Cybersecurity and privacy — your handover
You are on the institution's cybersecurity, risk, or data-protection team — running vendor assessment, reviewing the privacy posture, or owning the breach process at your end. This document is the evidence checklist for the pre-go-live review.
What's already done for you
The evidence pack First Six ships with the handover covers, end to end:
- HECVAT-Lite self-assessment — pre-filled, honest about gaps, in the HECVAT article.
- Full HECVAT internal self-audit (control gap analysis with 17 ranked findings) — provided on request under your NDA.
- Subprocessor list — the verified inventory of every third party that may touch institutional data, with region, payload, and DPA status: Subprocessors.
- Data residency — primary database in Sydney, AWS ap-southeast-2. Confirmed live, not just claimed: Data residency.
- Breach response runbook — AU NDB decision tree, GDPR 72h, FERPA, with templates and a 30-minute containment runbook: Breach response.
- Append-only audit log — staff actions are logged to a database table where UPDATE and DELETE are blocked by trigger for every role, including the service role. Admin-only read.
- Row-Level Security on every app-owned table. Tables that need direct PostgREST reads carry per-row policies; tables that are only reachable through SECURITY DEFINER RPCs are deny-by-default (RLS on + no policy + anon/authenticated grants revoked).
- Daily security CI — a GitHub Actions workflow that fails the build on any new RLS regression, anon grant regression, schema drift, or storage-policy regression.
- PII scrubbing — error telemetry to Sentry runs through a scrubber that strips cookies, auth headers, request bodies, the user object, and regex-redacts email-shaped strings. Session replay is deliberately disabled.
The evidence is real and verifiable in code; we encourage you to ask for the audit's confidence labels rather than take the summaries at face value.
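As an added illustration of the audit-log and deny-by-default patterns listed above (not First Six's own schema; the table, function and role names audit_log, staff_notes, add_staff_note and admin_role are placeholders, and auth.uid() is Supabase's helper), this is the shape of Postgres DDL that implements them, plus the query a daily CI job can run to catch an RLS regression:

```sql
-- Added illustration, not First Six's schema: audit_log, staff_notes,
-- add_staff_note and admin_role are placeholder names.
-- 1. Append-only audit log: inserts allowed; UPDATE/DELETE refused by a
--    trigger, so the rule holds even for roles that bypass grants and RLS.
CREATE TABLE audit_log (
  id         bigserial   PRIMARY KEY,
  actor      uuid        NOT NULL,
  action     text        NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now()
);

CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only: % not permitted', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_change
  BEFORE UPDATE OR DELETE ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- Belt and braces: revoke privileges too; read access for admins only.
REVOKE ALL ON audit_log FROM anon, authenticated, service_role;
GRANT SELECT ON audit_log TO admin_role;  -- placeholder admin role

-- 2. Deny-by-default table: RLS on, no policy, anon/authenticated grants
--    revoked. Only the SECURITY DEFINER RPC below can reach it.
CREATE TABLE staff_notes (
  id      bigserial PRIMARY KEY,
  student uuid      NOT NULL,
  note    text      NOT NULL
);
ALTER TABLE staff_notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE staff_notes FORCE ROW LEVEL SECURITY;  -- applies to the owner too
REVOKE ALL ON staff_notes FROM anon, authenticated;

CREATE OR REPLACE FUNCTION add_staff_note(p_student uuid, p_note text)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
BEGIN
  INSERT INTO staff_notes (student, note) VALUES (p_student, p_note);
  INSERT INTO audit_log (actor, action) VALUES (auth.uid(), 'add_staff_note');
END;
$$;

-- 3. CI regression check: any app-owned table with RLS switched off is a
--    finding; a non-empty result should fail the build.
SELECT c.relname
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r' AND NOT c.relrowsecurity;
```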
Your verification checklist
Be open about gaps rather than surprised by them later. As of this handover, First Six does not have: SOC 2 Type II, ISO 27001, an executed cyber-insurance policy, a third-party penetration test, an externally-validated VPAT / accessibility audit, or a paid-tier Supabase plan with point-in-time recovery (planned). These are all tracked in the full audit and in docs/RISK_REGISTER.md. We'd rather you know than discover.
Ongoing posture
Related
The fastest answer is usually one question away.