The safety and security of student and educator personal information is a top priority.
We engage certain third-party service providers that act as subprocessors, supporting the performance, analytics, delivery, communication, and optimisation of the CARS & STARS Online platform. These providers may collect or process information that could reasonably identify individuals, such as IP addresses or user behaviour data. This supports our ability to deliver, maintain and enhance our digital service for our school and system customers.
We follow a strict information security program that includes due diligence of these third-party providers to ensure that:
- Any provider accessing or processing personal data does so under binding confidentiality terms and data privacy obligations.
- Access to information is limited to what is necessary to perform their role in support of our platform.
- All subprocessors meet our internal security standards and comply with applicable laws.
Our education customers remain the owners and controllers of student data. We are responsible for how any subprocessors access and process that data, and ensure it is only used to support and deliver CARS & STARS Online.
Note: Optional service integrations that customers connect using their own accounts, for example a school embedding its own third-party payment provider into a school-managed form, are not our sub-processors. Only providers we engage to support CARS & STARS Online are listed here.
Below is a list of third-party service providers used by CARS & STARS Online, with a summary of what they do and the type of data they collect:
| Service Provider (Subprocessor) | Purpose | Data Collected | Location |
|---|---|---|---|
| Microsoft Azure (azure.microsoft.com) | Web hosting and infrastructure services including secure database storage | Name, contact details, gender, year of birth, transaction information, IP addresses, session identifiers, user authentication data, device and browser metadata, access logs | Australia East (Sydney), Australia Southeast (Melbourne) |
| Google Analytics (google-analytics.com) | Web analytics | Anonymised IP address, device and browser info, visited pages, session duration, clickstream, location (IP-based) | USA |
| Google Tag Manager (googletagmanager.com) | Tag management and analytics loading | Tag events (e.g. page views, button clicks), browser/device metadata, indirectly loads other analytics tools | USA |
| Azure CDN (cso.azureedge.net) | Content Delivery Network (for static content) | File access logs (e.g. CSS, images) | Australia, USA |
| Microsoft Clarity (clarity.ms) | Session behaviour analytics | Session behaviour analytics. Session replays with input fields masked, click heatmaps, scroll depth, anonymised IP, screen resolution, browser and device info | USA, EU |
| c.bing.com (Microsoft) (c.bing.com) | Behavioural telemetry endpoint used by Microsoft Clarity | Anonymised behavioural data (e.g. session ID, click path) | USA |
| Statcounter (statcounter.com) | Visitor traffic analysis | Anonymised IP address, visit path, returning visitor tracking, device and browser data, referral source | Ireland (EU), USA |
| Mailchimp (mailchimp.com) | Email campaign delivery and analytics | Email address, name (if supplied), engagement metrics (opens, clicks), location (IP-based), device type | USA (Atlanta) |
| Zendesk (zendesk.com) | Providing customer support services and managing help centre requests | Name, email address, support messages, account details | Australia / United States |
| Xero (xero.com/au/) | Issuing invoices and processing payments made through Xero’s secure payment facility | Name, organisation, email address, billing address, invoice details. CARS & STARS Online does not collect or store credit card information | USA |
| Shopify (Shopify Inc.) (shopify.com) | E-commerce storefront for CARS & STARS Online purchases via hb-digital.com.au | Name, email, billing address, order details; stores order/transaction metadata; checkout pages are hosted by Shopify. | Canada and the United States |
| eWAY (Global Payments AU) (eway.com.au) | Card payment gateway used for CARS & STARS Online purchases completed via hb-digital.com.au and/or Xero's payment facility | Name, organisation, email address, billing address, invoice details. Cardholder name, card number, expiry, CVV entered directly into eWAY/Xero’s secure pages; CARS & STARS Online platform does not collect or store credit card information. | Australia |
| Rackspace US, Inc. (rackspace.com) | Email delivery service | Name, email address, email content metadata (subject line, recipient, delivery status) | USA |
| Mailgun Technologies, Inc. (Sinch Email) (mailgun.com) | Transactional email delivery for service and account communications (e.g. account activation, password resets, system notices, billing/renewal emails) and teacher-initiated sending of student reports to parents/guardians; bounce/complaint handling; optional deliverability events (opens/clicks) if enabled. | Sender/recipient names and email addresses (school staff and parents/guardians); email subject/body; attached student reports (may include student name, class, assessment results); message metadata/headers (timestamps, Message-ID); delivery diagnostics (bounces, complaints); optional engagement events (opens/clicks) if enabled. | US region — data processed/stored by Mailgun in the US per domain/region configuration. |
| Close (close.com) | Customer Relationship Management (CRM) | Name, organisation, email address, phone number, notes, communication history | USA |

We regularly review the use and necessity of these providers to ensure continued alignment with privacy obligations and educational standards. If you have any questions or concerns about our use of sub-processors, please contact us at support@hb-digital.com.au.