Your Trust Is Our Foundation

Enterprise-Grade Infrastructure

AWS Australia Hosting

SELMA operates on Amazon Web Services infrastructure within Australian data centres, providing:

Geographic Data Sovereignty - Your data remains within Australia, meeting local data residency requirements and providing legal clarity around data protection.

Professional Infrastructure Management - AWS delivers enterprise-grade physical security, environmental controls, power redundancy, and network infrastructure that would be prohibitively expensive for individual institutions to implement.

High Availability Architecture - Our deployment includes load balancing across multiple availability zones, ensuring service continuity even if individual components fail.

Automated Backups - Daily encrypted backups with point-in-time recovery capabilities protect against data loss from any source, whether technical failure, human error, or malicious activity.

Disaster Recovery - Comprehensive disaster recovery procedures ensure rapid service restoration with minimal data loss in worst-case scenarios. Recovery time objectives and recovery point objectives are defined and regularly tested.

Scalable Performance - Infrastructure scales automatically with demand, maintaining responsive performance during peak periods like enrolment windows or results publication.

Security-First Development

Secure by Design

Security isn't added to SELMA after development; it's embedded in our architectural decisions and development practices from the outset.

Secure Coding Standards - Our development team follows OWASP guidelines and industry best practices for secure application development, preventing common vulnerabilities before they reach production.

Input Validation and Sanitisation - All user inputs undergo rigorous validation and sanitisation to prevent injection attacks, cross-site scripting, and other exploitation attempts.

Encryption Everywhere - Data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Sensitive fields receive additional encryption layers for defence in depth.

No Third-Party Tools in Critical Areas - Security-critical components such as student application forms, authentication systems, and data collection interfaces are built entirely in-house. We don't rely on third-party form builders or data collection tools that could introduce security vulnerabilities or data sovereignty concerns.

Regular Security Updates - Dependencies and frameworks receive regular updates to address newly discovered vulnerabilities. Our deployment pipeline enables rapid security patching when required.

Code Review and Testing - All code undergoes peer review with security considerations explicitly evaluated. Automated security scanning identifies potential vulnerabilities during development, not after deployment.

API Security - RESTful APIs implement authentication, authorisation, rate limiting, and input validation to prevent unauthorised access and abuse.

Single-Tenant Architecture

Complete Data Isolation

Unlike multi-tenant SaaS platforms where multiple customers share database infrastructure, SELMA deploys in a single-tenant architecture:

Dedicated Database Instances - Each institution receives its own database instance with complete logical and physical separation from other customers.

No Cross-Customer Access - Architectural impossibility of data leakage between institutions, even in the event of application vulnerabilities or misconfigurations.

Custom Security Policies - Institutions can implement specific security policies, access controls, and data retention rules without affecting other customers.

Independent Backup and Recovery - Each institution's data follows independent backup schedules and retention policies, with restoration operations isolated to prevent any cross-contamination.

Compliance Flexibility - Single-tenant architecture simplifies compliance with data protection regulations that require specific data handling or geographic restrictions.

Vetted Personnel and Device Management

Trusted Team, Secure Access

Comprehensive Staff Vetting - All SELMA team members undergo thorough background checks before accessing customer systems or data. This includes identity verification, employment history validation, and reference checks.

Controlled Company Devices - Staff access SELMA systems exclusively through company-managed devices with:

• Full disk encryption
• Mandatory security software
• Automated security updates
• Remote wipe capabilities
• Access logging and monitoring

Principle of Least Privilege - Staff receive only the minimum access necessary for their roles. Support staff cannot access customer data without explicit permission and audit trails.

Security Training - Regular security awareness training ensures all team members understand their responsibilities regarding data protection, phishing recognition, and incident reporting.

Access Review - Periodic reviews ensure access permissions remain appropriate as roles change, with immediate revocation upon staff departure.

Multi-Factor Authentication and SSO

Robust Authentication

Mandatory MFA - Multi-factor authentication is mandatory for all SELMA accounts, requiring both password and time-based one-time password (TOTP) verification.

