Security posture
This is the plain-language version of how First Six handles security. The deeper, institution-facing detail lives in data residency and isolation; this page is the quick reference and the place to start if you have found a problem.
Reporting a vulnerability
Email security@firstsix.com.au with a description, the impact, steps to reproduce, and any affected URL or account. Please do not open a public issue for a security report.
We acknowledge within two business days and triage within five. Good-faith research under this policy will not be pursued legally, and we credit reporters who want to be named once a fix has shipped.
Please avoid testing against real student accounts or live welfare data; use the demo personas or a local instance instead.
The posture in brief
- Encryption. TLS in transit with HSTS, encryption at rest, and a baseline set of security headers on every response.
- Tenant isolation. Row-level security keys every query to one institution, so a cross-tenant read is structurally impossible from an app client.
- Audit log. Every staff write, and every sensitive read, is recorded immutably.
- Diagnostics with the personal data stripped. Error monitoring scrubs names, emails, and message bodies before anything leaves the app, and session replays mask all text and inputs.
Continuous deployment
First Six ships continuously from main, so only the currently deployed revision is supported. There are no long-lived release branches to patch.