Compliance & Security
Information for school IT, privacy, and procurement teams evaluating ProofReady for a pilot.
Last updated: 22 April 2026
1. Service overview
ProofReady is a web-based formative-feedback tool that generates AI feedback on student assessment drafts. It is aligned to the NSW HSC syllabus and produces:
- Holistic written feedback (strengths, improvements, key-term check, priority action).
- Criterion-by-criterion feedback against the teacher's marking criteria.
- Inline margin annotations on the student's own draft.
ProofReady does not award marks, replace teacher judgement, act as a reporting mechanism for welfare concerns, or replace any school assessment policy.
2. What we collect
| Category | Examples | Who provides it |
| Account data | Display name, email, role (student/teacher), hashed password | User at sign-up |
| Task data | Task title, question, criteria, teacher notes, 6-character task code | Teacher |
| Submission content | Draft text and associated metadata (draft version, timestamp) | Student |
| Generated feedback | AI-produced feedback, criterion commentary, inline annotations | Generated by ProofReady |
| Technical data | IP address, request timestamps, browser user-agent, error logs | Captured by our platform for security & debugging |
We do not intentionally collect sensitive personal information (health, religion, political opinions, etc.). Users are asked in the Terms & Conditions not to include such information in drafts beyond what the academic task strictly requires.
3. Sub-processors & data residency
ProofReady relies on three providers. Each handles only the data it needs for its role and is bound by its own published terms.
| Provider | Role | Data handled | Region |
| Anthropic (Claude) | AI model that generates feedback | Task question + criteria + the submitted draft. No account data. | United States |
| Supabase | Authentication & managed PostgreSQL database | All account, task, submission, and feedback data at rest | Supabase region — Australia (Sydney) where available |
| Vercel | Application hosting & content delivery | HTTP traffic (transient), request/access logs | Global edge network; application functions run in the closest region to the user |
We also load Google Fonts from Google's CDN for typography. No user data is transmitted to Google beyond what is inherent in loading a public stylesheet (IP, user-agent).
We will notify schools in writing if we change or add a sub-processor.
4. Security practices
- Encryption in transit — all traffic served over HTTPS/TLS 1.2 or higher.
- Encryption at rest — database storage is encrypted by our managed provider (Supabase on AWS).
- Row-level security — database policies enforce that a student can see only their own submissions and a teacher can see only submissions to tasks they own, regardless of the credential presented by the client.
- Password storage — passwords are never stored in plain text; hashing is handled by Supabase Auth.
- Principle of least privilege — admin access is limited to named operators.
- Rate limiting & abuse protection — per-user and global daily limits are enforced on the feedback endpoint to prevent automated abuse and runaway cost.
- Dependency hygiene — security updates are applied regularly to third-party libraries.
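
For evaluators who want to see what the row-level security rule above looks like in PostgreSQL on Supabase, the following is an added illustration, not ProofReady's actual schema or policies. The table, column, and policy names are hypothetical; `auth.uid()` is the Supabase helper that returns the user id from the session JWT, and `authenticated` is the Supabase role for signed-in users.

```sql
-- Hypothetical schema: table and column names are assumptions for illustration.
create table tasks (
  id         uuid primary key default gen_random_uuid(),
  teacher_id uuid not null,          -- owner of the task
  title      text not null
);

create table submissions (
  id         uuid primary key default gen_random_uuid(),
  task_id    uuid not null references tasks (id),
  student_id uuid not null,          -- author of the draft
  draft      text not null
);

-- With RLS enabled and no matching policy, a query returns zero rows (default deny).
alter table tasks       enable row level security;
alter table submissions enable row level security;

-- Teachers see only tasks they own.
create policy tasks_owner_select on tasks
  for select to authenticated
  using (teacher_id = auth.uid());

-- Students see only their own submissions.
create policy submissions_student_select on submissions
  for select to authenticated
  using (student_id = auth.uid());

-- Teachers see only submissions to tasks they own.
create policy submissions_teacher_select on submissions
  for select to authenticated
  using (
    exists (
      select 1 from tasks t
      where t.id = submissions.task_id
        and t.teacher_id = auth.uid()
    )
  );

-- Students may insert drafts only under their own id.
create policy submissions_student_insert on submissions
  for insert to authenticated
  with check (student_id = auth.uid());
```

In PostgreSQL, the table owner and any role with the BYPASSRLS attribute are not restricted by these policies, so a reviewer would also confirm that only the low-privilege client key is ever shipped to the browser.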
5. Authentication
- Method: email + password authentication via Supabase Auth.
- Password reset: self-service via an emailed magic link.
- SSO: not currently supported; available on request for larger pilots (Google Workspace for Education, Microsoft 365).
- MFA: not currently enabled for end users; available on request.
- Sessions: short-lived JWT access tokens with refresh tokens, managed by Supabase.
6. Minors & school authorisation
ProofReady is used by secondary school students, many of whom are under 18. When a school pilots ProofReady:
- The school is the authorising body for student use. The school is responsible for obtaining any parental or guardian consent required under its own policies.
- Students should only use ProofReady under the direction of a teacher who has created the relevant task.
- Teachers' existing obligations under NSW Child Protection procedures and the Children and Young Persons (Care and Protection) Act 1998 (NSW) are not altered by use of the platform. ProofReady is not a reporting mechanism.
- The Terms & Conditions instruct students not to include disclosures of harm, abuse, or safety concerns in their drafts, and to use the supports listed (Kids Helpline, Lifeline, 000) or a trusted adult at school for those matters.
7. AI usage & training
- AI feedback is generated by Anthropic's Claude models via the Anthropic API.
- Per Anthropic's published API policy, API inputs and outputs are not used to train Anthropic's models. See anthropic.com/privacy.
- Anthropic may retain API inputs and outputs for a limited period for abuse detection and legal compliance only.
- ProofReady does not train or fine-tune any model on user submissions.
- ProofReady does not use submissions for any purpose other than generating the feedback the user requested and storing it so the user and their teacher can review it.
8. Breach notification
In the event of a data breach that is likely to result in serious harm to affected individuals, we will:
- Notify affected users within 72 hours of confirming the breach.
- For pilot schools, notify the nominated school contact within the same timeframe.
- Notify the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.
- Provide a written description of the breach, the data involved, and the steps users and the school should take.
9. Data retention & deletion
- Account and submission data is retained while a user's account is active.
- On account deletion (by the user, by the school, or at end of pilot), personal data is deleted or de-identified within 30 days.
- Short-term operational logs (error logs, access logs) are retained for up to 90 days.
- Deletion requests can be made at any time by emailing help@proofready.app.
- A school administrator ending a pilot can request bulk deletion of all accounts and submissions associated with the school.
10. Data Processing Agreement
For pilots that require a signed Data Processing Agreement (DPA), we can provide one on request. In most cases a simple exchange of letters is sufficient for a pilot; for larger or longer deployments a full DPA is available.
The DPA covers:
- Roles (ProofReady as processor; the school/teacher as controller of student data).
- Purpose of processing (generating formative feedback on drafts).
- Categories of personal data and data subjects.
- Obligations regarding confidentiality, security, sub-processing, and breach notification.
- Return or deletion of data at the end of the engagement.
This is a pilot. ProofReady is currently offered free of charge. The service is provided on a best-effort basis without a formal SLA. We aim to respond to support requests within one business day and to security incidents within 24 hours.
For compliance, security, procurement, or privacy enquiries: