Catholic Education Tasmania

Security & Compliance

Introduction

CET Cor is built on a foundation of industry-standard security controls, with all systems and data hosted within Australia to meet local regulatory and privacy requirements. This document describes how we protect your data, ensure continuous availability, and maintain compliance with the Australian Privacy Act and Catholic Education Tasmania ICT policies.

Infrastructure and Network Security

Our application is deployed on Vercel’s Pro/Enterprise platform in the AWS Sydney region, delivering low-latency access via a global edge network. Every request—both web and API—is encrypted in transit using TLS 1.3. Administrative access to Vercel’s control plane is restricted through single sign-on (SSO) and multi-factor authentication, and only designated engineers have permissions to change infrastructure settings.

Build logs, runtime logs, and edge-function output are forwarded in real time to our observability platform via Vercel Log Drains, ensuring we never lose visibility into system behaviour.

Authentication and Access Control

We rely on Clerk to handle user identity, single sign-on (SAML/OIDC), social login (Google, Microsoft), and built-in multi-factor authentication (TOTP, SMS). Clerk issues and rotates JSON Web Tokens automatically, and supports server-side session revocation to protect against credential compromise.

Within PayloadCMS, we enforce role-based access control and field-level permissions to ensure that only authorised users (Administrator, Editor, Teacher, Guest) can view or modify content. All CMS APIs and the admin UI are protected by Clerk’s authentication middleware.
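The following is an added example, not CET Cor's code or Payload's own, showing what role-based collection access and a field-level permission look like in the shape Payload CMS access functions take (a function receiving the request and returning a boolean). The four role names come from this page; the collection, its field names, the `role` property on `req.user`, and the `authorise` helper that evaluates the rules are assumptions made for illustration.

```javascript
// Added example (not CET Cor's or Payload's own code): role-based and
// field-level access rules in the shape Payload CMS access functions take,
// i.e. ({ req }) => boolean, where req.user is the authenticated user.
// Role names follow the page (Administrator, Editor, Teacher, Guest); the
// collection, the field names and the 'role' property are assumptions.

const ROLES = ['Administrator', 'Editor', 'Teacher', 'Guest'];

// Returns an access function that passes only when the request carries a
// user whose role is one of `allowed`. Unauthenticated requests
// (req.user undefined) and unknown role strings are always denied.
function hasRole(allowed) {
  return ({ req }) => {
    const role = req && req.user && req.user.role;
    return ROLES.includes(role) && allowed.includes(role);
  };
}

// Collection-level rules: any authenticated role may read lessons, Editors
// and Administrators may create or update, only Administrators may delete.
const Lessons = {
  slug: 'lessons', // assumed collection
  access: {
    read: hasRole(['Administrator', 'Editor', 'Teacher', 'Guest']),
    create: hasRole(['Administrator', 'Editor']),
    update: hasRole(['Administrator', 'Editor']),
    delete: hasRole(['Administrator']),
  },
  fields: [
    { name: 'title', type: 'text' },
    // Field-level rule: the publishing flag is readable by everyone who can
    // read the document, but may only be changed by an Administrator, even
    // when the request already passed the collection-level update check.
    {
      name: 'published',
      type: 'checkbox',
      access: {
        read: () => true,
        update: hasRole(['Administrator']),
      },
    },
  ],
};

// Evaluate one operation against the rules above. For updates, fields the
// user is not permitted to change are dropped from the data rather than
// rejecting the whole request, which is the behaviour to expect from
// field-level permissions. This helper mirrors the server-side decision so
// it can be reasoned about and tested without a running CMS.
function authorise(collection, operation, req, data = {}) {
  const rule = collection.access[operation];
  if (!rule || !rule({ req })) return { allowed: false, data: null };
  if (operation !== 'update') return { allowed: true, data };
  const permitted = {};
  for (const field of collection.fields) {
    if (!(field.name in data)) continue;
    const fieldRule = field.access && field.access.update;
    if (!fieldRule || fieldRule({ req })) permitted[field.name] = data[field.name];
  }
  return { allowed: true, data: permitted };
}
```

The point worth checking in practice is the second layer: an Editor's update that includes `published: true` is accepted, but the flag is silently stripped, so the collection-level rule alone does not tell you what a role can change.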

Data Security and Privacy

All data at rest is encrypted using AES-256: MongoDB Atlas encrypts database volumes and automated backups, and our object-storage provider secures user uploads with their managed key-management service. In transit, every service-to-service call and client interaction is protected by TLS 1.3.

We practise “privacy by design” by collecting only the minimum personal data needed, capturing explicit user consent where required, and aligning all data-handling procedures with the Australian Privacy Act’s APP 1–13 breach-notification and handling guidelines.

Observability, Alerting & Intrusion Detection

We centralise logs, metrics, and traces in Datadog. All Vercel logs and structured JSON audit events flow into Datadog Logs, where we maintain searchable indices and business-metric dashboards tracking request volume, error rates, and performance percentiles. Datadog APM (instrumented via OpenTelemetry in our Next.js serverless functions) provides end-to-end tracing and resource-utilisation insights.

To detect threats at the perimeter, we leverage Vercel’s edge firewall—which includes DDoS mitigation and built-in WAF rules—to block volumetric attacks and application-layer exploits in real time. Within Datadog Security Monitoring, automated detection rules mapped to the MITRE ATT&CK™ framework analyse ingested logs for signs of intrusion—brute-force attempts, port scans, anomalous network flows—and generate alerts for on-call response.

All monitors (spiking error rates, SLO breaches or security alerts) trigger incidents in PagerDuty, which handles escalation via SMS, call, and push notifications.

Error Tracking

Sentry is integrated across both front-end and back-end code paths to capture uncaught exceptions, correlate errors with specific releases, and provide rich context—stack traces, user actions, and environment data. This real-time error insight accelerates debugging and helps us maintain a high level of service reliability.

Audit Trails

Every critical action—user login, data export, and configuration change—emits a structured JSON audit record from within our application. These audit logs are tagged, indexed, and stored in Datadog Logs with write-once, read-many (WORM) retention enabled.

This ensures an immutable history that can be exported via API for offline archival and compliance reporting whenever required.
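To make the two pieces above concrete, here is an added example (not CET Cor's code and not a Datadog detection rule) that covers both the structured JSON audit record described in this section and the brute-force detection mentioned under Observability: it emits one JSON object per line for login, export and configuration events, then runs a sliding-window count of failed logins per source address over a batch of those lines. The field names, the threshold of five failures in five minutes, and the sample events are all constructed assumptions.

```javascript
// Added example (not CET Cor's code or a Datadog rule): emit the kind of
// structured JSON audit record the page describes, then run a simple
// brute-force detection over a batch of such records. Field names, the
// threshold and the window are assumptions; the events are constructed.

// Build one audit record. Optional fields are omitted rather than left
// undefined so every line has a stable, indexable shape.
function auditRecord({ action, actor, outcome, sourceIp, at, detail }) {
  const record = {
    ts: new Date(at).toISOString(),
    action,                        // 'user.login' | 'data.export' | 'config.change'
    actor: actor || null,          // user identifier, null if unauthenticated
    outcome,                       // 'success' | 'failure'
    source_ip: sourceIp,
  };
  if (detail) record.detail = detail;
  return record;
}

// One JSON object per line is what a log drain and a log index ingest cleanly.
function toLogLine(record) {
  return JSON.stringify(record);
}

// Detection: more than `threshold` failed logins from one source address
// inside any `windowMs` sliding window is reported as a brute-force attempt.
// Only login failures count; successes and other actions are ignored.
function detectBruteForce(lines, { threshold = 5, windowMs = 5 * 60 * 1000 } = {}) {
  const failures = new Map(); // source_ip -> failure timestamps (ms)
  for (const line of lines) {
    const r = JSON.parse(line);
    if (r.action !== 'user.login' || r.outcome !== 'failure') continue;
    const list = failures.get(r.source_ip) || [];
    list.push(Date.parse(r.ts));
    failures.set(r.source_ip, list);
  }
  const alerts = [];
  for (const [ip, times] of failures) {
    times.sort((a, b) => a - b);
    let start = 0, maxCount = 0, maxStart = 0, maxEnd = 0;
    for (let end = 0; end < times.length; end++) {
      // Slide the window start forward until it spans at most windowMs.
      while (times[end] - times[start] > windowMs) start++;
      const count = end - start + 1;
      if (count > maxCount) { maxCount = count; maxStart = start; maxEnd = end; }
    }
    if (maxCount > threshold) {
      alerts.push({
        source_ip: ip,
        failures: maxCount,
        window_start: new Date(times[maxStart]).toISOString(),
        window_end: new Date(times[maxEnd]).toISOString(),
      });
    }
  }
  return alerts;
}

// Constructed sample batch: seven rapid failures from one address (should
// alert), three failures spread over twenty minutes from another (should
// not), plus unrelated successful events that the rule must ignore.
function sampleLines() {
  const events = [];
  for (let i = 0; i < 7; i++) {
    events.push(auditRecord({
      action: 'user.login', actor: 'teacher.a', outcome: 'failure',
      sourceIp: '203.0.113.7', at: Date.UTC(2024, 4, 1, 8, 0, i * 20),
    }));
  }
  for (const minute of [0, 10, 20]) {
    events.push(auditRecord({
      action: 'user.login', actor: 'editor.b', outcome: 'failure',
      sourceIp: '198.51.100.4', at: Date.UTC(2024, 4, 1, 8, minute, 0),
    }));
  }
  events.push(auditRecord({
    action: 'user.login', actor: 'teacher.a', outcome: 'success',
    sourceIp: '203.0.113.7', at: Date.UTC(2024, 4, 1, 8, 2, 30),
  }));
  events.push(auditRecord({
    action: 'config.change', actor: 'admin.c', outcome: 'success',
    sourceIp: '10.0.0.5', at: Date.UTC(2024, 4, 1, 9, 0, 0),
    detail: { setting: 'session_timeout', from: 30, to: 15 },
  }));
  return events.map(toLogLine);
}
```

Running `detectBruteForce(sampleLines())` yields a single alert for 203.0.113.7 with seven failures; the spread-out failures from 198.51.100.4 never exceed the threshold inside one window, and the successful events do not contribute. In a real pipeline the same logic would read from the Datadog index rather than an in-memory array, and the alert would be what PagerDuty receives.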

Backup and Disaster Recovery

MongoDB Atlas takes encrypted snapshots every 24 hours, retaining them for 90 days and enabling point-in-time restore for the past 24 hours. We conduct quarterly disaster-recovery drills against a secondary AWS region to verify our fail-over processes, with a Recovery Time Objective (RTO) under 4 hours and a Recovery Point Objective (RPO) under 1 hour.

Vulnerability Management

Dependency vulnerabilities are detected and remediated via Dependabot, which raises pull requests for required security patches. Our application and infrastructure undergo quarterly automated scans against the OWASP Top 10 and SANS Top 25, and we engage an ACSC-certified third party for a full penetration test annually.

High-severity findings are triaged and resolved within 24 hours of discovery.

Incident Response and Support

We maintain a documented incident-response playbook that defines roles, communication channels, and breach-notification SLAs (under 72 hours). PagerDuty drives our 24×7 on-call support, ensuring that any critical incident is escalated immediately.

After each Severity 1 or 2 event, we perform a root-cause analysis and track corrective actions to closure.

Continuous Improvement

Security controls and compliance posture are reviewed quarterly by our internal security team, incorporating pen-test results, scan findings, and newly identified risks. An annual internal audit verifies adherence to the Australian Privacy Act and CET ICT policies, with any gaps addressed through updates to processes, configurations, or training.

Conclusion

CET Cor’s security and compliance measures are designed to give Catholic Education Tasmania full confidence that data remains secure, private, and available, while minimising operational overhead for your team.