Current status
Per-framework posture, updated when state changes (see the footer date). Standards we already meet are listed first.

COPPA (U.S. Children's Online Privacy Protection Act)
Aligned to: Children don't have independent accounts in our system. Verifiable parental consent is satisfied by the account-creation flow. Full detail on the Child Safety page.

GDPR Article 8 (children's data in the EU)
Aligned to: Default 16-year threshold honoured across EU member states. Parental consent captured at account creation. Data-subject rights honoured in-product.

Australian Privacy Principles (APPs)
Aligned to: Notifiable Data Breaches scheme obligations honoured per our security incident response. Privacy notice and family privacy notice published and dated.

FERPA (U.S. Family Educational Rights and Privacy Act)
Aligned to: School-tier contracts include FERPA-aligned terms covering directory information, parent access rights, and student record retention.

PCI-DSS (payment-card data)
Inherited: Card data never enters Crescender systems. Payment processing is handled by Stripe under their independently audited PCI-DSS Level 1 certification; we hold only opaque Stripe customer identifiers. This inherited coverage extends to the full card-data flow.

ISO 27001, Information Security Management
Awaiting certification: Scoping complete; risk register populated; Statement of Applicability drafted; internal audit cycle running. Target external audit: H1 2027.

ISO 9001, Quality Management
Awaiting certification: Quality policy and process maps drafted for engineering, support, and customer onboarding. Target external audit: H2 2027 (after 27001).

ISO 14001, Environmental Management
Awaiting certification: Aspect register in early draft. Material aspects identified (cloud-infrastructure carbon, hardware supply chain, business travel). Target external audit: 2028.

ISO 27701, Privacy Information Management
Awaiting certification: Roadmapped after ISO 27001 certification. Privacy-management practices currently align to APPs + GDPR-K; 27701 formalises the management system.
How our protocols meet these obligations
Compliance is the outcome of the day-to-day controls our engineering and operations teams run. The mapping below shows which protocols satisfy which obligations:
- Encryption in transit and at rest satisfies the ISO 27001 cryptography control set and the APPs / GDPR / FERPA requirement for protecting personal information from unauthorised disclosure. Detailed in our Security controls.
- Row-level data isolation enforces the APP 11 / GDPR Article 32 obligation to prevent cross-tenant access and underpins the FERPA requirement for per-student record access boundaries.
- Verifiable parental consent at account creation is what discharges COPPA 312.5 and GDPR Article 8. Children never hold an independent account, which is what removes the practical exposure these frameworks exist to prevent.
- 30-day sub-processor change notice with opt-out for school-tier DPAs is what discharges APP 8 / GDPR Article 28 for material changes to processing arrangements. See the Sub-processors page.
- Notifiable Data Breaches process meets the OAIC’s 30-day assessment + notification obligation under the Privacy Act and Article 33 / 34 of GDPR. Internal SEV-1 acknowledgement targets are published on the Security page.
- In-product data export and account deletion satisfy the GDPR right of access (Article 15), right of erasure (Article 17), and APP 12 / 13 access + correction rights without any manual ticket flow.
ISO 27001, what’s in scope
The scope of our ISO 27001 ISMS (Information Security Management System) covers the design, development, operation, and support of all Crescender products: the Crescender web platform, the iOS + Android native apps as they ship, Clavet, My Crescender Family, and Creduca.
Within that scope: every system that processes user data, every workstation engineers use to author code, and every category of third-party service we route data through. The list of sub-processors is published on the Sub-processors page; specific vendor identities for security-sensitive layers are disclosed to school and enterprise customers under a Data Processing Addendum.
What schools and enterprises can ask for today
Ahead of formal certification, we can supply:
- Current ISO 27001 readiness status with the in-progress Statement of Applicability summary.
- Completed CAIQ (Consensus Assessments Initiative Questionnaire); we maintain a current copy.
- Our Data Processing Addendum template (see the Sub-processors page for the sub-processor categories reproduced from the DPA; specific vendor identities are disclosed in the signed DPA itself).
- Annual penetration-test summary; most recent report available under NDA.
Email hello@crescender.com.au with your organisation, use case, and the documents you need.
Reading the state labels
- Aligned to: our protocols satisfy the standard’s requirements without a formal external audit. Self-attested; evidence available on request.
- Awaiting certification: roadmap commitment, internal work underway, external auditor engaged or scheduled. Target audit window published per framework.
- Inherited: the obligation is satisfied because the regulated data class is handled exclusively by a certified sub-processor and never enters our own systems.
- We don’t use a Certified badge on any framework where we haven’t completed an independent external audit.
Last updated: 27 May 2026