UniRubric — Compliance Attestations
2026-05-15
For institutional security reviews

What we attest to today. What’s on the roadmap.

Honest scope: this page separates four statuses: what UniRubric has today (complete), what is signed up for and underway (in progress), what is committed but not yet started (planned), and what does not apply to this product (not applicable).

  • Australian Privacy Principles (APP)

    Complete

    Registered AU operator. Privacy Policy and Notifiable Data Breach scheme alignment documented. Cross-border disclosure section in Privacy Policy at /privacy.

  • GDPR — Article 28 DPA

    Complete

    Data Processing Addendum available on contract. EU tenant region (eu-central-1) available for institutions with sovereignty requirements.

  • GDPR — Article 35 DPIA

    In progress

    Data Protection Impact Assessment template authored. Institution-specific DPIA completed jointly with each EU pilot.

    Target: Per-pilot basis from first EU institutional pilot
  • FERPA (US institutions)

    In progress

    FERPA-aligned data handling documented. School Official designation language available in MSA. US tenant region (us-east-1) available on contract.

    Target: Reviewed jointly with each US pilot
  • SOC 2 Type II

    Planned

    Type I readiness assessment scheduled. Type II audit follows the first full reporting period.

    Target: Audit firm engagement begins after the first institutional pilot is in steady-state; Type II report follows a full reporting period thereafter
  • ISO/IEC 27001

    Planned

    Not currently required by Australian higher-ed RFPs. Will pursue if at least three institutional procurement processes request it.

    Target: Demand-driven
  • CSA STAR (Level 1 — self-assessment)

    Complete

    CAIQ-Lite v4 pre-fill maintained as the canonical CSA STAR Level 1 document for UniRubric. Reissued at least quarterly and on material configuration change.

  • CSA STAR (Level 2 — third-party attestation)

    Planned

    Follows SOC 2 Type II completion.

    Target: Follows SOC 2 Type II completion
  • PCI DSS

    Not applicable

    UniRubric never sees a card number. Payment is handled by Stripe and PayPal, both PCI DSS Level 1. We store only Stripe/PayPal customer references.

  • HIPAA

    Not applicable

    UniRubric is an education product, not a health product. No PHI handled.

UniRubric · info@unirubric.com