Product
Platform
Weekly briefings
Wellbeing check-ins
Help inbox
Cohort insights
Student workspace & timetable
Branding & white-label
Writing assistant
Before & after the six weeks
Rolling & staggered intakes
Trust Centre
Security
Privacy
Data residency
Compliance
Accessibility
Reliability
Legal
Subprocessors
HECVAT
Solutions
Why students leave
Student success & retention
Orientation & transition
Wellbeing & counselling
IT, security & procurement
First-year retention
Belonging & engagement
Early intervention
Support for Students obligation
Leading indicators
Join the waitlistView preview

Trust Centre

HECVAT

Our pre-filled HECVAT-Lite responses for your vendor security review: strong technical controls today, an honest list of what's still in progress, and the documents behind each answer.

Join the waitlist
 
View the preview
 

A vendor security questionnaire, answered before you ask

HECVAT, the Higher Education Community Vendor Assessment Toolkit, is the security questionnaire many universities run on a new vendor. Rather than make you send a blank one and wait, we keep a pre-filled HECVAT-Lite self-assessment that reflects the current state of First Six, and we are deliberately upfront about what is and isn't in place.

The short version: First Six meets or exceeds the technical controls a standard HECVAT looks for. The open items are independent attestation and process maturity, which we propose as milestones for a pilot rather than blockers.

Headline answers

AreaStatus
Data residency (Australia, AWS Sydney)Yes
Encryption in transit and at restYes
Single sign-on with institution-enforced MFAYes
Row-level tenant isolationYes
Append-only audit loggingYes
Data minimisation with small-cell suppressionYes
Student data used to train AINo
SOC 2 / ISO 27001On the roadmap
Third-party penetration testPlanned
Data Processing AgreementIn progress

HECVAT-Lite

Self-assessment available

Australia

Data residency

Row-level

Tenant isolation

SOC 2

On the roadmap

How to use our HECVAT in your review

You don't have to send a blank questionnaire and wait. This is the fast path.

01

Ask for the responses

Request our HECVAT-Lite self-assessment through your contact or procurement. We share it under NDA.

02

Check it against your checklist

The responses map to the standard HECVAT sections: company and documentation, data handling and privacy, authentication and access, application and infrastructure security, and hosting and business continuity.

03

Read the gaps, not just the ticks

We mark each item honestly as Yes, Partial, Planned, or No, with a note explaining it. A candid 'not yet, and here is the plan' is more useful to a reviewer than an optimistic yes a pen test would contradict.

04

Set milestones for a pilot

Where an item is still in progress, like SOC 2, a third-party pen test, or the DPA, we're happy to make it a contractual milestone for a pilot rather than a blocker.

What the answers cover

The five areas a HECVAT review walks, and where First Six stands today.

In place today

Encryption in transit and at rest, single sign-on with institution-enforced MFA, row-level tenant isolation, append-only audit logging, data minimisation with small-cell suppression, and a documented change-management process with testing in a separate non-production environment.

Data handling and privacy

Australian data residency, no student data used to train AI, deletion and export on request, and minimisation built in.

Access and isolation

OIDC single sign-on with Microsoft Entra live, role-based access, server-side session revocation, and row-level security across every table.

App and infrastructure

Security headers, CSRF protection, rate limiting, secrets kept out of source, and dependency hygiene. The content security policy runs in report-only while violations are reviewed.

Still in progress

SOC 2, ISO 27001, a third-party penetration test, a finalised DPA, and cyber insurance. We track these openly and propose them as pilot milestones.

Running a vendor assessment?

Ask for our HECVAT responses and the supporting document set, and we'll map them to your checklist.

Join the waitlist
 
View the preview
 

What we never do

Support means seeing the pattern, not the person. These limits are built into the product, not just promised in a policy.

We never sell or share student data

Student data is used to run First Six for your institution — never sold, rented, or handed to advertisers or data brokers. Full stop.

We never build watchlists

Individual wellbeing answers stay private to the student. Staff see aggregate trends with small groups suppressed — never a named list of who to watch.

We never train external AI on student data

Student records are not used to train third-party models. AI features process only what staff submit, and that content is not retained for training.

We never hide where data lives

The system of record stays in Australia, and every subprocessor and region is listed openly here in the Trust Centre. No surprises.

Frequently asked questions

What security, privacy, and procurement teams ask us most.

What is HECVAT, and do you have one?

HECVAT is the Higher Education Community Vendor Assessment Toolkit, the security questionnaire many universities run on a new vendor. We maintain pre-filled HECVAT-Lite responses so your review can start straight away.

Are you SOC 2 or ISO 27001 certified?

Not yet, and we won't imply otherwise. Both are on our roadmap. The technical controls those frameworks look for are largely in place today; the independent attestation is what's still ahead.

How do we get your HECVAT responses?

Ask through your contact or procurement and we'll share the HECVAT-Lite self-assessment, along with our security overview, subprocessor list, and incident-response summary, under NDA.

Will you complete our own questionnaire instead?

Yes. If your institution has its own security questionnaire, we'll complete it as part of the assessment.

What are the known gaps?

We're candid about them: no SOC 2 or third-party pen test yet, a DPA being finalised, and no cyber insurance in force. Prod and non-prod separation, previously listed here as a gap, is now in place as of July 2026. Each remaining item is tracked in our risk register and can be a pilot milestone.

See it for your next cohort.

Join the waitlist
 
View the preview
 

Currently meeting with universities.

Product

Platform
Weekly briefings
Wellbeing check-ins
Help inbox
Cohort insights
Student workspace & timetable
Branding & white-label
Writing assistant
Before & after the six weeks
Rolling & staggered intakes

Trust centre

Knowledge Base
Security
Privacy
Data residency
Compliance
Accessibility
Reliability
Legal
Subprocessors
HECVAT
Status

resources

GuidesKnowledge Base

Solutions

Why students leave
Student success & retention
Orientation & transition
Wellbeing & counselling
IT, security & procurement
First-year retention
Belonging & engagement
Early intervention
Support for Students obligation
Leading indicators

Leading Indicators

DVC & PVC Students
Director of Student Experience
Wellbeing & Counselling
IT, Procurement & Privacy
Equity & Inclusion

Company

AboutCareersPress & Media Kit

Contact Us

Join the waitlistContact usReport a bugView preview

Platform Entry

Student platformStaff console
Privacy PolicyTerms of ServiceData Processing AgreementCookie Policy
© 2026 First Six. ACN: 699938817 All rights reserved.

See it for yourself

Walk through First Six the way a commencing student would, then see what their team sees. No sales call, no pitch. Just the real thing.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Book a demo

A short conversation where we walk through First Six against your kind of cohort. Bring your student experience team if it helps.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

See it for yourself

Walk through First Six the way a commencing student would, then see what their team sees. No sales call, no pitch. Just the real thing.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Book a demo

A short conversation where we walk through First Six against your kind of cohort. Bring your student experience team if it helps.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.