Enterprise SSO Integration - Institutions can implement single sign-on using existing Google Workspace or Microsoft 365 credentials, centralising authentication control and enabling:

• Institutional password policies
• Conditional access rules
• Centralised user provisioning and de-provisioning
• Authentication audit trails in institutional systems

Password Security - When using SELMA-native authentication, passwords undergo secure hashing using industry-standard algorithms, with automatic enforcement of complexity requirements.

Session Management - Automatic session timeout after inactivity, secure session token handling, and immediate invalidation upon logout prevent unauthorised access to unattended devices.

Granular Role-Based Access Control

Precise Permission Management

SELMA's RBAC (Role-Based Access Control) module provides sophisticated permission management enabling institutions to implement precise access policies:

Granular Permissions - Hundreds of individual permissions control access to specific functions, data types, and operations throughout the system.

Custom Role Creation - Build custom roles combining precisely the permissions required for specific institutional functions, from executive oversight to departmental administration to front-line teaching staff.

User Role Assignment - Assign multiple roles to individual users, with permissions combining to provide exactly the access required without over-provisioning.

Data-Level Security - Permissions extend beyond function access to data visibility, ensuring users see only information appropriate to their role. Teachers access their students; administrators access their departments; executives access institution-wide analytics.

Sensitive Information Protection - SELMA includes built-in privacy features allowing users to blur sensitive information (such as student photos, dates of birth, addresses, and contact details) when sharing screens or presenting data. This prevents inadvertent disclosure of personal information during demonstrations, training sessions, or collaborative work.

Audit Trail Integration - All permission grants, modifications, and revocations appear in audit logs, providing complete visibility into access control changes.

Temporary Access Grants - Provide time-limited elevated permissions for specific tasks, with automatic revocation preventing permission creep.

Responsible AI Integration

Safety-First Approach to Artificial Intelligence

As AI capabilities evolve, SELMA takes a measured, security-conscious approach to integration:

Enclosed AI Environments - When AI features are implemented, they operate within isolated, controlled environments that prevent unauthorised data access or unintended information exposure.

Data Stewardship Principles - We never send student data to external AI services without explicit institutional consent and appropriate data protection agreements. Student information remains within our controlled infrastructure.

Opt-In AI Features - Institutions maintain complete control over AI feature activation. Features remain disabled by default, requiring deliberate enablement and configuration.

Transparency and Auditability - AI-assisted operations maintain full audit trails showing what data was processed, what recommendations were generated, and what actions were taken.

Human Oversight - AI features augment human decision-making rather than replacing it. Critical decisions regarding student progression, assessment, or welfare always require human review and approval.

Bias Monitoring - We actively monitor AI features for potential bias in recommendations or automated processes, ensuring fair treatment across all student demographics.

Our approach recognises that AI offers genuine benefits for administrative efficiency and insight generation, but these benefits must never come at the cost of student privacy, data security, or institutional control.

Compliance and Certifications

Meeting Global Standards

GDPR Compliance - SELMA complies with the General Data Protection Regulation, implementing:

• Data subject rights (access, rectification, erasure, portability)
• Lawful basis documentation
• Data processing agreements
• Privacy by design principles
• Data breach notification procedures
• Data protection impact assessments

ISO 27001 Certified Infrastructure - AWS data centres maintain ISO 27001 certification, demonstrating systematic approach to managing sensitive information.

Pursuing ISO 27001 Certification - SELMA is currently implementing the information security management system required for ISO 27001 certification, formalising our security practices according to international standards.

Australian Privacy Principles - Full compliance with APP requirements for handling personal information within Australia.

Education Sector Standards - Understanding of and compliance with education-specific data protection requirements across our operating regions.

Regular Penetration Testing

Independent Security Validation

Professional Penetration Testing - Independent security professionals conduct regular penetration tests simulating real-world attack scenarios to identify potential vulnerabilities before malicious actors can exploit them.

