Acrux Education Pty Ltd · Version: 1.0 · Effective: December 2025

Information Security Policy

Effective Date: December 2025
Review Date: December 2027

1. Purpose

This policy establishes the information security requirements for Acrux Education to protect the confidentiality, integrity, and availability of data entrusted to us by schools, students, and educators.

2. Scope

This policy applies to all Acrux Education systems, data, personnel, and contractors who access company information assets.

3. Infrastructure Security

3.1 Cloud Platform

Acrux Education operates exclusively on Google Cloud Platform (GCP) with the following security controls:

  • Region Isolation: Separate deployments per region to ensure data sovereignty

    • Australia: australia-southeast1 (Sydney)

    • Singapore: asia-southeast1

    • United Kingdom: europe-west2 (planned)

  • Data Residency: Customer data remains within its originating region and is not transferred across jurisdictions

  • Australian Data: Stored and processed exclusively in Sydney to comply with Australian Privacy Principles

3.2 Network Security

  • All database instances use private IP only with no public internet exposure

  • Database connectivity is via a VPC connector; no external access is permitted

  • SSL/TLS encryption required for all database connections (ssl_mode = "ENCRYPTED_ONLY")

  • Firewalls configured at cloud infrastructure boundaries

3.3 Encryption

  • Data in Transit: All data encrypted using TLS 1.2 or higher

  • Data at Rest: All stored data encrypted using GCP's default encryption (AES-256)

  • Database: Cloud SQL with enforced SSL connections

4. Access Control

4.1 User Authentication

All platform users must authenticate using:

  • Email and password combination

  • Passwords must meet the following requirements:

    • Minimum 14 characters

    • Cannot be similar to username, email, or name

    • Cannot be a commonly used password

    • Cannot be entirely numeric
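The four password rules above can be enforced as one validation step. The following is an added example, not Acrux Education's code: a standalone Python validator for these rules. The 0.7 similarity cut-off and the small common-password set are assumptions (a deployment would use a full breached-password list).

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 14
SIMILARITY_THRESHOLD = 0.7  # assumption: cut-off for "similar to username/email/name"

# Constructed stand-in for a real common/breached password list (lower-cased).
COMMON_PASSWORDS = {
    "password", "password123456", "qwertyuiopasdf", "letmeinletmein",
}


def _too_similar(password: str, value: str) -> bool:
    """True if the password closely resembles the whole attribute or any part of it.

    Parts are split on non-word characters, so 'jane.smith' is checked as
    'jane', 'smith' and 'jane.smith'.
    """
    if not value:
        return False
    parts = re.split(r"\W+", value) + [value]
    pw = password.lower()
    return any(
        part and SequenceMatcher(a=pw, b=part.lower()).quick_ratio() >= SIMILARITY_THRESHOLD
        for part in parts
    )


def validate_password(password: str, *, username: str = "", email: str = "", name: str = "") -> list[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for label, value in (("username", username), ("email", email), ("name", name)):
        if _too_similar(password, value):
            failures.append(f"too similar to {label}")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("commonly used password")
    if password.isdigit():
        failures.append("entirely numeric")
    return failures
```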

4.2 Session Management

  • Access tokens expire after 60 minutes of inactivity

  • Refresh tokens expire after 4 hours (production environment)

  • Session warning displayed 10 minutes before expiry

  • Rate limiting on password reset requests (5 per hour)

4.3 Staff Access

  • All Acrux Education staff require Multi-Factor Authentication (MFA) for system access

  • Access privileges are role-based and follow the principle of least privilege

  • Unique credentials required for all user and administrator accounts

  • Account access removed immediately upon termination of employment

4.4 Password Policy for Staff Systems

Staff and administrator passwords must:

  • Be unique to Acrux Education systems

  • Be changed if compromise is suspected

  • Not be shared with any other person

  • Comply with platform password requirements

5. Data Protection

5.1 Data Classification

All customer data is classified as confidential and handled accordingly.

5.2 Data Handling

  • Customer data is only accessed for service delivery and support purposes

  • No customer data is used for advertising or marketing purposes

  • Test environments use separate, non-production data

  • Development and production environments are completely isolated (separate GCP projects)

5.3 Third-Party Services

  • All third-party cloud services are assessed for security compliance

  • Third parties with access to customer data are contractually bound to data protection requirements

  • A register of third-party services is maintained and reviewed regularly

6. Monitoring & Incident Response

6.1 Monitoring

Acrux Education maintains comprehensive monitoring including:

  • GCP native monitoring and alerting

  • Sentry application error tracking

  • Internal monitoring dashboards

  • Automated alerting for security events

6.2 Incident Response

In the event of a security incident:

  1. Incident is logged and assessed for severity

  2. Immediate containment actions are taken

  3. Affected customers are notified as required by law

  4. Root cause analysis is conducted

  5. Preventive measures are implemented

6.3 Vulnerability Management

  • Regular vulnerability assessments are conducted

  • High-risk and critical security updates are applied within 14 days of release

  • Default passwords are changed on all infrastructure devices

7. Physical Security

  • All infrastructure is hosted in GCP data centres which maintain SOC 2, ISO 27001, and other certifications

  • No customer data is stored on local devices or portable media

  • Staff devices with access to systems are encrypted

8. Training & Awareness

  • All staff receive data protection training upon onboarding

  • Cyber security awareness training is conducted annually

  • Policy awareness is reinforced through regular communications

9. Policy Review

This policy is reviewed annually or following any significant security incident or change to operations.

Contact for Security Enquiries:
Email: [email protected]
Website: https://www.acrux.education