Compliance

Junipa is designed and operated to meet the security and privacy requirements of Australian schools.

Regulatory Framework

Regulation	Status
Privacy Act 1988 (Cth)	Compliant. Privacy policy published, APPs followed.
Australian Privacy Principles (APPs)	Compliant. PIA conducted.
Notifiable Data Breaches (NDB) scheme	Compliant. Incident Response and Data Breach Response Plans in place.
Disability Discrimination Act 1992	Platform supports NCCD compliance obligations.
ST4S (Safer Technologies 4 Schools)	Assessment in progress.

Junipa has undergone security assessment as part of the BusySchools contract engagement, including:

UpGuard security scan (December 2025) -- CSP headers, DMARC, and security headers implemented
Content Security Policy -- Restricts external resource loading across all Junipa domains
HMAC authentication -- API-to-API calls authenticated with HMAC-SHA256 signatures
Rate limiting -- API endpoints protected against abuse
Audit logging -- All API requests logged to Firestore

Dependency scanning: npm audit and GitHub Dependabot monitor for vulnerable packages
Remediation SLAs: Critical within 24 hours, High within 7 days, Medium within 30 days
Responsible disclosure: Report vulnerabilities to privacy@vastpuddle.com.au

Coverage	Amount	Provider
Professional Indemnity	$5,000,000	CGU (Insurance Australia Limited)
Broadform Liability	$20,000,000	CGU (Insurance Australia Limited)

Policy period: 23 October 2025 to 23 October 2026.

All data is stored in Google Cloud Platform's Sydney region (australia-southeast1). Google Cloud Platform holds SOC 2 and ISO 27001 certifications.

No personal information leaves Australia.

The following compliance documents are available on request:

Contact info@junipa.com.au to request any of these documents.