Data Security and Privacy

    Security & Privacy
    Updated Apr 8, 2026
    2 min read

    How ReportRocket protects student data with Australian-hosted servers, end-to-end encryption, strict row-level security, and privacy compliance.

    Our Commitment

    ReportRocket is built by Australians, for Australian schools. We take student data privacy extremely seriously.

    Australian Data Hosting

    All data is hosted in Australia (AWS Sydney region). Your data never leaves Australian shores.

    Why This Matters

    • Complies with Australian privacy law
    • Subject to Australian jurisdiction
    • No international data transfers
    • Faster performance for Australian users

    Encryption

    In Transit

    All connections use TLS 1.3 – the same encryption banks use.

    At Rest

    Stored data is encrypted using AES-256, the government-grade encryption standard.

    Access Control

    Row Level Security (RLS)

    Every database query is filtered to ensure:

    • Teachers only see their own students
    • Schools only see their own data
    • Reviewers only see assigned packs
    • No cross-account data leakage

    Authentication

    • Email-based sign-in with verification
    • Secure session management
    • Automatic logout on inactivity

    What We Don't Do

    ❌ Share student data with third parties

    ❌ Use student data for AI training

    ❌ Sell any user data

    ❌ Store data outside Australia

    ❌ Access your data without permission

    Comment Generation Processing

    When you generate comments:

    • Data is processed via Google Gemini (Google AI API)
    • Google does not use API-submitted data to train its models
    • Student data is transient and not retained
    • Processing happens in real-time only

    Admin Access

    ReportRocket staff can only access your data:

    • With explicit permission
    • For technical support purposes
    • Logged and auditable

    School Admin Access

    For school licences:

    • School admins have full access to classes, teachers, and student report comments across the school
    • Admins can generate and edit comments for quality assurance and oversight
    • All admin actions are logged in the Activity tab for accountability

    Data Retention

    • Active accounts: Data stored indefinitely
    • Deleted accounts: Data permanently removed
    • Inactive accounts: No automatic deletion

    Compliance

    We follow:

    • Australian Privacy Principles (APPs)
    • State education department guidelines
    • AITSL privacy frameworks

    Incident Response

    In the unlikely event of a data incident:

    1. Immediate containment
    2. Affected users notified within 72 hours
    3. Full investigation and remediation
    4. Transparent communication

    Questions?

    Have specific privacy questions? Contact us – we're happy to discuss your school's requirements.

    Next Steps

    Tags:
    security
    privacy
    encryption
    data
    hosting

    Was this article helpful?

    Back to Security & Privacy