How does Hero backup my data?

We treat reliability and security very seriously.

Our databases store information such as accounts, student details, posts, goals, attendance and assessment data and pupil billing. Our databases are hosted on Amazon Web Servers (AWS) and Microsoft Azure servers in Sydney, NSW. These are replicated to separate servers so that redundancy is always maintained. We perform snapshots every day, which are maintained for seven days. We store all files on Azure Blob Storage, which is managed by Microsoft Azure. This is designed to be highly available with a 99.99% uptime guarantee. This data store is configured to be replicated to 3 different servers within the same datacenter, with geo-replication enabled in the event of a localised disaster at our primary datacenter. Outside of this, we run a manual backup process every night with the same storage configuration, that is, locally and geo-replicated to data centres in NSW (AUS) and Victoria (AUS). Our services are stateless, load-balanced, and redundant.

We maintain a public record of uptime for Hero and provide information in the event of an outage at https://linc-ed.statuspage.io/.

Information Security Policy

Expectations

Linc-Technologies, through the Hero product is the custodian of data that is potentially sensitive and is certainly valuable. All reasonable precautions must be taken to prevent data stored in our service is safe, encrypted and strictly controlled.

In all development and product decisions, the central expectation is that security is the first consideration.

Our company must ensure that data is:

  • Confidential: data and information are protected from unauthorized access
  • Intact: Data is intact, complete and accurate
  • Available: Data is available to the appropriate users when needed

Authority and access control policy

There are six levels of access to Hero:

  1. Developers - Access to underlying databases as well as administrative toolset for adding removing schools and data within. Any process that involves the direct editing or removal of school or student must be peer reviewed and backups checked before proceeding.
  2. Linc-Technology administrators - access to all school’s front end UI along with some limited extra functionality that is not exposed to school users.
  3. School Administrators - ability to see data for students enrolled (or formally; or pre enrolled) in their school. Extended ability to edit and delete data for students if required for their role.
  4. School staff - ability to see data for students enrolled (or formally; or pre enrolled) in their school. Ability to edit and delete data for students if required for their role.
  5. Caregivers - ability to view learning artefacts and information about students that they have been given access by the school ONLY. Caregiver access is controlled by the school administrators only. Linc-Technologies are not permitted to allow access to caregivers as a matter of internal policy.
  6. Students - ability to view and share learning and data. ONLY able to view and access their own data.

Sensitive data can be stored in Hero if the school so chooses, this decision is taken by the leadership of the school.

Linc-Technologies operates an internal network that can only be accessed by approved staff or contractors, this does not however provide any access to any data or services as these are all password protected as a separate process.

Data classification

  1. Level 1: Public information - NO public information is housed in Hero, all data sits behind our authentication layer,
  2. Level 2: Data relating to schools themselves, this data is only accessible to authenticated users however it is publically available data such as school website, address etc.
  3. Level 3 - Staff, student and caregiver/ contact information - confidential information that is only accessible to authenticated users in accordance with our access control policy.

Data storage, movement and protection

  1. All data within Hero is encrypted at rest and transported using https
  2. We make extensive use of JWT tokens, which specify which tenant a user has access to. Within all services this is extracted and used to inform all database queries.
  3. We hash and store passwords using OWASP's recommendation of Argon2id

Security awareness training

Yearly security awareness training is carried out for all staff and when new staff members are onboarded. This includes password training, password management tools as well as training on cyber security and latest recommendations.