- Security Data
Security & Data Residency Compliance Charter
Last Updated: 17 March 2026
1. Purpose and Scope
This Security & Data Residency Compliance Charter outlines how we — go-liberty Pty Ltd (Australia, ACN 681 835 656), the holding company ultimately responsible for the platform, together with its operational entity Boarding School Software (Pty) Ltd (South Africa, Reg No. 2020/074598/07) — protect personal data, respect privacy, and align with global best-practice data protection standards. Boarding School Software (Pty) Ltd delivers the platform operationally and manages marketing and day-to-day service delivery.
Throughout this Charter, the terms “we”, “us”, and “our” refer collectively to go-liberty Pty Ltd and Boarding School Software (Pty) Ltd, as appropriate in context. The Boarding School Software (BSS) brand is the public-facing name of the platform.
This Charter is designed as a high-level assurance document for schools and prospective clients. It does not replace contractual terms. Further detail regarding legal responsibilities, data subject rights, and service terms is provided in our Privacy Policy and Terms & Conditions.
Our global commitments are set out in Sections 2–11 below. Because the European Union / United Kingdom and the United States of America impose specific, detailed obligations that warrant direct treatment, region-specific addendums for the EU/UK (Section 12) and the USA (Section 13) follow at the end of this Charter, mirroring the structure of our Privacy Policy.
2. Global Privacy Framework Alignment
This Charter is designed to align with major global data protection and privacy frameworks, including but not limited to:
- EU / UK — General Data Protection Regulation (GDPR) and UK GDPR
- USA — Family Educational Rights and Privacy Act (FERPA), Children’s Online Privacy Protection Act (COPPA), California’s Student Online Personal Information Protection Act (SOPIPA), and equivalent state student privacy laws (including Vermont’s 9 V.S.A. § 2443)
- Australia — Privacy Act 1988 and the Australian Privacy Principles (APPs)
- New Zealand — Privacy Act 2020
- Canada — Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws
- South Africa — Protection of Personal Information Act (POPIA)
- Asia-Pacific — Personal Data Protection Act (PDPA) and comparable regional laws
We have drawn from the strongest elements of these frameworks to establish a unified, best-practice model as we operate across jurisdictions.
3. Data Residency & Regional Hosting
Schools select the geographic region in which their data is stored. Customer data is designed to remain within that chosen region and is not transferred across borders unless explicitly requested by the school or required for service delivery under appropriate safeguards.
Supported regions include Australia, New Zealand, European Union, United Kingdom, United States, Canada, Asia-Pacific, Africa, and the Middle East. Each region operates independently.
4. Cloud Infrastructure & Availability
All customer data is hosted within Amazon Web Services (AWS) regional data centres. Each deployment uses multiple availability zones to ensure resilience, fault tolerance, and load balancing. This architecture supports high availability and continuity of service.
5. Suppliers, Subprocessors and Development Partners
We engage a limited number of carefully selected subprocessors to deliver our services. These include:
- Cloud infrastructure providers (Amazon Web Services)
- Security and delivery services (Cloudflare)
- Development and support (go-liberty Pty Ltd, as internal provider to Boarding School Software (Pty) Ltd)
- Communication and analytics providers (Google, Intercom — the latter powering in-app support chat within the Platform)
All suppliers with potential access to personal data are required to operate under contractual terms, confidentiality obligations, and data-processing agreements aligned with GDPR or equivalent international standards. These obligations may include standard Terms of Service, Data Processing Agreements (DPAs), Standard Contractual Clauses (SCCs), non-disclosure agreements, and supplier security policies. Our development partner operates under formal services agreements, confidentiality provisions, and restricted access controls.
A detailed and up-to-date list of subprocessors, including locations and specific roles, is available upon request to our Data Protection Officer at dpo@go-liberty.com.
6. Information Security Controls
We implement layered security controls including:
- Encryption of data at rest and in transit
- Secure network design and segmentation
- Role-based access controls (RBAC)
- Multi-factor authentication (MFA) by default for all users
- Continuous infrastructure monitoring and threat detection
- Regular vulnerability assessments and penetration testing
- Secure software development lifecycle (SDLC) practices
- Ransomware-resilient backups and recovery processes designed to restore data in a timely manner following technical or physical incidents
7. Incident Readiness & Response
We maintain a formal Incident Management Procedure designed to detect, assess, contain, and remediate information security incidents.
Where a personal data breach is likely to result in risk to individual rights and freedoms, we will support school notification obligations and act within applicable regulatory timeframes, including:
- The 72-hour notification standard under GDPR (Article 33)
- Applicable United States federal and state breach notification laws (see Section 13.5)
- The Notifiable Data Breaches scheme under the Australian Privacy Act
- The breach reporting requirements under PIPEDA (Canada) and POPIA (South Africa)
8. Individual Rights & School Responsibility
Data protection laws grant individuals specific rights, including access, correction, erasure, portability, and withdrawal of consent. We contract directly with schools, not with parents, students, staff, or other individuals.
