ISO/IEC 27001 Certified

Student safety data deserves serious protection.

RollCall runs on an ISO 27001-certified information security management system, hosted in Australia on AWS, and independently audited, so schools and operators can rely on us with confidence.

ISO/IEC 27001:2022 certified by Equal Assurance
Independently certified

ISO/IEC 27001:2022

Information Security Management Systems
Certificate number: RLLQ01-CCER01
Certifying body: Equal Assurance (JAS-ANZ)
Scope: the design, development, maintenance and support of RollCall's Duty of Care and Route Planning applications
Validity: 9 October 2024 to 19 September 2027
Register: Public and verifiable
Verify on the Equal Assurance register
ISO 27001: Certified ISMS
AWS Sydney: Cloud infrastructure
Australian-hosted: Data stays onshore
SSL Labs A+: Encrypted in transit
WWCC vetted: Every team member
How your data is protected

Secure by design, end to end

Every tap a student makes travels through a hardened, encrypted path, from the bus, across a real-time channel, into a resilient Australian cloud, and out to the people who need it. Here is what that path looks like.

AWS Cloud · Sydney Region (ap-southeast-2)
01 · Capture
On the bus
Driver app
NFC tap-on / tap-off
Each scan is signed on-device and queued, even with patchy mobile coverage.
TLS 1.2+ encryption
Encrypted in transit
Data is encrypted every time it leaves the device. SSL Labs Grade A+.
02 · Edge
Protected perimeter
CloudFront CDN
Global edge delivery
Fast wherever you are, with auto-renewing certificates so encryption never lapses.
Web application firewall
AWS WAF
Filters out malicious traffic before it ever reaches our servers.
03 · Process
Real-time core
Live channel
AppSync · IoT Core
A dedicated real-time channel pushes each scan the moment it happens.
Compute
Fargate · Lambda
A private network, walled off from the public internet. Scales to 10,000s of scans a minute.
04 · Deliver
Stored and surfaced
Aurora RDS
Managed · multi-AZ
Managed, replicated and automatically backed up. A standby takes over on failure.
Admins and parents
Role-based access
The right people see the right data the moment it happens, and nothing more.
Availability Zone A · Availability Zone B · Availability Zone C: Physically separate data centres. If one has a problem, the others keep RollCall running.
Encrypted in transit: Every hop between device, app and database is encrypted, holding an SSL Labs A+.
Continuous monitoring: Watched around the clock, and every code change is scanned before it ships.
Built to be there at 7am: Auto-scales when the buses roll, across 100M+ student scans.
Security and data protection

How we protect your data, day to day

RollCall treats the safety data you entrust to us with the care it deserves: children's locations, times and routes. Here is what that looks like in practice.

Australian hosting and resilience

Your data runs on AWS in the Sydney region and never leaves it, governed by Australian law. We run across multiple, physically separate availability zones, so one data centre failing cannot take RollCall down.

Encryption and network protection

Data is encrypted every time it moves between a device, the app and our servers, holding an SSL Labs Grade A+. A web application firewall filters malicious traffic, and our servers sit inside a private network.

Testing and monitoring

We do not wait to be told about a problem. RollCall is watched continuously, and every month security specialists run a full penetration test, actively trying to break in so we can fix what they find.

Access and governance

Access follows least privilege: people reach only what their role requires, every account is individual, and every access is logged. Our Information Security Steering Committee reviews these controls every month.

People you can trust

Security is not only technical. Everyone who works on RollCall is vetted with a Working With Children Check and reference checks before they start, because the data we hold is about children.

Ready if it ever matters

If a breach ever occurred, we have a documented incident-response process ready to follow, and qualified third parties assess us independently, so nothing rests on a single person's memory.

AWS Asia Pacific (Sydney)
Region · ap-southeast-2
AZ a · AZ b · AZ c
Asia-Pacific schools
AWS data centre · Sydney (3 AZs)
Where your data lives

Your data never leaves Australia

Wherever a school sits, across Australia, New Zealand and the wider Asia-Pacific, its data is processed and stored in our AWS Sydney region, the same cloud platform trusted by banks, government agencies and hospitals, and governed by Australian law.

  • Sydney region, and nowhere else: Data is stored in ap-southeast-2 and never replicated offshore.
  • Multiple availability zones: Separate data centres in different locations keep you running through any single failure.
  • Managed, replicated, backed up: Databases are copied across zones and backed up automatically. A standby takes over if one has a problem.
Tested every month

We try to break in, before anyone else can

Certification is a floor, not a finish line. RollCall is probed, scanned and reviewed on a relentless monthly cadence, and audited independently across a three-year cycle.

  • 01 Monthly penetration testing: Security specialists actively attempt to break in, so we can fix what they find before anyone else does.
  • 02 Continuous threat monitoring: RollCall is watched around the clock. We do not wait to be told about a problem.
  • 03 Every code change scanned: Automated checks for known vulnerabilities run on every change before it ships.
  • 04 Monthly committee review: Our Information Security Steering Committee reviews controls and policy every single month.
Monthly
Full penetration test

An accredited, independent auditor re-checks us across a three-year cycle. Our certificate sits on a public register you can verify yourself.


24/7 Monitoring
3-yr Audit cycle
A+ SSL Labs
Integration partners

Connected to the systems schools already run

RollCall integrates directly with the major student information and payment systems used across Australia and New Zealand, and reaches the long tail through Wonde.

SIS / LMS, direct integrations: Real-time, two-way sync
TASS
Sentral
Veracross
Compass
FACTS
Everyone else, via Wonde: 100s more SIS providers
Wonde: Integration broker
Synergetic, Edumate, SEQTA, Engage, Maze, Civica, + many more
Payments: Fees and bus passes
Stripe
PayPal
Sticitt
Westpac PayWay
NAB
Single sign-on via SAML connects RollCall to virtually any identity provider, so staff sign in with the credentials they already use.
Microsoft 365, Google Workspace, PIPs by K12 Solutions
Trusted across ANZ

Relied on every school day

Schools and operators across Australia and New Zealand put student safety first with RollCall.

400+ Schools across ANZ
100M+ Student scans
99.9% Platform uptime

Rely on us with confidence

Book a free 45-minute demo and see how RollCall keeps student safety data, and every student, protected from 7am when the buses roll.