Student safety data deserves serious protection.
Trusted by more than 300 schools and bus operators, RollCall runs on an ISO 27001-certified information security management system, hosted in Australia on AWS and independently audited, so schools and operators can rely on us with confidence.
Last reviewed: 4 July 2026

ISO/IEC 27001:2022
- Certificate number
- 2024-14922
- Certifying body
- Sustainable Certification (JAS-ANZ)
- Scope
- the design, development, maintenance and support of RollCall's Duty of Care and Route Planning applications
- Validity
- 9 October 2024 to 19 September 2027
- Register
- Public and verifiable
Secure by design, end to end
Every tap a student makes travels through a hardened, encrypted path, from the bus, across a real-time channel, into a resilient Australian cloud, and out to the people who need it. Here is what that path looks like.
How we protect your data, day to day
RollCall treats the safety data you entrust to us with the care it deserves: children's locations, times and routes. Here is what that looks like in practice.
Australian hosting and resilience
Your data runs on AWS in the Sydney region and never leaves it, governed by Australian law. We run across multiple, physically separate availability zones, so one data centre failing cannot take RollCall down.
Encryption and network protection
Data is encrypted every time it moves between a device, the app and our servers, holding an SSL Labs Grade A+. A web application firewall filters malicious traffic, and our servers sit inside a private network.
Testing and monitoring
We do not wait to be told about a problem. RollCall is watched continuously, and every month security specialists run a full penetration test, actively trying to break in so we can fix what they find.
Access and governance
Access follows least privilege: people reach only what their role requires, every account is individual, and every access is logged. Our Information Security Steering Committee reviews these controls every month.
People you can trust
Security is not only technical. Everyone who works on RollCall is vetted with a Working With Children Check and reference checks before they start, because the data we hold is about children.
Ready if it ever matters
If a breach ever occurred, we have a documented incident-response process ready to follow, and qualified third parties assess us independently, so nothing rests on a single person's memory.
Asia-Pacific region. Data is processed in AWS Sydney.
Your data never leaves Australia
Wherever a school sits, across Australia, New Zealand and the wider Asia-Pacific, its data is processed and stored in our AWS Sydney region, the same cloud platform trusted by banks, government agencies and hospitals, and governed by Australian law.
- Sydney region, and nowhere elseData is stored in ap-southeast-2 and never replicated offshore.
- Multiple availability zonesSeparate data centres in different locations keep you running through any single failure.
- Managed, replicated, backed upDatabases are copied across zones and backed up automatically. A standby takes over if one has a problem.
We try to break in, before anyone else can
Certification is a floor, not a finish line. RollCall is probed, scanned and reviewed on a relentless monthly cadence, and audited independently across a three-year cycle.
- 01Monthly penetration testingSecurity specialists actively attempt to break in, so we can fix what they find before anyone else does.
- 02Continuous threat monitoringRollCall is watched around the clock. We do not wait to be told about a problem.
- 03Every code change scannedAutomated checks for known vulnerabilities run on every change before it ships.
- 04Monthly committee reviewOur Information Security Steering Committee reviews controls and policy every single month.
An accredited, independent auditor re-checks us across a three-year cycle. Our certificate sits on a public register you can verify yourself.
Independently penetration tested, findings resolved on the clock
RollCall's security is verified by parties who do not work for us. Independent testers try to break in, an accredited body audits our ISMS, and we hold ourselves to published response windows for anything they find.

A recent independent penetration test by Borderless CS returned no critical findings. The identified highs were resolved within the mandated two-week window, and mediums and lows within one month.
Independent penetration testing by Borderless CS
Our response-window commitments
When testing raises a finding, we commit to resolving it inside these windows, by severity.
- High severityResolved within 2 weeks
- Medium severityResolved within 1 month
- Low severityResolved within 1 month
ST4S approved in Victoria
RollCall is approved under Safer Technologies 4 Schools (ST4S) in Victoria, the framework that helps schools choose technology providers that meet a consistent security and privacy bar. National accreditation is in progress.
Connected to the systems schools already run
RollCall integrates directly with the major student information and payment systems used across Australia and New Zealand, and reaches the long tail through Wonde.
Relied on every school day
Schools and operators across Australia and New Zealand put student safety first with RollCall.
Sources: AWS production analytics; RollCall customer records; RollCall company records; AWS CloudWatch. Last reviewed 3 July 2026
Download our certifications and compliance
Review the standards we hold ourselves to. Everything below is current and ready to share with your IT, procurement or risk team.
Certification and compliance3 documents
Case studies2 documents
Questions IT and procurement teams ask
The security and compliance questions we hear most often from evaluators. Need something not covered here? Ask us and we'll answer in writing.
Rely on us with confidence
Book a free 45-minute demo and see how RollCall keeps student safety data, and every student, protected from 7am when the buses roll.