Schools act as the primary Data Controllers for student and staff information and are responsible for obtaining appropriate consents and managing individual requests. We provide the technical tools that enable schools to fulfil these obligations and support schools upon request.
9. Controller and Processor Roles
We act as a Data Controller where we determine the purpose and means of processing personal data, such as managing customer accounts, authentication, billing, and support communications. go-liberty Pty Ltd, as the holding company, carries ultimate responsibility for data protection decisions. Boarding School Software (Pty) Ltd manages operational processing.
We act as a Data Processor when schools use the platform to manage student, staff, and boarding-related data. In this role, we process personal data strictly in accordance with customer instructions and configured controls.
For United States institutions, we additionally operate as a “School Official with a legitimate educational interest” under FERPA when providing contracted services (see Section 13).
10. Data Deletion & Service Exit
Upon service termination, schools may request a structured export of their data. Active customer data is then securely deleted, and backup copies are managed to expire under controlled lifecycle policies. Institutions may request deletion of student covered information at any time during the service period, subject to applicable legal retention requirements.
11. Continuous Improvement
We regularly review security practices, infrastructure updates, regulatory developments, and boarding-sector requirements. Our security approach is aligned with internationally recognised standards but is not presented as a formal ISO certification.
Regional Addendums
The following sections describe how we meet the specific legal and regulatory requirements of the European Union / United Kingdom and the United States of America. These addendums supplement — and do not replace — the global commitments in Sections 2–11, and mirror the equivalent sections in our Privacy Policy.
12. European Union & United Kingdom — GDPR Addendum
For European Economic Area, United Kingdom, and Swiss institutions, we align our practices with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the UK Data Protection Act 2018.
12.1 Lawful Processing
We process personal data under lawful bases recognised by GDPR Article 6, including contract performance, legal obligation, legitimate interests, and consent.
12.2 Children’s Data
We apply GDPR Article 8 child-consent thresholds for users under 16 (or the relevant national threshold down to 13). Institutions are responsible for obtaining and documenting parental consent before uploading child data to the platform.
12.3 Cross-Border Transfers
We use EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum for cross-border transfers where required, or rely on adequacy decisions where applicable.
12.4 Breach Notification
We notify supervisory authorities within 72 hours of becoming aware of a qualifying personal data breach, in accordance with GDPR Article 33, and support affected institutions in notifying data subjects where required under Article 34.
12.5 Data Processing Agreements
We will sign GDPR-aligned Data Processing Agreements (including SCCs where applicable) with European and United Kingdom institutions on request.
12.6 Data Subject Rights
We enable data subjects in the EU/UK to exercise their full GDPR rights, including access, rectification, erasure, portability, restriction, and objection. Complaints may be lodged with the data subject’s national Data Protection Authority (for example, the UK Information Commissioner’s Office or the Irish Data Protection Commission).
13. United States — FERPA, COPPA & Student Privacy Addendum
For United States institutions, our platform is designed to meet the legal and ethical standards expected by schools, districts, and parents.
13.1 FERPA
We operate as a “School Official with a legitimate educational interest” under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g and 34 CFR Part 99. In this role, we perform institutional services that the institution would otherwise use its own employees to perform, and are bound by the same restrictions on the use and redisclosure of personally identifiable information (PII) from education records as the institution itself.
13.2 COPPA
For users under the age of 13, we comply with the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506. Where our platform is used by a PreK-12 institution, the institution may provide school-authorised consent for educational use in accordance with Federal Trade Commission guidance.
13.3 SOPIPA & State Student Privacy Laws (including Vermont)
Where we qualify as an ‘operator’ under United States state student privacy laws modelled on California’s Student Online Personal Information Protection Act (SOPIPA) — a representative example being Vermont’s Student Data Privacy Law, 9 V.S.A. § 2443 — we:
- Do not engage in targeted advertising to students.
- Do not build commercial profiles of students for non-educational purposes.
- Do not sell, rent, or barter student covered information.
- Delete covered student information on the request of the institution, subject to applicable legal retention requirements.
13.4 United States Data Residency
Personal data provided by United States institutions is stored in the United States AWS region by default.
13.5 Breach Notification under United States Law
We comply with applicable United States federal and state breach notification laws (including, by way of example, Vermont’s Security Breach Notice Act, 9 V.S.A. §§ 2430 and 2435), and will support affected institutions in notifying individuals, State Attorneys General, and other regulators as required.
13.6 Data Privacy Agreements
We will sign the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement or applicable state-specific variants — including the Vermont Student Data Privacy Agreement — with United States school districts and independent schools on request.
