Trust & security
Trust file TRS-01 · Rev 2026-07-07
Built to pass a procurement review.
The honest state of Cohort’s security and data handling — what’s in place today, and what’s on the roadmap. If your review needs something not listed here, ask.
Encryption
All traffic served over HTTPS/TLS. Passwords stored only as salted bcrypt hashes — never in plain text.
Access control
Role-based access (learner / admin / owner). Sessions use HTTP-only, secure cookies with a strict same-site policy.
Tenant isolation
Each customer’s people and content are scoped to their organisation. One customer’s administrators cannot read or change another’s data.
Hardening
Security headers (CSP, X-Frame-Options, nosniff, HSTS in production), rate limiting on authentication, and input sanitisation on authored content.
Hosting
Runs on Railway infrastructure. Australian data residency available on request. We keep a current sub-processor list.
Breach response
We follow the Australian Notifiable Data Breaches scheme and notify affected customers promptly.
On the roadmap (not yet complete)
We believe in being straight about what isn’t done. Currently in progress: automated off-site database backups, a strict content-security-policy with per-request nonces, a formal SOC 2 programme, and a published uptime status page. We’re happy to talk through timelines during a demo.
Documents
- PRV-01Privacy Policy — how we handle personal information (Australian Privacy Act).
- TOS-01Terms of Service — the subscription terms.
- DPA-01Data Processing Addendum — processor commitments; signable version on request.
- ACC-01Accessibility statement — our WCAG 2.2 AA conformance target and known gaps.
Security questions?
Send your security questionnaire or DPA to hello@arshialearning.com.au and I’ll turn it around personally.