The straight answers CISOs, procurement, and academic-integrity offices are looking for.

No marketing softening. The standards we meet today, the ones we are pursuing on a published timeline, and the ones we have chosen not to pursue — and why.

Data posture

Where the data lives, how long, who sees it, and what happens when you delete it.

  • Where your data lives

    All customer data, all student submissions, all rubrics, all grading runs — region-pinned to Supabase Pro in Sydney (AWS ap-southeast-2). No cross-region replication. No data leaves Australia under standard operating conditions.

  • Who can see it

    Only authenticated users from your institution, scoped through Row-Level Security at the database layer. UniRubric staff have access only via support tickets your institution opens, logged in our audit trail, and only to data you direct us to.

  • How long we keep it

    Active assignments: indefinitely while your subscription is current. Deleted assignments: hard-deleted from production within 24 hours, removed from backups within 35 days. Grading-run audit logs retained for seven years for academic-integrity defensibility.

  • What we encrypt

    TLS 1.3 in transit on all surfaces. AES-256 at rest on the database. Per-tenant column encryption for sensitive student-identifier fields. Backups encrypted with separately-managed keys.

  • Backups

    Point-in-time recovery up to 7 days, daily snapshots up to 35 days. Restored backups land in the same Sydney region, never cross-region.

  • Subprocessors

    AWS Sydney (infrastructure), Vercel (hosting, Sydney region), Supabase (database & auth, Sydney), Anthropic (model inference, no-training contract), Stripe & PayPal (payments, AU), Resend (transactional email), Cloudflare (edge security), Upstash (rate-limit & queue, Sydney), PostHog (product analytics, EU instance), Sentry (error monitoring, EU instance), Google Workspace (internal email). Full list with locations, certifications, and contractual binding in our Subprocessor Disclosure.

AI disclosure

How the model is used, what it cannot do, and what is logged every time it is asked.

  • We do not train on your data

    Customer submissions, rubrics, grades, edits, and feedback are never used to train, fine-tune, or improve any model — ours or any vendor's. This is contractually enforced with our model provider (Anthropic) under a no-training data-processing agreement.

  • Which models we use

    Anthropic Claude family, accessed via the Anthropic API. Three-step grading pipeline: a fast model for ingestion and extraction, a mid-tier model for rubric-anchored scoring, and a top-tier model for final judgement. Model versions are pinned per release; see our changelog.

  • Lecturer review is required

    Every grade UniRubric produces is a draft, not a decision. No grade is released to a student until a lecturer reviews, edits, and approves. This is enforced in the database, not just in the UI — auto-release is not an option we offer.

  • Every grade is anchored

    Every score links to a verbatim phrase from your rubric and a verbatim phrase from the student's submission. If we cannot quote the evidence, we do not score the criterion. This is what makes the grade defensible at appeal.

  • Audit trail by default

    Every grading run, every edit, every approval, every release is logged immutably. The audit log includes the rubric phrase, the evidence phrase, the model version, the lecturer who approved, and the timestamp. Available to your institution on request.

  • We disclose when AI was used

    Feedback released to students through UniRubric carries a clear disclosure that AI was used to draft the assessment and that a lecturer reviewed and approved it. Your institution can customise the disclosure wording.

Access & authentication

  • Authentication

    Email + password with Argon2id hashing, Google OAuth, and Microsoft Entra (institutional SSO, available on request). LTI 1.3 launch-anchored sessions for in-LMS access.

  • LMS integration

    LTI 1.3 Resource Link Launch (Phase 1, live in production). Assignment & Grade Services (AGS) integration in active rollout. Supports Canvas, Moodle, Blackboard.

  • Authorisation

    Role-based access — student, lecturer, faculty admin, institutional admin — enforced at the database layer via Postgres Row-Level Security. A lecturer in one subject cannot see grades in another.

  • Session security

    Short-lived access tokens, rotating refresh tokens, IP-pinned admin sessions. Suspicious-activity detection with automatic re-authentication.
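As an added illustration (not UniRubric's own schema or code), this is how the two database-layer guarantees described above, lecturer scoping through Postgres Row-Level Security and the no-release-without-approval rule, can be expressed in Postgres on Supabase; the table and column names are assumed, and `auth.uid()` is Supabase's helper for the signed-in user's id.

```sql
-- Hypothetical schema (assumed, not UniRubric's): each grade belongs to a
-- subject, and a lecturer is linked to the subjects they teach.
CREATE TABLE subjects (id bigint PRIMARY KEY, name text NOT NULL);
CREATE TABLE lecturer_subjects (
  lecturer_id uuid   NOT NULL,        -- matches auth.uid() for that lecturer
  subject_id  bigint NOT NULL REFERENCES subjects(id),
  PRIMARY KEY (lecturer_id, subject_id)
);
CREATE TABLE grades (
  id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  subject_id  bigint NOT NULL REFERENCES subjects(id),
  student_id  uuid   NOT NULL,
  score       numeric,
  approved_by uuid,                   -- lecturer who approved; NULL = still a draft
  approved_at timestamptz,
  released_at timestamptz,
  -- "No grade is released until a lecturer approves", enforced by the table
  -- itself: a released row must carry an approval, whatever the UI does.
  CONSTRAINT release_requires_approval
    CHECK (released_at IS NULL
           OR (approved_by IS NOT NULL AND approved_at IS NOT NULL))
);

-- Row-Level Security: once enabled, every query against grades is filtered
-- by the policies below. FORCE applies them to the table owner as well.
ALTER TABLE grades ENABLE ROW LEVEL SECURITY;
ALTER TABLE grades FORCE ROW LEVEL SECURITY;

-- A lecturer can read or write rows only for subjects they are linked to,
-- so a lecturer in one subject cannot see grades in another.
CREATE POLICY lecturer_own_subjects ON grades
  FOR ALL
  TO authenticated                    -- Supabase's role for signed-in users
  USING (subject_id IN (SELECT subject_id FROM lecturer_subjects
                        WHERE lecturer_id = auth.uid()))
  WITH CHECK (subject_id IN (SELECT subject_id FROM lecturer_subjects
                             WHERE lecturer_id = auth.uid()));

-- A student sees only their own grades, and only once released (never drafts).
CREATE POLICY student_own_released ON grades
  FOR SELECT
  TO authenticated
  USING (student_id = auth.uid() AND released_at IS NOT NULL);
```

With these in place, a query such as `SELECT * FROM grades` from a lecturer session returns only their subjects' rows, and an `UPDATE grades SET released_at = now()` on an unapproved row fails on the CHECK constraint rather than relying on application code.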

Compliance posture

Honest about what is in place, what is on the timeline, and what we have chosen not to pursue.

  • AU Privacy Act 1988

    Aligned today

    The 13 Australian Privacy Principles applied across the platform. Notifiable Data Breaches scheme honoured. Privacy Impact Assessment available on request.

  • GDPR

    Aligned today

    Lawful basis declared per data category. Data subject access requests handled within 30 days. EU-resident PostHog instance for product analytics.

  • FERPA

    Aligned today

    For US institutional deployments. Directory-information opt-out language available. Audit trail satisfies the regulatory record-keeping requirement.

  • TEQSA alignment

    Aligned today

    Higher Education Standards Framework 2021 — Section 5 (institutional quality assurance) and Section 6 (governance & accountability) considered in product design.

  • SOC 2 Type I

    Roadmap — Q4 2026

    Pre-audit work in progress with a Big 4 firm. Targeted attestation Q4 2026, ahead of our first enterprise renewal cycle.

  • IRAP assessment

    Roadmap — 2027

    Pursued when first government-sector or Defence-adjacent customer engagement requires it. Not in scope for the current pilot cohort.

  • ISO 27001

    Not pursuing

    We have chosen SOC 2 over ISO 27001 for the first attestation cycle. SOC 2 is the standard procurement actually asks us about, in our market. We may revisit this if a major institutional buyer asks for ISO 27001 specifically.

Responsible disclosure

Found something? Tell us, not Twitter.

Security researchers who report a vulnerability through responsible disclosure get acknowledgement, a written response within 72 hours, and a clear remediation timeline. We do not yet run a paid bug bounty — we are too early — but we credit researchers in our security log unless they prefer to remain anonymous.

Lodge your report via the security contact form with reproduction steps. Encrypted submissions accepted; PGP key on request.

Security bundle

Access the security & AI brief.

Four fields. Then the architecture diagrams, isolation model, encryption posture, and the rest of what your security review needs.

We will not call you unless you reply asking for a call.