14. Contact & Review
Schools may request a technical or regional review covering data residency, access controls, authentication policies, incident response, and deletion processes. Demonstration environments may be provided upon request.
Holding Company (Ultimately Responsible)
go-liberty Pty Ltd (Australia)
ACN 681 835 656
10a Cavendish Street, Pimlico 4814
Queensland, Australia
P.O. Box 477, Aitkenvale BC 4814
Queensland, Australia
Operating & Marketing Entity
Boarding School Software (Pty) Ltd (South Africa)
Reg No. 2020/074598/07
No 9 5th Street, Linden, 2195
Postnet Suite 50, Private Bag X7, Parkview, 2122
South Africa
Correspondence
- General enquiries: policy@go-liberty.com
- Privacy & Policy matters: privacy@go-liberty.com
- Data Protection Officer (DPO): dpo@go-liberty.com
- Security & Compliance enquiries: privacy@go-liberty.com
End of Security & Data Residency Compliance Charter.
1. Purpose and Scope
This Security & Data Residency Compliance Charter outlines how Boarding School Software (BSS) protects personal data, respects privacy, and aligns with global best‑practice data protection standards. It is designed as a high‑level assurance document for schools and does not replace contractual terms. Further detail regarding data handling, legal responsibilities, and service terms is provided in our Privacy Policy and Terms & Conditions.
2. Global Privacy Framework Alignment
BSS aligns its data protection practices with leading international privacy and security frameworks, including but not limited to: GDPR (EU & UK), Australian Privacy Principles (APPs), New Zealand Privacy Act, CCPA and COPPA (USA), PIPEDA (Canada), PDPA (Asia‑Pacific), POPIA (South Africa), and comparable regional laws. We have drawn from the strongest elements of these frameworks to establish a unified, best‑practice model as we operate across jurisdictions.
3. Data Residency & Regional Hosting
Schools select the geographic region in which their data is stored. Customer data is designed to remain within that chosen region and is not transferred across borders unless explicitly requested by the school.
Supported regions include Australia, New Zealand, European Union, United Kingdom, United States, Canada, Asia‑Pacific, Africa, and the Middle East. Each region operates independently.
4. Cloud Infrastructure & Availability
All customer data is hosted within Amazon Web Services (AWS) regional data centres. Each deployment uses multiple availability zones to ensure resilience, fault tolerance, and load balancing. This architecture supports high availability and continuity of service.
5. Suppliers and Development Partners
BSS may engage third‑party suppliers such as cloud infrastructure providers, security services, and development partners where necessary to deliver and support the platform. All suppliers with potential access to personal data are required to operate under contractual terms, confidentiality obligations, and data‑processing agreements aligned with GDPR or equivalent international standards. These obligations may include standard Terms of Service, Data Processing Agreements (DPAs), Standard Contractual Clauses (SCCs), non‑disclosure agreements, and supplier security policies.
Our development partner operates under formal services agreements, confidentiality provisions, and restricted access controls.
6. Information Security Controls
BSS implements layered security controls including encryption of data at rest and in transit, secure network design, role‑based access controls, multi‑factor authentication, and continuous infrastructure monitoring. Backup and recovery processes ensure that data can be restored in a timely manner following technical or physical incidents.
7. Incident Readiness & Response
BSS maintains an Incident Management Procedure designed to detect, assess, contain, and remediate information security incidents. Where a personal data breach is likely to result in a high risk to individual rights and freedoms, BSS will support school notification obligations and act within applicable regulatory timeframes, including the 72‑hour standard under GDPR where relevant.
8. Individual Rights & School Responsibility
Data protection laws grant individuals specific rights, including access, correction, erasure, portability, and withdrawal of consent. BSS contracts directly with schools, not with parents, students, staff, or other individuals. Schools act as the primary data controllers for student and staff information and are responsible for obtaining appropriate consents and managing individual requests. BSS provides the technical tools that enable schools to fulfil these obligations.
9. Controller and Processor Roles
BSS acts as a data controller where it determines the purpose and means of processing personal data, such as managing customer accounts, authentication, billing, and support communications. BSS acts as a data processor when schools use the platform to manage student, staff, and boarding‑related data. In this role, BSS processes personal data strictly in accordance with customer instructions and configured controls.
10. Data Deletion & Service Exit
Upon service termination, schools may request a structured export of their data. Active customer data is then securely deleted, and backup copies are managed to expire under controlled lifecycle policies.
11. Continuous Improvement
BSS regularly reviews security practices, infrastructure updates, regulatory developments, and boarding‑sector requirements. Our security approach is aligned with internationally recognised standards but is not presented as a formal ISO certification.
12. Contact & Review
Schools may request a technical or regional review covering data residency, access controls, authentication policies, and deletion processes. Demonstration environments may be provided upon request.
