How we protect your school's data.

Teacher and staff data is retained for the duration of the account plus 12 months. Identifiable student data is retained for the duration of a student's enrolment, or as directed by the school. Anonymised analytics data is retained indefinitely for research and system improvement and cannot be linked back to any individual.

Dr Leanne Russell — [email protected]

Acrux Education is currently completing the ST4S (Safer Technologies for Schools) data sovereignty assessment, with submission planned for May 2026.

Contact [email protected]. We will verify your identity and authority, confirm the scope of the request, and respond within 30 days.

Yes. School platform administrators can request a full export of all student records, assessment results, and class data directly from the platform. Exports require authenticated access and are available for download for 48 hours before the file is permanently deleted.

Deletion cascades automatically — student records, assessment submissions, marking results, and uploaded PDF files are all permanently removed. Files are securely erased to DoD 5220.22-M standard (3-pass overwrite). A GDPR Article 17 compliance certificate is generated on completion.

Yes. School administrators can delete individual student records, classes, and assessments directly from the platform. A full school account deletion can also be requested, with a 30-day grace period before permanent deletion is processed.

No. Students do not create accounts or submit data directly. All student data is provided and managed by authorised school staff.

Our Data Protection Policy covers compliance with the Privacy Act 1988 (Australia), UK GDPR, and Singapore's Personal Data Protection Act 2012 (PDPA). The latest version of our Data Protection Policy is available at acrux.education/legal.

No. We do not sell, monetise, or use student data for advertising or profiling. Infrastructure providers such as Google Cloud Platform act as subprocessors under Data Processing Agreements and may only process data as directed by Acrux. A full list of subprocessors is available in our Trust Centre.

Schools are the data controller. Acrux Education acts as a data processor, handling data only on the school's behalf and in accordance with their instructions.

Yes. We conduct regular vulnerability assessments and independent penetration testing as part of our ongoing security programme.

All data is encrypted at rest and in transit using industry-standard protocols. Uploaded assessment files are stored in Google Cloud Storage with encryption applied at the file level.

Acrux Education runs on Google Cloud Platform (GCP). Data is stored in regional instances and may be hosted in Australia, the UK, Europe, Canada or Singapore depending on your school's location.

No personal information on students is kept by our program.