Every decision we've made about how Orca is built and hosted has been made with school data security in mind. From the technologies we've chosen to the infrastructure we run on, your school's data is protected by enterprise-grade, independently certified security at every level.
Orca is built on a layered security model. Rather than building security from scratch, we've chosen best-in-class providers at every level — each holding internationally recognised, independently audited security certifications — and added our own application-level controls on top.
Our server infrastructure is provided by a cloud hosting provider that holds SOC 2 Type II certification, independently audited against internationally recognised security standards for data security, availability and confidentiality. The underlying data centre facilities are certified to ISO 27001 — the international standard for information security management.
Orca runs on a managed hosting platform that holds SOC 2 Type II, ISO 27001 and PCI DSS certifications. "Managed" means server-level security — firewalls, patching, access controls and monitoring — is handled by a certified operator, not left to chance.
Orca is built using proven, industry-standard technologies with strong security track records. Security is treated as a first-class concern throughout development — not an afterthought. Our application enforces strict access controls, encrypted communications and privacy-by-design principles at every layer.
All Orca data is stored and processed in Australia. We do not transfer student or school data offshore. Your data stays where your school is.
Beyond the infrastructure, Orca itself is built with security and privacy at its core.
We strongly recommend — and fully support — Single Sign-On for all school users. SSO means your staff and students authenticate through your school's existing identity provider, removing the need to manage separate Orca passwords and reducing the risk of credential-based breaches.
Orca enforces role-based access within the application. Users only see the data and features relevant to their role. Administrators, coordinators, teachers and students each have clearly defined and limited access — following the principle of least privilege.
All data transmitted between your browser and Orca is encrypted using TLS (Transport Layer Security). Data at rest is protected at the infrastructure level by our certified hosting provider.
Regular automated backups are taken and managed by our hosting platform, supporting recovery in the event of data loss or a system incident.
Privacy is built into Orca from the ground up, not bolted on. The system is designed to collect only the data needed to run the service, enforce access boundaries at the application level, and support schools in meeting their obligations under the Australian Privacy Act 1988 — including the ability to action data access, correction and deletion requests.
User and activity data is stored in a robust, enterprise-grade relational database on a hardened server environment, managed and patched by our certified hosting provider.
When your school uses Orca, you are the data controller. Orca acts as a data processor — we handle your data only to deliver the service, and only in accordance with the terms you've agreed to.
We will never sell, share or monetise your school's data or your students' data. We collect only what is needed to run the service.
You have the right to request a copy of your data, ask us to correct or delete data, and receive a plain-language answer to any question about how your information is used.
We're happy to answer any questions about how Orca handles your school's data. If you're a school IT manager or privacy officer conducting due diligence, we can provide further documentation — including details of our hosting providers and their certifications — on request.
Orca is operated in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Certification references on this page relate to Orca's infrastructure and hosting providers. Full sub-processor details are available to schools on request.