
Cybersecurity and privacy — your handover

You are on the institution's cybersecurity, risk, or data-protection team — running vendor assessment, reviewing the privacy posture, or owning the breach process at your end. This document is the evidence checklist for the pre-go-live review.


What's already done for you

The evidence pack First Six ships with the handover covers, end to end:

  • HECVAT-Lite self-assessment — pre-filled, honest about gaps, in the HECVAT article.
  • Full HECVAT internal self-audit (control gap analysis with 17 ranked findings) — provided on request under your NDA.
  • Subprocessor list — the verified inventory of every third party that may touch institutional data, with region, payload, and DPA status: Subprocessors.
  • Data residency — primary database in Sydney, AWS ap-southeast-2. Confirmed live, not just claimed: Data residency.
  • Breach response runbook — AU NDB decision tree, GDPR 72h, FERPA, with templates and a 30-minute containment runbook: Breach response.
  • Append-only audit log — staff actions are logged to a database table on which a trigger rejects UPDATE and DELETE for every role, including the service role. Admin-only read.
  • Row-Level Security on every app-owned table. Tables that need direct PostgREST reads carry per-row policies; tables that are only reachable through SECURITY DEFINER RPCs are deny-by-default (RLS on + no policy + anon/authenticated grants revoked).
  • Daily security CI — a GitHub Actions workflow that fails the build on any new RLS regression, anon grant regression, schema drift, or storage-policy regression.
  • PII scrubbing — error telemetry to Sentry runs through a scrubber that strips cookies, auth headers, request bodies, the user object, and regex-redacts email-shaped strings. Session replay is deliberately disabled.
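
The scrubbing rules listed above, written out as a Sentry-style `beforeSend` hook so a reviewer can see what is removed before an event leaves the app. This is an added example, not First Six's scrubber; the event shape follows Sentry's payload fields (`request.headers`, `request.cookies`, `request.data`, `user`) and the sample event is constructed here.

```javascript
// Added example (not First Six's code): a beforeSend-style scrubber that
// drops cookies, auth headers, request bodies and the user object, then
// regex-redacts anything email-shaped anywhere in the remaining event.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const REDACTED = "[redacted]";
// Header names (lower-cased) whose values must never reach telemetry.
const SENSITIVE_HEADERS = new Set(["authorization", "cookie", "set-cookie", "x-api-key"]);

// Walk strings, arrays and plain objects; replace email-shaped substrings.
function redactEmails(value) {
  if (typeof value === "string") return value.replace(EMAIL_RE, "[email]");
  if (Array.isArray(value)) return value.map(redactEmails);
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactEmails(v);
    return out;
  }
  return value;
}

// Returns a scrubbed copy; the caller's event object is left untouched.
function scrubEvent(event) {
  const e = JSON.parse(JSON.stringify(event)); // Sentry events are JSON-serialisable
  if (e.request) {
    delete e.request.cookies; // whole cookie jar, never partially
    delete e.request.data;    // request bodies may carry credentials or PII
    if (e.request.headers) {
      for (const name of Object.keys(e.request.headers)) {
        if (SENSITIVE_HEADERS.has(name.toLowerCase())) e.request.headers[name] = REDACTED;
      }
    }
  }
  delete e.user; // identity is reconstructed from the audit log, not telemetry
  return redactEmails(e);
}

// Constructed sample event, as the SDK would hand it to beforeSend.
const sampleEvent = {
  message: "Login failed for alice@example.edu",
  request: {
    url: "https://app.example.invalid/login",
    headers: { Authorization: "Bearer not-a-real-token", "Content-Type": "application/json" },
    cookies: { session: "opaque-cookie-value" },
    data: { password: "not-a-real-password" },
  },
  user: { id: "u1", email: "alice@example.edu" },
  extra: { note: "student asked to contact bob@example.org" },
};

function scrubbedSample() {
  return scrubEvent(sampleEvent);
}

// Assumed wiring (not run here): pass the hook to the SDK and leave the Replay
// integration out so no session replay is captured.
//   Sentry.init({ dsn, beforeSend: scrubEvent, replaysSessionSampleRate: 0 });
```

The hook scrubs a copy rather than mutating in place, so a bug in the scrubber cannot corrupt the error object the app still holds; the email regex runs last, over the already-stripped event, so it also catches addresses buried in messages, breadcrumbs or `extra` data.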

The evidence is real and verifiable in code; we encourage you to ask for the audit's confidence labels rather than take the summaries at face value.
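
One way to check the RLS and grant claims above yourself, as an added example rather than First Six's own CI workflow: the decision logic of a daily regression check, run over rows pulled from the Postgres catalog. The three catalog queries in the comments are the assumed source of the rows; the rows, the table names and the committed baseline used here are constructed.

```javascript
// Added example (not First Six's CI): classify every app-owned table as
// "policy" (direct PostgREST reads, per-row policies) or "deny-by-default"
// (RLS on, no policy, no anon/authenticated grants) and flag regressions.
// Rows are constructed in the shape these assumed queries return:
//   SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public';
//   SELECT tablename, policyname FROM pg_policies WHERE schemaname = 'public';
//   SELECT table_name, grantee, privilege_type
//     FROM information_schema.role_table_grants
//    WHERE table_schema = 'public' AND grantee IN ('anon', 'authenticated');

const API_ROLES = new Set(["anon", "authenticated"]); // roles PostgREST exposes

function auditRls(tables, policies, grants, baseline) {
  const findings = [];
  const policyTables = new Set(policies.map((p) => p.tablename));
  const grantsByTable = new Map();
  for (const g of grants) {
    if (!API_ROLES.has(g.grantee)) continue;
    if (!grantsByTable.has(g.table_name)) grantsByTable.set(g.table_name, []);
    grantsByTable.get(g.table_name).push(`${g.grantee}:${g.privilege_type}`);
  }
  for (const t of tables) {
    const name = t.tablename;
    const hasPolicy = policyTables.has(name);
    const apiGrants = grantsByTable.get(name) ?? [];
    // RLS must be enabled on every app-owned table, whichever posture it has.
    if (!t.rowsecurity) findings.push({ table: name, kind: "rls-off" });
    // A table with no policy is only safe if the API roles hold no grants at all.
    if (!hasPolicy && apiGrants.length > 0) {
      findings.push({ table: name, kind: "anon-grant", detail: apiGrants.join(",") });
    }
    // Posture must match the committed baseline; anything else is schema drift.
    const posture = hasPolicy ? "policy" : "deny-by-default";
    const expected = baseline[name];
    if (expected === undefined) {
      findings.push({ table: name, kind: "schema-drift", detail: "table not in baseline" });
    } else if (expected !== posture) {
      findings.push({ table: name, kind: "schema-drift", detail: `expected ${expected}, found ${posture}` });
    }
  }
  for (const name of Object.keys(baseline)) {
    if (!tables.some((t) => t.tablename === name)) {
      findings.push({ table: name, kind: "schema-drift", detail: "baseline table missing" });
    }
  }
  return findings;
}

// CI contract: any finding fails the build.
function ciExitCode(findings) {
  return findings.length > 0 ? 1 : 0;
}

// Constructed catalog snapshot with three deliberate regressions.
const sampleTables = [
  { tablename: "profiles", rowsecurity: true },   // OK: policy table
  { tablename: "audit_log", rowsecurity: true },  // OK: deny-by-default
  { tablename: "enrolments", rowsecurity: true }, // anon-grant: no policy but authenticated can SELECT
  { tablename: "notes", rowsecurity: false },     // rls-off
];
const samplePolicies = [
  { tablename: "profiles", policyname: "profiles_self_read" },
  { tablename: "notes", policyname: "notes_owner_read" },
];
const sampleGrants = [
  { table_name: "profiles", grantee: "anon", privilege_type: "SELECT" },
  { table_name: "enrolments", grantee: "authenticated", privilege_type: "SELECT" },
  { table_name: "audit_log", grantee: "postgres", privilege_type: "SELECT" }, // not an API role
];
const sampleBaseline = {
  profiles: "policy",
  audit_log: "deny-by-default",
  enrolments: "deny-by-default",
  notes: "policy",
  invites: "deny-by-default", // schema-drift: table no longer exists
};

function sampleFindings() {
  return auditRls(sampleTables, samplePolicies, sampleGrants, sampleBaseline);
}
```

The baseline is the piece that turns a point-in-time audit into a regression check: a new table that appears without a baseline entry fails the build until someone decides, in review, which posture it gets.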

Your verification checklist

Things that aren't here yet

Be open about gaps rather than surprised by them later. As of this handover, First Six does not have: SOC 2 Type II, ISO 27001, an executed cyber-insurance policy, a third-party penetration test, an externally-validated VPAT / accessibility audit, or a paid-tier Supabase plan with point-in-time recovery (planned). These are all tracked in the full audit and in docs/RISK_REGISTER.md. We'd rather you know than discover.

Ongoing posture