Comprehensive Test Scope - Testing covers:

• Application security (authentication, authorisation, input validation)
• Infrastructure security (network configuration, system hardening)
• API security (authentication, rate limiting, data exposure)
• Social engineering resistance
• Physical security where applicable

Remediation and Re-testing - Identified vulnerabilities receive priority remediation with follow-up testing to verify effective resolution.

Customer Access to Results - SELMA customers can request current penetration test results and remediation status, providing transparency into our security posture.

Continuous Improvement - Test findings inform development practices, infrastructure hardening, and security training to prevent similar issues in future development.

Additional Security Measures

Defence in Depth

Network Security - Firewalls, intrusion detection systems, and network segmentation protect infrastructure from unauthorised access and malicious traffic.

DDoS Protection - AWS Shield provides automatic protection against distributed denial-of-service attacks that could disrupt service availability.

Vulnerability Scanning - Automated vulnerability scanning identifies potential security issues in infrastructure and applications before they can be exploited.

Security Monitoring and Alerting - 24/7 monitoring detects unusual activity, potential security incidents, or system anomalies, with automatic alerting for rapid response.

Incident Response Plan - Documented procedures ensure rapid, coordinated response to security incidents, minimising impact and ensuring appropriate stakeholder communication.

Data Retention and Disposal - Clear policies govern data retention periods and secure disposal procedures, ensuring data doesn't persist beyond legitimate business or legal requirements.

API Rate Limiting - Protection against automated attacks and abuse through intelligent rate limiting that prevents system overload while allowing legitimate usage.

Secure File Uploads - Uploaded files undergo malware scanning, file type validation, and safe storage separate from application code to prevent malicious file execution.

Database Security - Database access requires authentication, connections are encrypted, and queries use parameterisation to prevent SQL injection attacks.

Change Management - All infrastructure and application changes follow controlled change management processes with security review, testing, and rollback capabilities.

Data Protection by Default

Privacy-Preserving Practices

Data Minimisation - SELMA collects only data necessary for legitimate educational management purposes, avoiding unnecessary data accumulation.

Purpose Limitation - Data collected for specific purposes isn't repurposed without appropriate legal basis and, where required, explicit consent.

Accuracy Maintenance - Tools and workflows help institutions maintain accurate, up-to-date records with mechanisms for students and staff to request corrections.

Storage Limitation - Automated retention policies help institutions comply with data protection requirements by flagging or removing data that has exceeded retention periods.

Transparent Processing - Clear documentation explains what data SELMA processes, why, under what legal basis, and how individuals can exercise their rights.

Your Security Partnership

Security and privacy aren't solely technical matters; they require partnership between SELMA and our client institutions.

Security Documentation - Comprehensive security documentation helps institutions understand SELMA's security posture for their own risk assessments and compliance obligations.

Security Questionnaire Response - We promptly respond to institutional security questionnaires, providing detailed information about our security practices and controls.

Data Processing Agreements - Formal data processing agreements clearly define responsibilities, obligations, and rights regarding customer data handling.

Incident Communication - Clear communication protocols ensure institutions receive timely notification of any security incidents affecting their data, enabling appropriate response and stakeholder communication.

Security Consultation - Our team provides guidance on implementing security best practices within SELMA, from permission structure design to authentication policy configuration.

Continuous Improvement

Security isn't a destination; it's an ongoing commitment. SELMA continuously enhances security and privacy protections through:

• Regular security audits and assessments
• Monitoring of emerging threats and vulnerabilities
• Implementation of new security technologies and practices
• Staff training and awareness programmes
• Customer feedback and security requirement evolution
• Regulatory change monitoring and compliance maintenance

Questions About Security?

We recognise that security and privacy concerns require detailed, specific answers. Our team welcomes inquiries about our security practices, compliance status, or specific institutional requirements.

Contact our security team for:

• Detailed security documentation
• Current penetration test results
• Security questionnaire responses
• Compliance certification status
• Custom security requirement discussions

Your trust enables us to serve your institution. We honour that trust through unwavering commitment to protecting the data you and your students entrust to us.

‍

‍

‍