FAQ - RollCall Data Security

Modified on Tue, 18 Feb at 3:36 PM

General Questions

Q: Is RollCall ISO 27001 compliant?
A: Yes, RollCall has been ISO 27001 compliant since September 2024. If required, we can provide the official certificate.


Q: How does RollCall handle penetration testing and system security?
A: We run monthly automated penetration tests and continuously monitor all AWS CloudTrail logs for unusual activity. Clients are notified within 14 days of any High or Critical findings. Furthermore, RollCall conducts regular security reviews, including penetration testing, security discussions, and assessments of best practices. Our threat detection systems are powered by AWS, ensuring proactive security measures.


Q: Does RollCall have an assessment against the Essential Eight as outlined by the Australian Signals Directorate?
A: Although we do not have a current Essential Eight assessment, RollCall is ISO 27001 compliant, which covers similar security principles and standards.


Q: Does RollCall support Single Sign-On (SSO)?
A: Yes. RollCall supports Single Sign-On (SSO) for users in the Admin and Parent roles, or a hybrid approach that combines SSO with manual user invitations, depending on client preference. System users cannot self-enrol or gain access without authorisation from a system administrator.


Q: Where is RollCall’s data hosted, and what is the data sovereignty status?
A: All data is hosted securely within AWS Sydney, ensuring full compliance with Australian data sovereignty requirements.


Q: What is RollCall’s data backup strategy and data protection measures?
A: Automated RDS snapshots are taken continuously and retained for the first 30 days. After that, manual snapshots are taken at regular intervals. RollCall also uses AES-256 encryption for data at rest and TLS for data in transit.


Q: What is RollCall’s data security policy?
A: RollCall maintains a comprehensive Data Security Policy, which governs the handling of school, student, parent, and other sensitive company data across all RollCall systems. The policy includes measures such as:

  • Unique user IDs for accountability
  • Logging of user access for security incident investigations
  • Hosting data securely in AWS data centers in Australia
  • Encryption using AES-256 for data at rest and TLS for data in transit
  • Regular security reviews and assessments, including penetration tests
  • Vetting of staff with working with children checks and reference checks
  • Retention of data for the duration of student enrolment plus seven years, with schools able to request their data at any time during the engagement period

The policy is regularly reviewed to meet evolving security requirements.


Data Sharing Between Schools & RollCall

Q: How should sensitive data be shared between RollCall and clients?

  • Best Practice Approach:
    The most secure method for managing sensitive data is to keep all data on the client's internal servers. Data should only be uploaded to RollCall once it has been properly formatted for our system.

    • Office 365: If you use Office 365, you can securely share documents via SharePoint. Create a folder called "RollCall Documents" and share it with the RollCall team. It is recommended to set a password for this folder and send the password separately via text message.
    • Dropbox: Alternatively, you can use Dropbox to share documents securely. Instructions for setup are available through the provided link.

  • Alternative Approach:
    If the client is unable to provide a secure cloud service, RollCall will provide a secure SharePoint folder to manage document sharing. Clients will receive a URL for access, and passwords will be sent separately via text message. Documents should be uploaded directly to the system once they are ready.

  • No Sharing Outside of These Methods:
    RollCall does not accept sensitive data shared via local drives or email. All sensitive data must be stored on secure servers to avoid unintended data leaks.


Data Ownership and Access

Q: Who has access to RollCall’s data?
A: No external vendors other than AWS have access to the data in RollCall’s environment. All RollCall developers and staff are employees, and privileged access to data is granted only with written authorisation from the CEO.


Q: What happens to client data at the completion of a contract?
A: Data is owned by the client and can be deleted upon request at the completion of the contract. RollCall does not retain copies of deleted data.


Still Have Questions?

If your question isn’t answered here, please contact RollCall Support at support@rollcall.com.au for further assistance.
