A deeper look at the technology stack underpinning Orca and the security credentials of each layer. We believe schools deserve to understand what they're relying on — not just a badge and a tagline.
Orca runs on a managed cloud hosting platform. "Managed" means server-level security operations are handled on our behalf by a certified operator — including firewalls, intrusion detection, automated security patching and server hardening — so that Orca benefits from enterprise-grade infrastructure management.
Our managed hosting provider holds the following independently verified certifications:
The infrastructure Orca runs on has been independently audited against internationally recognised security standards. Server-level controls — including patching, access management, firewall rules and monitoring — are maintained by a certified operator, not managed ad hoc.
Our managed hosting provider deploys Orca on an enterprise cloud infrastructure platform. Our environment runs in an Australian data centre, meaning all data is physically located in Australia.
The cloud infrastructure platform holds the following certifications and attestations:
The physical and network infrastructure hosting Orca data has been assessed against globally recognised cloud security standards. Data centre facilities — including physical security, environmental controls and network infrastructure — are certified to ISO 27001.
Orca is a proprietary SaaS product built using proven, industry-standard technologies. Security is a first-class concern throughout our development process — not an afterthought.
Security and privacy requirements are considered at every stage of development. The application is designed to collect only the data necessary to deliver the service, enforce strict access boundaries, and support schools in meeting their obligations under the Australian Privacy Act 1988.
Orca includes built-in tools to support privacy compliance, including the ability to action data access, correction and deletion requests, manage user consent, and enforce data retention policies. These controls are part of the core product, not optional add-ons.
Orca does not collect, use or monetise student data for any commercial purpose. Student data is used solely to deliver the activity planning service and is never shared with third parties for advertising, profiling or any other commercial purpose.
The server environment running Orca is built on proven, industry-standard technology with strong, long-standing security credentials.
We run a current Long-Term Support (LTS) server operating system that receives regular security patches and is the industry standard for production server environments.
We use one of the world's most widely deployed web servers, with decades of active security development and community oversight.
User and activity data is stored in a robust, enterprise-grade relational database with a strong security heritage, supporting encrypted connections and fine-grained access control.
All components are kept up to date with security patches as part of our managed hosting arrangement.
We strongly recommend schools connect Orca via SSO through their existing identity provider (Microsoft Entra ID / Azure AD, Google Workspace, or similar). SSO means no separate passwords, authentication governed by your school's own security policies and MFA settings, and automatic account management as people join or leave.
Our platform supports MFA natively. When SSO is used, MFA is inherited from the school's identity provider. For installations not using SSO, MFA can be enabled at the platform level.
Orca enforces role-based access within the application. Each user role — Administrator, Coordinator, Teacher, Student — is granted only the permissions necessary for their function. Access to student data is restricted to users with a legitimate need.
Automated Backups — Orca environments are backed up automatically on a regular schedule by our managed hosting provider. Backups include the database and application files, and are retained to support recovery from data loss, accidental deletion or system incidents.
Recovery — In the event of a data loss incident, backups can be used to restore the Orca environment. Schools can contact us to initiate a restore or to request confirmation of backup status and scheduling.
All Orca data — including school profiles, user accounts, activity records and any uploaded content — is stored and processed within Australia. We do not transfer data outside Australia.
We do not use content delivery networks or analytics platforms that route Australian school data through overseas servers.
Schools conducting security due diligence are welcome to contact us. We can provide:
See how Orca transforms activity management at your school. Book a personalised demo and we'll walk you through exactly how Orca fits your workflows.