Security You Can Trust With Student Data
ICAPsensus was built from day one with multi-tenant isolation, encrypted data, and defence-in-depth as non-negotiable requirements.
3-Layer Security Architecture
Application Layer
Every service function requires an authenticated context. School ID, user ID, and role are validated on every request. No shortcuts.
Session Layer
Each database transaction sets Postgres GUC variables for school_id, user_id, and role. These clear automatically on commit — no data leakage between requests.
Database Layer
Row-Level Security is enforced at the Postgres level on every multi-tenant table. Even a compromised application cannot read another school's data.
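The session and database layers described above can be sketched as follows. This is an added example, not ICAPsensus code: the role `app_user`, the table `students`, the GUC name `app.school_id` and the UUIDs are assumptions constructed for illustration, and the script is meant to be run as a superuser in a scratch database.

```sql
-- Assumed names (not from the product): role app_user, table students, GUC app.school_id.
-- Run as a superuser in a scratch database; the UUIDs and rows are constructed.
CREATE ROLE app_user NOLOGIN;
CREATE TABLE students (
    id        bigserial PRIMARY KEY,
    school_id uuid NOT NULL,
    full_name text NOT NULL
);
INSERT INTO students (school_id, full_name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Student of school A'),
    ('22222222-2222-2222-2222-222222222222', 'Student of school B');
GRANT SELECT, INSERT ON students TO app_user;
GRANT USAGE ON SEQUENCE students_id_seq TO app_user;

-- Database layer: FORCE makes the policy apply to the table owner as well.
ALTER TABLE students ENABLE ROW LEVEL SECURITY;
ALTER TABLE students FORCE ROW LEVEL SECURITY;
-- NULLIF: a custom GUC can read back as '' once its transaction ends; treat that as "no tenant".
CREATE POLICY tenant_isolation ON students
    USING      (school_id = NULLIF(current_setting('app.school_id', true), '')::uuid)
    WITH CHECK (school_id = NULLIF(current_setting('app.school_id', true), '')::uuid);

-- Session layer: one request = one transaction, tenant context scoped to it.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.school_id', '11111111-1111-1111-1111-111111111111', true); -- true = transaction-local
DO $$
BEGIN
    ASSERT (SELECT count(*) FROM students) = 1, 'tenant must see only its own row';
    ASSERT NOT EXISTS (SELECT 1 FROM students
                       WHERE school_id = '22222222-2222-2222-2222-222222222222'),
           'cross-tenant read leaked a row';
    BEGIN
        INSERT INTO students (school_id, full_name)
        VALUES ('22222222-2222-2222-2222-222222222222', 'constructed cross-tenant row');
        RAISE EXCEPTION 'cross-tenant write was accepted';
    EXCEPTION WHEN insufficient_privilege THEN
        NULL; -- rejected by the policy's WITH CHECK clause
    END;
END $$;
COMMIT;

-- After the transaction the context is gone, so the policy matches nothing.
SET ROLE app_user;
DO $$ BEGIN
    ASSERT (SELECT count(*) FROM students) = 0, 'no tenant context must mean no rows';
END $$;
RESET ROLE;
```

The policy only constrains roles that are subject to RLS: superusers and roles with `BYPASSRLS` skip it, so the application's connection role must have neither.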
Security Features
- Supabase Auth — JWT-based authentication
- Postgres Row-Level Security on all tables
- HTTPS everywhere — TLS 1.3
- Stripe-handled card data — PCI compliant
- Full audit log of every data change
- Role-based access (admin, staff, parent)
- Data hosted in Australia (ap-southeast-2)
- No third-party tracking on student pages
Our Commitments
Tenant isolation is our top priority. Cross-school data leakage is treated as a critical bug, not an edge case. We have RLS integration tests that explicitly verify cross-tenant reads and writes fail.
We never sell or share student data with third parties. Your school’s data is yours.
Medical data is treated as sensitive throughout — restricted to authorised staff only, logged on every access.
© 2026 Internet Communication Asia Pacific Pty Ltd. A.C.N 089 746 226. All rights reserved.