We know schools have a duty of care around student information. Here's exactly how we protect it — in plain language, not legal jargon.
All data is hosted on Microsoft Azure, Australia East (Sydney). It never leaves Australian soil.
All data is encrypted at rest using AES-256. All data in transit is protected by TLS 1.2+.
Fully compliant with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
We do not sell, share, or monetise student data in any way. No ads. No data brokers. Ever.
Automated daily backups with 30-day retention. Disaster recovery is tested regularly.
Your school owns its data. AchievoEDU acts as a data processor only. You can export or delete it at any time.
AchievoEDU is hosted exclusively on Microsoft Azure Australia East (Sydney). Your student data never leaves Australian jurisdiction — not for backups, not for processing, not for anything.
This matters for schools in states where education departments have specific data sovereignty requirements (including DET Victoria, QDET, and NSW DoE guidance on student privacy).
Microsoft Azure holds ISO 27001 certification and complies with the Australian Signals Directorate (ASD) Essential Eight framework — meaning your data sits in infrastructure that is independently audited to the highest Australian government standards.
All database records, files, and backups are encrypted using AES-256 — the same standard used by banks and government departments. Encryption keys are managed by Azure Key Vault and rotated automatically.
Every connection between your browser, mobile app, and our servers is encrypted using TLS 1.2 or higher. Older, insecure protocol versions are disabled. HTTP connections are automatically redirected to HTTPS.
All user sessions are authenticated using short-lived JSON Web Tokens (JWTs). Passwords are hashed using bcrypt with a high work factor. Role-based access control ensures students, teachers, parents, and admins only see what they're permitted to.
AchievoEDU undergoes regular security testing against the OWASP Top 10 vulnerabilities — including injection attacks, broken authentication, XSS, and insecure data exposure. Findings are remediated before deployment.
Backups run automatically every day, with a 30-day retention window. Backups are encrypted, geographically separated within Australia East, and tested for restore integrity. Point-in-time recovery is available for all databases.
All significant system events — logins, data exports, admin actions — are written to an immutable audit log. School administrators can request access logs at any time. Logs are retained for a minimum of 12 months.
AchievoEDU is designed to comply with the Australian Privacy Act 1988 and all 13 Australian Privacy Principles (APPs). We act as a data processor on behalf of your school (the data controller) and follow your instructions regarding student data.
APP 1 — Open & transparent: This page and our Privacy Policy describe exactly how we handle data.
APP 6 — Use & disclosure: Student data is used only to operate the platform for your school. No secondary purposes.
APP 8 — Cross-border disclosure: Data is never transferred offshore. Full stop.
APP 11 — Security of personal information: AES-256, TLS 1.2+, role-based access controls, and regular testing.
APP 12 — Access to personal information: Schools and individuals can request access to their data at any time.
Request a full export of all your school's data at any time — students, points history, badges, reports. Delivered within 5 business days.
Request deletion of all school data — including backups — upon subscription termination. Completed within 30 days with written confirmation.
Contact our privacy team directly at privacy@achievoedu.com.au — we respond within 2 business days.
AchievoEDU doesn't ask for sensitive information it doesn't need to operate.
All student-generated content (shout-outs, student voice, gratitude wall) passes through a profanity filter before appearing on screen.
A dedicated anonymous reporting tool lets students report bullying or safety concerns directly to pastoral staff — with emergency escalation for high-risk disclosures.
Daily wellbeing check-ins give pastoral teams early visibility of students who may be struggling — enabling timely intervention before issues escalate.
Administrators can review, hide, or delete any student content. Teachers can moderate their class feeds. Nothing goes live without platform-level content safety checks.
We're happy to provide a Data Processing Agreement (DPA), answer questions from your IT department, or provide documentation for your school's procurement process.
Contact privacy@achievoedu.com.au