Roadmap
This is where First Six is heading. It is organised by horizon rather than by date — "in progress", "next", and "exploring" — because honest direction is more useful than a calendar we would only have to walk back. Items move up the list as they get closer, and shipped work moves off it and into the changelog.
This is a direction, not a contract. Nothing here is a dated commitment, and the order can change as pilots tell us what matters most. Where a security or compliance item below affects a procurement decision, we're happy to write it into an agreement as a milestone — see HECVAT and vendor security reviews.
In progress
Work that is actively underway.
- SAML federation — the production sign-in path is OIDC, live with Microsoft Entra. A SAML proof-of-concept exists; converging a real SAML-federated institution onto the same identity-linking path is the work in flight. Raise it early if SAML is a hard requirement. See the OIDC flow.
- Data Processing Agreement — being finalised with counsel so it's ready to sign rather than draft from scratch per institution.
- Production / non-production separation — a known gap (development currently shares the production data project), with remediation planned and tracked in our risk register. Named openly in our vendor security responses.
- Content-Security-Policy enforcement — a nonce-based CSP runs in report-only mode today; it moves to enforcing mode after the violation review.
Next
Scoped and expected to start once the in-progress work lands.
- SOC 2 readiness, then attestation — the technical controls a SOC 2 audit looks for are largely in place; the work ahead is the formal readiness program and an independent audit.
- Independent penetration test — a third-party test we're happy to make a contractual condition of a pilot.
- Formal accessibility audit and VPAT — today's WCAG 2.1 AA conformance is a self-assessment; a formal audit and a published VPAT are the next step. See our accessibility commitment.
- Outbound webhooks and programmatic export — there's no public event feed yet; a documented way to get data out is planned. The current options are in webhooks.
Exploring
Directions we think are right but haven't fully scoped. Less certain, and more likely to change shape.
- ISO 27001 — a natural companion to SOC 2 once that program is mature.
- Deeper SIS automation — reducing the manual steps in keeping rosters in sync. See SIS sync.
- Semantic search across this knowledge base — finding the right article by meaning, not just keyword.
What shapes this list
Two things move items up. The first is safety and trust — anything that protects student data or makes an institution's review faster tends to jump the queue. The second is what pilots ask for: real usage beats our guesses about priority, so the list bends toward what customers actually hit.
What you won't find here are features that overstate what the product does — individual-student prediction, causal claims about retention, or anything that positions First Six as a replacement for professional support. Those aren't "later", they're deliberate non-goals.
Common questions
Do these items have dates?
No, and on purpose. The horizons — in progress, next, exploring — reflect how close something is, not a promised quarter. For a security or compliance item that affects your decision, we can commit to it as a milestone in an agreement.
How do I request something that isn't here?
Tell us through your usual First Six contact, or the feedback link in the product. Requests that show up across multiple institutions are the ones most likely to move up.
Where do I see what's already shipped?
In the changelog, newest first. When something on this page ships, it moves off the roadmap and earns a dated changelog entry.