Security & Privacy

Built for trust from day one

Relay was designed and built in Australia, for Australian schools. Protecting your staff's personal information and your school's operational data is not an afterthought — it is foundational to how the platform works.

Designed and built in Australia. Relay is an Australian product, developed locally with Australian privacy law, school data governance requirements, and enterprise security standards in mind. Your data is stored in Australia and governed by Australian law.

Data sovereignty & hosting

All Relay data — including staff profiles, leave requests, and uploaded files — is stored on infrastructure located in Australia (AWS Sydney region). Data does not leave Australia for storage or processing under normal platform operation.

We do not sell, share, or transfer your school's data to third parties for any commercial purpose.

Australian Privacy Principles

Relay is designed to operate in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). Key commitments include:

  • Collection: We collect only the personal information necessary to operate the platform — name, contact details, role, and employment-related preferences. We do not collect sensitive identifiers such as tax file numbers or government IDs.
  • Use & disclosure: Personal information is used solely to facilitate the matching of relief teachers to leave requests within a school. It is not used for advertising, profiling, or disclosed to unrelated third parties.
  • Access & correction: Users can access and update their personal information directly within the platform at any time. Account deletion can be requested in-app.
  • Security: Reasonable technical and organisational measures are in place to protect personal information from unauthorised access, disclosure, or loss.
  • Cross-border disclosure: Personal data is not transferred outside Australia.

Who can access what

Access within Relay is strictly role-based. Every user is assigned one of three roles when they join, and the platform enforces what each role can see and do — not just at the application layer, but at the database level.

Each school's data is fully isolated at the database level. This isolation is enforced through Row Level Security (RLS) policies built directly into the database — meaning even a software bug in the application layer cannot expose one school's data to another.

Technical security measures

Relay is built with reference to the OWASP Top 10 — the industry-standard framework for web application security risks. Specific mitigations include:

Broken Access Control, Injection, Auth Failures, Cryptographic Failures, Security Misconfiguration
  • Encryption in transit: All communication between users and Relay is encrypted using TLS. Unencrypted HTTP connections are not accepted.
  • Encryption at rest: All data stored in the database and file storage is encrypted at rest by the underlying infrastructure.
  • Parameterised queries: All database interactions use parameterised queries via a managed client library, eliminating SQL injection risk.
  • Input validation: All data submitted to the platform is validated server-side against strict schemas before any database operation is performed.
  • Session security: Authentication sessions are managed using short-lived, cryptographically signed tokens stored in secure, httpOnly cookies — not in browser storage accessible to scripts.
  • Multi-factor authentication: Platform-level administrator access requires TOTP-based two-factor authentication, enforced at the API level.

File uploads

Teachers can attach lesson plans to leave requests. Uploaded files are accepted in PDF, Word document, and image formats, with a maximum size of 10 MB per file. Files are stored in isolated, access-controlled storage — they are not publicly accessible and require an authenticated session to retrieve.
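
One way a server could enforce the accepted formats and size limit described above, shown as an added example rather than Relay's own code. It assumes "10 MB" means 10 MiB, "image" means PNG or JPEG, and that the type is decided from file content; classify_upload, is_docx, build_zip and UploadRejected are hypothetical names.

```python
import io
import zipfile

MAX_BYTES = 10 * 1024 * 1024  # assumption: the page's "10 MB" read as 10 MiB
# Leading magic bytes of the accepted families (assumption: images are PNG/JPEG).
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",  # OLE2; magic shared with legacy .xls/.ppt
}

class UploadRejected(ValueError):
    """Raised when an upload is outside the accepted size or formats."""

def is_docx(data: bytes) -> bool:
    """A .docx is a ZIP holding word/document.xml; any other ZIP is refused."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return {"[Content_Types].xml", "word/document.xml"} <= names

def classify_upload(data: bytes) -> str:
    """Return the detected type or raise; filename and Content-Type are ignored."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected("larger than 10 MB")
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data.startswith(b"PK\x03\x04") and is_docx(data):
        return "docx"
    raise UploadRejected("not a PDF, Word document or image")

def build_zip(names) -> bytes:
    """Build a constructed ZIP with the given member names (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "<x/>")
    return buf.getvalue()
```
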

Account access & deletion

Users can update their personal information at any time from within the platform. Relief teachers can request account deletion directly from their preferences page. All deletion requests result in the permanent removal of personal information from the platform.