Security & Data Handling
This page explains, in plain terms, how we protect your data in the EasyStagecraft Suite — EasyOrchestra, EasyInventory, EasyScheduler, EasyRisk and the ESC Course platform. It's written so a teacher, a business manager, or a school IT lead can all satisfy themselves the Suite is safe to use.
Our whole approach rests on one idea: hold as little personal data as possible. The only personal information we need to run your account is your email address. Everything else is the production content you create — stage plans, inventory, schedules, risk records — which is operational, not personal profiling data.
1. Data minimisation by design
We can't lose what we never collect. By default the only personal information we store is your email address (your account identifier) and, on paid plans, a Stripe customer ID that links your account to your subscription.
| Data | Stored? | Where |
|---|---|---|
| Email address | Yes — account identifier | Cloudflare KV, scoped to your account |
| Password (only if you set one) | As a salted hash only | Cloudflare KV — never plain text, never logged |
| Stripe customer ID (paid plans) | Yes — a reference | Cloudflare KV; the billing record itself lives at Stripe |
| Card / payment details | No | Entered directly into Stripe — never touches our systems |
| Student names / records, health, IDs (TFN/USI/Medicare) | No — not required, not collected by default | — |
| Production content (layouts, inventory, schedules, risk records, item photos) | Yes — to run the app | Your own account's Cloudflare storage |
You may use an alias or relay email (for example Apple Hide My Email). We don't require your real name, role, or organisation to use the product.
2. Hosting & data residency
The Suite runs entirely on the Cloudflare platform — Pages for app delivery, Workers for compute, KV for storage, R2 for backups. For Australian users, traffic is served from Cloudflare's Australian edge locations (Sydney, Melbourne, Perth) by default.
Cloudflare KV is globally replicated for reliability, so some data may be processed outside Australia. Cloudflare maintains SOC 2 Type II, ISO 27001, ISO 27701 and PCI DSS attestations — protection widely treated as substantially equivalent to the Australian Privacy Principles for cross-border disclosure (APP 8). If your organisation requires strict Australia-only residency as a precondition for use, contact us — we can discuss Cloudflare regional configuration.
3. Encryption
- In transit: all traffic is TLS 1.3 over HTTPS, with HSTS.
- At rest: Cloudflare encrypts all stored values, including the photos you capture in EasyInventory.
- Hardening: we set a Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and a Permissions-Policy that locks off camera, microphone, geolocation, payment and USB at the browser level.
- Payments: handled entirely by Stripe (PCI DSS Level 1). We never see or store your card number or CVC.
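A school IT lead can check the hardening bullet against a captured response. The audit below is an added example, not the Suite's own code; the two header sets are constructed samples, and the Permissions-Policy parser is a simplification that splits on commas rather than implementing full structured-field parsing.

```python
import re

# Headers and locked-off features named in the hardening bullet above.
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options",
            "referrer-policy", "permissions-policy")
LOCKED_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb")

def parse_permissions_policy(value):
    """Map each feature to its allowlist string, e.g. {'camera': '()'}."""
    policy = {}
    for directive in value.split(","):
        name, sep, allowlist = directive.strip().partition("=")
        if sep:
            policy[name.strip().lower()] = allowlist.strip()
    return policy

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]
    hsts = re.search(r'max-age\s*=\s*"?(\d+)',
                     h.get("strict-transport-security", ""), re.I)
    if "strict-transport-security" in h and (hsts is None or int(hsts.group(1)) == 0):
        findings.append("hsts: max-age missing or zero")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options: expected nosniff")
    if "permissions-policy" in h:
        policy = parse_permissions_policy(h["permissions-policy"])
        # A feature is locked off only when its allowlist is empty: feature=()
        findings += [f"permissions-policy: {feature} not disabled"
                     for feature in LOCKED_FEATURES if policy.get(feature) != "()"]
    return findings

# Constructed samples, not captured from the live service.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(self), geolocation=()",
}
```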
4. Authentication & access
Two ways to sign in:
- Magic-link (default): enter your email, click the one-time link we send. The link is short-lived. Because it depends on access to your inbox — which at most schools is itself protected by MFA — it inherently gives you a "something you have" factor.
- Password (optional): once signed in, you can set a password for instant returning sign-in. Passwords are hashed with PBKDF2-SHA256 (600,000 iterations, 32-byte random salt) — the OWASP 2023 baseline — verified in constant time, rate-limited, and never logged. Magic-link always remains available as a recovery path, so you can't get locked out.
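The password parameters above (PBKDF2-SHA256, 600,000 iterations, 32-byte random salt, constant-time verification) look like this in practice. This is an added example, not the Suite's own code; the `scheme$iterations$salt$digest` record layout and the `needs_rehash` helper are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000      # iteration count stated on this page
SALT_BYTES = 32           # salt length stated on this page
SCHEME = "pbkdf2-sha256"  # record label assumed for this example

def _derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def _parse(record):
    """Split 'scheme$iterations$salt$digest'; raise ValueError if malformed."""
    scheme, iterations, salt, digest = record.split("$")
    if scheme != SCHEME or int(iterations) < 1:
        raise ValueError("unsupported record")
    return (int(iterations),
            base64.b64decode(salt, validate=True),
            base64.b64decode(digest, validate=True))

def hash_password(password, iterations=ITERATIONS):
    """Hash with a fresh random salt; only the resulting record is stored."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, iterations)
    encode = lambda raw: base64.b64encode(raw).decode("ascii")
    return "$".join([SCHEME, str(iterations), encode(salt), encode(digest)])

def verify_password(password, record):
    """Recompute with the stored salt and count, then compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(_derive(password, salt, iterations), expected)

def needs_rehash(record):
    """True when a stored record falls below the current parameters."""
    try:
        iterations, salt, _ = _parse(record)
    except ValueError:
        return True
    return iterations < ITERATIONS or len(salt) < SALT_BYTES
```

Storing the iteration count inside each record lets older hashes still verify after the baseline is raised, and `needs_rehash` flags them for upgrade at the next successful sign-in.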
Access model: an account owner can invite team members who share the owner's workspace (so the crew sees the same layouts, schedules and inventory) but can't manage billing or remove the owner. EasyScheduler share-links are read-only, gated by an unguessable token, and revocable. Every mutating action — sign-ins, password changes, deletions, team changes — is recorded in a security audit log with 13-month retention.
5. Essential Eight alignment
We target the Australian Cyber Security Centre's Essential Eight Maturity Level 1, with a documented path to ML2 as we grow.
| Strategy | How we do it | Status |
|---|---|---|
| Application control | Cloudflare WAF; allow-listed script sources via CSP; signed deploys | Live |
| Patch applications | Dependency review on every change; critical patches within 48h of advisory | Live |
| User application hardening | CSP, HSTS, anti-clickjacking and locked-down browser permissions | Live |
| Restrict admin privileges | Owner/team role separation; billing handled by Stripe Portal | Live |
| Patch operating systems | Inherited — Cloudflare's managed runtime is patched by the platform | Live |
| Multi-factor authentication | Magic-link inherits your email provider's MFA; optional password path with rate-limiting | Live |
| Regular backups | Durable Cloudflare KV + daily JSON exports to R2, 30-day retention, restore-tested | Live |
| Office macro hardening | N/A — browser SaaS, no macro surface | N/A |
6. Sub-processors
We share data only with the small set of providers needed to run the service. We do not sell your data and do not disclose it for advertising.
| Provider | Function | What it sees |
|---|---|---|
| Cloudflare, Inc. | Hosting, storage, edge delivery, security | Your email and the content you store |
| Stripe (Stripe Payments Australia Pty Ltd) | Subscription billing & payments | Your email and payment method (card data never touches us) |
| Google (Workspace / Gmail API) | Sends transactional email (sign-in links, receipts) | Your email address and that email's content |
| SafeWork NSW (EasyRisk only) | Real-time licence verification | The licence number you provide |
If we add a new provider that processes customer-identifiable data, we update our published sub-processor list and notify active account holders before activation.
7. Breach response (Notifiable Data Breaches)
We run security monitoring (Cloudflare WAF, Worker error logs, an audit trail) and a documented incident-response runbook. If a breach is likely to cause serious harm, we comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) — assessing the breach and notifying the OAIC and affected individuals as required.
We aim to notify affected account holders within 72 hours of becoming aware of a confirmed breach affecting their data, by email and on our status channel. Where a breach touches data a school also holds (such as a teacher's account email), we'll support the school's own notification obligations with technical detail.
8. Export & deletion — you stay in control
- Export (APP 12): download all your account data as a file from your account portal at any time.
- Self-service deletion (APP 11): delete your account and all associated content — layouts, inventory, schedules, risk records, sessions, trusted-device records — from the portal. We return a deletion confirmation.
- On request: you, or a school on your behalf, can email us to action a verified deletion request promptly.
- Backups age out on a ~30-day rolling cycle after deletion.
- Stripe billing records are retained by Stripe to meet its own legal/tax obligations (commonly up to 7 years in AU); we provide a template to request Stripe-side erasure where the law permits.
9. Schools & child safety
The Suite is a teacher-and-crew production tool, not a student information system.
We align with the eSafety Commissioner's Basic Online Safety Expectations under the Online Safety Act 2021 (Cth): no public user-generated content, no social or messaging features, no cross-app tracking. For school IT teams, we publish a detailed Vendor IT Confidence brief mapping the Suite against the Australian Privacy Principles, the Notifiable Data Breaches scheme, the ACSC Essential Eight, and the Safer Technologies for Schools (ST4S v2025.1) framework — request it at the contact below. See also our Privacy Policy.
10. Honest gaps — what we don't do yet
The most useful part of any security page is the honest one. We'd rather you read this here than discover it later.
| Item | Status | Detail |
|---|---|---|
| ST4S formal assessment + badge | In prep | Internal readiness check done; formal submission targeted Q3 2026. We don't hold the badge yet. |
| Independent penetration test | Planned | Scheduled as we scale; the low-PII surface keeps the risk proportionate in the meantime. |
| SAML / OIDC single sign-on | Roadmap | Magic-link + password cover the self-serve case today; SSO prioritised if a school cohort needs it. |
| Multi-operator on-call rotation | Solo today | Currently a solo operator with a documented runbook; honestly disclosed. |
| Cyber-liability insurance | Risk-matched | Not currently held given the low-PII surface; procured if a customer's policy requires it as a precondition for use. |
11. Report a security issue
If you believe you've found a vulnerability, or have any security or privacy question, please contact us — we read these directly and respond.
- Email: [email protected]
- Operator: Gosling Productions · ABN 50 767 719 891 · Melbourne, Victoria, Australia
See also our Privacy Policy and Terms of Service.