# LEP — Privacy & Security Compliance Report

**Version**: 0.4 · **Issued**: 23 May 2026 · **Vendor**: [Operator Name] · **Contact**: [operator@email]

This report is provided for review by school IT, principals, privacy officers, and parents/carers considering LEP for classroom use. It describes what data LEP collects, how it's stored and secured, who can access it, and how the product aligns with the Australian Privacy Principles (APPs) under the *Privacy Act 1988 (Cth)*.

LEP is in active development (v0.4). Where compliance posture is partial or under construction, this report says so explicitly — there are no marketing claims about certifications LEP does not hold.

---

## 1. Executive summary

| Aspect | Status |
|---|---|
| Data residency | ✅ Australia (Sydney `syd1` region — see §4) |
| Subprocessors | Supabase (data + auth), Vercel (hosting), Google OAuth (optional sign-in) |
| Encryption in transit | ✅ TLS 1.2+ enforced end-to-end |
| Encryption at rest | ✅ AES-256 (provided by Supabase/Postgres) |
| Authentication | ✅ Email/password + optional Google OAuth via Supabase Auth |
| Authorisation | ✅ Row-Level Security (RLS) enforced at the database layer |
| Surveillance functions (screen / camera / mic / clipboard outside editor) | ❌ Never |
| Children's data | ⚠️ Schools must obtain age-appropriate parental consent — see §7 |
| Formal PIA | ⚠️ Schools should conduct their own as part of vendor onboarding |
| ISO 27001 / SOC 2 | ❌ Not certified at v0.4; Supabase and Vercel hold relevant attestations (see §5) |
| Insurance | ⚠️ Operator-specific — confirm with [Operator] before adoption |

---

## 2. Product description

LEP (Learning Evidence Platform) is a writing-process capture tool for teachers. Students draft assessments in a focused web editor; LEP captures **behavioural process metadata** (timing, paste events, edit patterns, caret positions) and the student's final draft text. Teachers see a *Process summary* per student to inform conversation about how the work was produced — explicitly **not** an automated cheating detector or similarity score.

**What LEP is not:**
- Not a plagiarism detector. There is no similarity score, no flagged-as-cheating verdict, no comparison to other students' work.
- Not a surveillance tool. LEP does not access screen, camera, microphone, or any browser content outside its own editor window.
- Not a generative-AI service. LEP does not send student text to any LLM or AI service. (If the operator chooses to add AI features in future, this disclosure will be updated and schools will be re-notified.)

**Intended audience:** Australian primary and secondary schools, including independent, Catholic, and government schools.

---

## 3. Data collected and purpose

### 3.1 Personal information

| Field | Source | Purpose | Optional? |
|---|---|---|---|
| Email address | Sign-up form | Auth, account recovery | Required |
| Display name | Sign-up / onboarding | Identifying student to teacher | Required |
| Role (teacher / student) | Sign-up flow | Authorisation | Required |
| Hashed password | Sign-up form | Auth | Required if not using OAuth |
| Google OAuth identity | OAuth provider | Auth (alternative to password) | Optional |

LEP does **not** collect: date of birth, government identifier (e.g. USI), phone number, address, school ID, parent contact details, or photographs.

### 3.2 Behavioural process events (per writing session)

Stored in the `events` table; one row per captured event.

| Field | Description | Used for |
|---|---|---|
| `occurred_at` | Server timestamp of the event | Session reconstruction |
| `type` | `insert`, `delete`, or `paste` | Activity classification |
| `delta_chars` | Number of characters added/removed in the transaction | Active-time + burst detection |
| `word_count` | Document word count *after* the change | Growth chart |
| `caret_pos` | Caret offset in the document | Locating bursts/pastes in the draft |
| `paste_words`, `paste_start_offset`, `paste_end_offset`, `paste_source_url` | Paste metadata | Identifying which part of the draft was pasted, and where it came from when the browser exposes it |
| `paste_content` | **First 2000 characters** of the pasted text (truncated; never the entire paste) | Letting the teacher read what was pasted and have an informed conversation |

LEP **does not** record individual keystrokes, mouse movements, focus changes, browser tab switches, clipboard activity outside paste-into-editor, or any content from other browser tabs or applications.

### 3.3 Document content

Stored in the `documents.content` column.

| Field | Description |
|---|---|
| `content` | The student's draft HTML body, up to ~200,000 characters per document |

This is the actual essay text. It is stored so that (a) students can resume writing on another device and (b) teachers can read the work alongside the process report. This was a deliberate design change disclosed in the onboarding modal shown to every student on first use.

### 3.4 No data collected

LEP **does not collect or process**:

- Screen contents outside the editor window
- Webcam or microphone input
- Browser history, bookmarks, tabs other than the active LEP tab
- Geolocation
- Device fingerprints (the User-Agent string is logged for security only; it is not used for analytics or marketing)
- IP address beyond what is needed for rate-limiting and standard server logs
- Sensitive information as defined under APP 3 (e.g. racial origin, political opinion, religious beliefs, health information)
- Biometric data
- Information about parents or non-enrolled persons

---

## 4. Data storage, residency, and security

### 4.1 Residency

All student and teacher data is stored in **Australia (Sydney)** via Supabase's `syd1` region. The application server (hosted on Vercel) is also configured to run in `syd1` (see `vercel.json`). No data is transferred outside Australia in normal operation.

**Exception**: Google OAuth sign-in (optional) requires brief contact with Google's identity infrastructure. Google handles this in compliance with its own published privacy notices. Schools that do not want Google OAuth should instruct students to use email/password sign-up only.

### 4.2 Encryption

- **In transit**: TLS 1.2 or later, enforced on all routes. Insecure HTTP redirects to HTTPS.
- **At rest**: Database encryption at rest is provided by Supabase's underlying infrastructure (AES-256). Encryption keys are managed by Supabase / AWS.

### 4.3 Access controls

LEP enforces access at three layers:

1. **Authentication** — Supabase Auth issues JWTs after password or OAuth sign-in. Sessions expire and require re-authentication.
2. **Authorisation (Row-Level Security)** — every table has RLS policies enforced by Postgres:
   - Students can read/write only documents where `student_id = auth.uid()`.
   - Teachers can read events and documents only for assignments where `teacher_id = auth.uid()`.
   - Nobody can update or delete events (append-only audit log).
3. **Application-layer checks** — API routes also verify ownership before any DB write, providing defence in depth on top of RLS.

The `SUPABASE_SERVICE_ROLE_KEY` (which bypasses RLS) is held only in server-side environment variables, never sent to client browsers, never committed to source control.
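The three RLS rules above, written out as Postgres policies so a reviewer can see what "enforced at the database layer" means. This is an added illustration, not LEP's own migration: the `assignments` table and the `assignment_id` / `document_id` columns are assumed; only `documents`, `events`, `student_id`, `teacher_id` and `auth.uid()` come from this report.

```sql
-- Illustrative RLS policies (assumed schema, not LEP's migration files).
-- Assumed tables: assignments(id, teacher_id), documents(id, student_id, assignment_id),
-- events(id, document_id, occurred_at, type, ...). Column names are assumptions.

alter table documents enable row level security;
alter table events    enable row level security;

-- Students: read/write only their own documents (student_id = auth.uid()).
create policy student_own_documents on documents
  for all to authenticated
  using (student_id = auth.uid())
  with check (student_id = auth.uid());

-- Teachers: read-only access to documents in assignments they own.
create policy teacher_read_documents on documents
  for select to authenticated
  using (exists (
    select 1 from assignments a
    where a.id = documents.assignment_id and a.teacher_id = auth.uid()));

-- Students: may append events only to their own documents.
create policy student_insert_events on events
  for insert to authenticated
  with check (exists (
    select 1 from documents d
    where d.id = events.document_id and d.student_id = auth.uid()));

-- Read events: the student who wrote them, or the teacher who owns the assignment.
create policy read_events on events
  for select to authenticated
  using (exists (
    select 1 from documents d
    left join assignments a on a.id = d.assignment_id
    where d.id = events.document_id
      and (d.student_id = auth.uid() or a.teacher_id = auth.uid())));

-- Append-only: with RLS enabled and no update/delete policy, Postgres denies
-- both. Revoking the privileges as well keeps the log immutable even if a
-- permissive policy is added by mistake later.
revoke update, delete on events from authenticated, anon;

-- Check (run as a student session, e.g. via the Supabase SQL editor with a
-- user JWT): must return 0 rows, since RLS hides every other student's work.
-- select count(*) from documents where student_id <> auth.uid();
```

Policies for the same command are combined with OR, so a teacher gains read access without the student policy being loosened; the service-role key bypasses all of this, which is why the report keeps it server-side only.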

### 4.4 Rate limiting and abuse protection

- Per-user event API: 600 events/min
- Per-document event API: 50 000 events/min
- Failed sign-in attempts: standard Supabase Auth throttling (15 attempts / hour / IP)

### 4.5 Audit logging

- Every event write is logged with `userId`, `documentId`, and event count (no content)
- Auth events are logged by Supabase Auth (separate audit log accessible to the operator)
- Failed authorisation attempts are logged with `userId` and the resource attempted

---

## 5. Subprocessors

LEP relies on the following third-party processors. Each holds its own compliance attestations relevant to the data it handles.

| Subprocessor | Role | Data handled | Region | Relevant attestations |
|---|---|---|---|---|
| Supabase | Database + authentication | All application data (profiles, documents, events) | AWS `ap-southeast-2` (Sydney) | SOC 2 Type 2, HIPAA-aligned controls (Supabase Inc.) |
| Vercel | Application hosting | Request routing, edge caching, build logs | Vercel edge — `syd1` region pinned for compute | SOC 2 Type 2, ISO 27001 (Vercel Inc.) |
| Google (OAuth) | Optional sign-in identity provider | Email address, OAuth refresh token | Google global | ISO 27001/27017/27018, SOC 2/3 |

Schools should review the linked attestation evidence for each subprocessor as part of their own due diligence.

LEP does **not** use any generative-AI vendor (no OpenAI, Anthropic, Google Gemini, etc.) at v0.4.

---

## 6. Compliance mapping (Australian Privacy Principles)

| APP | Requirement | LEP posture |
|---|---|---|
| APP 1 — Open management | Have a privacy policy | This document and the in-app onboarding modal serve as the privacy notice to students at first use. A consumer-facing privacy policy should be hosted on the public website before launch. **TODO (operator).** |
| APP 2 — Anonymity / pseudonymity | Where lawful and practicable | Students may use a pseudonymous email and display name. Their school may require real names; LEP does not enforce either way. |
| APP 3 — Collection of personal information | Only what is reasonably necessary | LEP collects only the fields in §3.1–3.3. No sensitive information per APP 3.3. |
| APP 4 — Unsolicited information | Dealing with unsolicited personal information | Not applicable — LEP only collects via active user input. |
| APP 5 — Notification of collection | At or before collection | The onboarding modal is shown to every student on first sign-in and lists what is captured vs. not. The two-column layout makes the disclosure clear. |
| APP 6 — Use or disclosure | Only for the primary purpose | LEP uses data only for: (a) showing the student their own work, (b) showing the teacher process summaries for their own students, (c) operational logging. No secondary use, no sale, no advertising. |
| APP 7 — Direct marketing | Not undertaken | LEP does not send marketing communications. |
| APP 8 — Cross-border disclosure | Disclosure to overseas recipients requires safeguards | Data is held in Australia. Limited contact with Google OAuth (if used) is the only cross-border touchpoint; users can avoid this by using email/password. |
| APP 9 — Government identifiers | Not adopted | LEP does not collect or use government identifiers (USI, Medicare, etc.). |
| APP 10 — Quality of personal information | Take reasonable steps | Data is captured directly from user actions; the user is the source of truth. Users can request correction (§9). |
| APP 11 — Security | Take reasonable steps to protect | See §4. Combine with §10 (incident response). |
| APP 12 — Access | Individuals can request access | Students see their own data directly in the app. Formal access requests should go to [operator@email]. |
| APP 13 — Correction | Individuals can request correction | Same channel as APP 12. |

---

## 7. Children's privacy

LEP is designed to be used by school students, who are predominantly minors. While the Australian Privacy Act does not set a hard age threshold, the OAIC's guidance is that consent for under-15s should generally come from a parent or guardian, and that schools have a duty of care.

**LEP requires the adopting school to:**

1. Obtain parental/carer consent in line with the school's existing consent processes before enrolling students in LEP.
2. Provide an age-appropriate explanation of what LEP captures (the in-app onboarding modal is the second line of disclosure, not the first).
3. Designate a school staff member as the contact for any student-data questions or requests.

LEP does **not** rely on student self-attestation of age, and does not target advertising at any user.

---

## 8. Data retention and deletion

| Data | Retention | Deletion trigger |
|---|---|---|
| Account (`profiles`) | Lifetime of the account | User sign-out + deletion request OR teacher closes the assignment + retention sweep |
| Documents (drafts + events) | Up to 12 months by default; configurable per deployment | Configurable retention cron at `/api/cron/retention` |
| Server access logs | 30 days | Automatic rotation |
| Supabase auth logs | 90 days | Supabase default |

Students or their parent/guardian may request immediate deletion of their account and all associated data by emailing [operator@email]. Deletion is processed within 30 days and confirmed via email.

---

## 9. User rights

Users (or their parents/guardians, for minors) have the right to:

- **Access** their data (APP 12) — students see their own data in-app; teachers see only their assigned students; bulk export available on request
- **Correct** their data (APP 13)
- **Withdraw consent** and have their data deleted
- **Lodge a complaint** with [operator@email] or the [Office of the Australian Information Commissioner](https://www.oaic.gov.au/)

Requests are processed within 30 days. Identity verification may be required before processing.

---

## 10. Incident response and breach notification

LEP follows the **Notifiable Data Breaches (NDB) scheme** under Part IIIC of the Privacy Act.

If an eligible data breach occurs:

1. The operator [Operator Name] will assess the breach within 30 days
2. If serious harm is likely, affected users will be notified directly (typically via the email registered to their account)
3. The OAIC will be notified via the prescribed form
4. The adopting school will be notified within 24 hours of breach identification, regardless of NDB classification, so the school can fulfil its own obligations

Operator contact for incident reports: **[operator@email]**

---

## 11. Audit, logging, and monitoring

- All authentication events are logged by Supabase Auth
- All API requests are logged with timestamp, user, route, and status (no payload content)
- Failed authorisation attempts are flagged for review
- The operator retains and reviews logs as part of routine operations

Logs are available to the operator's designated security contact and are not shared with third parties.

---

## 12. Open items / posture roadmap

Honest disclosure of work-in-progress items relevant to compliance:

| Item | Current state | Target |
|---|---|---|
| Public-facing privacy policy URL | Not yet published | Before first school launch |
| Formal Privacy Impact Assessment | Not yet conducted | Recommended for any government school adoption |
| SOC 2 / ISO 27001 audit of LEP itself | Not held | Long-term — subprocessor attestations provide layered assurance in the interim |
| Cyber insurance | Operator to confirm | Before commercial scale |
| Penetration test | Not yet conducted | Recommended before commercial launch |
| Data Processing Agreement (DPA) template | Available on request | Will be standard template by v1.0 |

Schools should treat the items above as part of their own go/no-go decision.

---

## 13. Operator contact

- **Operator name**: [TO COMPLETE]
- **Contact email**: [TO COMPLETE]
- **Postal address**: [TO COMPLETE — required for NDB scheme]
- **ABN** (if registered business): [TO COMPLETE]

---

## 14. Document control

| Version | Date | Changes |
|---|---|---|
| 0.4 | 2026-05-23 | Initial compliance report |

Schools adopting LEP should request the current version of this document at least annually and at each major version release.

---

*This document is provided for transparency and to support a school's own due-diligence process. It is not legal advice. Schools should obtain independent legal and privacy advice as part of their vendor onboarding.*
