Trust & security

Trust file TRS-01 · Rev 2026-07-07

Built to pass a procurement review.

The honest state of Cohort’s security and data handling — what’s in place today, and what’s on the roadmap. If your review needs something not listed here, ask.

01

Encryption

All traffic served over HTTPS/TLS. Passwords stored only as salted bcrypt hashes — never in plain text.

02

Access control

Role-based access (learner / admin / owner). Sessions use HTTP-only, secure cookies with a strict same-site policy.

03

Tenant isolation

Each customer’s people and content are scoped to their organisation. One customer’s administrators cannot read or change another’s data.

04

Hardening

Security headers (CSP, X-Frame-Options, nosniff, HSTS in production), rate limiting on authentication, and input sanitisation on authored content.

05

Hosting

Runs on Railway infrastructure. Australian data residency available on request. We keep a current sub-processor list.

06

Breach response

We follow the Australian Notifiable Data Breaches scheme and notify affected customers promptly.

On the roadmap (not yet complete)

We believe in being straight about what isn’t done. Currently in progress: automated off-site database backups, a strict content-security-policy with per-request nonces, a formal SOC 2 programme, and a published uptime status page. We’re happy to talk through timelines during a demo.

Documents

Security questions?

Send your security questionnaire or DPA to hello@arshialearning.com.au and I’ll turn it around personally.