Renewable Energy Engineering Simulation
6 terrain types from coastal waters to arid desert, each affecting your energy output differently
Weather storms, regulatory changes and terrain shifts keep every round unpredictable
Configure your budget, difficulty, round count and scenario modifiers before every simulation
Multi-factor scoring across energy output, demand satisfaction, budget and sustainability
Configure budget, difficulty, round count and scenario modifiers
Place energy assets across terrain zones to maximise power output
Watch your decisions play out across dynamic rounds with live events
A renewable energy engineering simulation platform developed for academic and professional training in sustainable infrastructure planning.
Power Pioneers was commissioned by Vanko Group / RPL Group as part of an academic engineering project. It simulates real-world challenges faced by renewable energy project leads - terrain constraints, weather volatility, grid infrastructure, and budget management.
This project demonstrates systems integration across full-stack web development, relational database design, and simulation modelling. Submitted as part of an engineering degree programme assessed by Vanko Group / RPL Group.
Power Pioneers is committed to protecting your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
This policy explains what personal information Power Pioneers collects, how it is used, who it is shared with, how it is protected, and the rights you have over your data. Power Pioneers is operated as an engineering project commissioned by Vanko Group. By creating an account or using the platform, you consent to the practices described below.
Username, email address, and password (stored only as a one-way bcrypt hash - never in plain text). Optional role designation (student / admin).
Simulation sessions, asset placements, zone connections, terrain selections, round outcomes, scores, and timestamps. This data exists to power the leaderboard, progress tracking, and your personal history.
IP address, browser type, device type, and timestamps of access - collected automatically by AWS CloudFront and CloudWatch logs for security and operational monitoring.
If you submit the contact form, we collect the name, email, and message you provide. This is delivered to our admin inbox via Amazon SES for the sole purpose of responding to your enquiry.
Your account data and gameplay records let you log in, resume sessions, view your scores, and appear on the leaderboard. Without this data the platform cannot function.
Technical data (IP, request logs) is used to detect abuse, throttle malicious traffic via AWS WAF, and investigate security incidents. Retention of these logs is limited to what is required for incident response.
Anonymised, aggregate statistics (e.g. total games played, average score, asset deployment patterns) may be used to improve the platform. Individuals are never identifiable in aggregate analytics.
Contact form submissions are used solely to reply to your message. We do not use them for marketing, profiling, or onward disclosure.
Data is hosted on Amazon Web Services infrastructure (Sydney region - ap-southeast-2). AWS acts as a data processor under our control. No data leaves AWS-controlled regions without an APP 8 cross-border assessment.
Weather data is fetched from the Open-Meteo public API. Only generic geographic coordinates are sent - no user identifiers, no account data, no IP-linked requests.
We do not sell, rent, or share personal information with advertisers, data brokers, or any party outside the operational service providers listed in this policy.
You may request a copy of the personal information we hold about you at any time, free of charge, by emailing the address below.
If any data we hold about you is inaccurate, outdated, or incomplete, you may request that we correct it. Updates are applied within 30 days of a verified request.
You may request deletion of your account and associated gameplay data. Anonymised aggregate statistics may be retained where individual identity has been irreversibly removed.
If you believe we have breached the APPs, you may complain to us directly, and escalate unresolved complaints to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Account and gameplay data is retained while your account remains active and for up to 12 months after deletion, after which it is permanently removed from primary databases and backups. Security logs are retained for up to 90 days. Contact form messages are retained only as long as required to resolve the enquiry.
All data is encrypted in transit (TLS 1.3) and at rest (AES-256 via AWS RDS / S3). Passwords are stored as bcrypt hashes only. The application sits behind AWS WAF and AWS Shield Standard. For full technical detail, see the Cyber Security page.
For any privacy-related request - access, correction, deletion, or complaint - email admin.powerpioneers@gmail.com. We will acknowledge your request within 7 business days and respond substantively within 30 days.
Power Pioneers is engineered with a multi-layered security posture spanning network, application, data, identity, and monitoring controls - built on AWS managed services.
We operate under a defence-in-depth model: no single control is trusted to secure the platform. Network, application, data, and identity layers each enforce independent protections, so the compromise of any one layer does not cascade. Where AWS managed services provide a hardened, audited primitive (WAF, KMS, IAM, RDS encryption), we prefer them over self-managed equivalents.
All inbound traffic passes through AWS WAF with managed rule sets for the OWASP Top 10 - SQL injection, XSS, command injection, path traversal, and known-bad bot signatures are blocked at the edge before reaching the application.
AWS Shield Standard provides always-on DDoS mitigation at the network and transport layers, absorbing volumetric attacks before they reach application infrastructure.
Static assets are served via Amazon CloudFront with origin shielding. The origin server is not directly internet-accessible - only CloudFront's signed-edge fingerprint can reach it.
WAF rate-based rules cap requests per source IP. Sensitive endpoints (login, registration, contact form) carry tighter per-route limits to defeat credential stuffing and form abuse.
TLS 1.3 is enforced end-to-end via AWS Certificate Manager (ACM). HSTS headers prevent protocol downgrade. No HTTP fallback is exposed.
Every server endpoint validates payload shape, type, and length before touching the database. Parameterised SQL queries eliminate injection vectors regardless of input.
Passwords are hashed with bcrypt (cost factor 12) before storage. Plain-text passwords never persist anywhere - not in logs, not in memory beyond the request, not in backups.
Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers are applied to all responses, blocking clickjacking, MIME sniffing, and information leakage.
The MySQL database runs on Amazon RDS with AES-256 encryption at rest via AWS KMS. Encryption keys are rotated annually. Database snapshots, automated backups, and read replicas inherit the same encryption. S3 buckets storing assets use SSE-KMS.
TLS 1.3 with strong cipher suites is enforced for every external connection. Internal AWS-to-AWS traffic (app → RDS, app → SES) is encrypted using AWS-managed certificates inside the VPC.
Database credentials, API keys, and SES credentials are stored in AWS Secrets Manager and injected at runtime. No long-lived secrets exist in the codebase, .env files, or container images.
Automated daily RDS backups run with 7-day point-in-time recovery. Backups are encrypted and stored in a separate AWS account to protect against accidental deletion or ransomware-style attacks on primary infrastructure.
Application services authenticate to AWS using IAM roles, not long-lived access keys. Temporary credentials are rotated automatically every few hours by AWS STS.
Every IAM policy follows the principle of least privilege - services receive the narrowest possible permission set, scoped to specific resources and actions.
All administrative access to the AWS console and infrastructure requires multi-factor authentication. Root credentials are sealed and used only for break-glass scenarios.
User sessions are signed, time-limited, and invalidated on logout or password change. Session tokens are stored with HttpOnly, Secure, and SameSite=Lax flags.
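A way to check the HSTS, response-header and session-cookie controls described above against a real response, as an added example (not Power Pioneers' own code). The cookie name `session` and both sample responses are assumptions constructed for illustration; SameSite=Strict is accepted as at least as strict as the stated Lax.

```python
import re
# Headers the page says are applied to all responses (HSTS plus the four named).
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options", "referrer-policy")

def audit_response(headers, session_cookie="session"):
    """Return sorted findings for one response; an empty list means it passes.
    `session_cookie` is an assumed cookie name, not taken from the page."""
    findings, seen, cookies = [], {}, []
    for name, value in headers:
        key = name.strip().lower()
        if key == "set-cookie":
            cookies.append(value)      # may legitimately repeat, keep all
        else:
            seen[key] = value.strip()
    findings += [f"missing header: {k}" for k in REQUIRED if k not in seen]
    hsts = seen.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if not m or int(m.group(1)) == 0:   # max-age=0 switches HSTS off
            findings.append("hsts: max-age absent or zero")
    if seen.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options: value is not nosniff")
    for raw in cookies:
        parts = [p.strip() for p in raw.split(";") if p.strip()]
        cname = parts[0].split("=", 1)[0] if parts else ""
        if cname != session_cookie:
            continue                   # only the session token is in scope
        attrs = {p.partition("=")[0].lower(): p.partition("=")[2].lower()
                 for p in parts[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cname}: missing {flag}")
        if attrs.get("samesite") not in ("lax", "strict"):
            findings.append(f"cookie {cname}: SameSite weaker than Lax")
    return sorted(findings)

# Constructed sample responses (not captured from the real site).
GOOD = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Frame-Options", "DENY"), ("X-Content-Type-Options", "nosniff"),
        ("Referrer-Policy", "no-referrer"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax")]
BAD = [("Strict-Transport-Security", "max-age=0"),
       ("X-Content-Type-Options", "nosniff"),
       ("Set-Cookie", "session=abc123; Path=/; Secure; SameSite=None"),
       ("Set-Cookie", "theme=dark; Path=/")]
if __name__ == "__main__":
    print(audit_response(GOOD), audit_response(BAD))
```

Feed it the header pairs from any HTTP client (for example `response.getheaders()` from `http.client`) to run the same check in CI or a scheduled probe.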
Every API call against AWS resources is logged to CloudTrail and retained for audit. Unauthorised or anomalous actions trigger automated alerts.
Application logs, request rates, error rates, and resource utilisation stream into CloudWatch. Threshold alarms page the on-call operator for anomalies in real time.
Amazon GuardDuty continuously analyses VPC flow logs, DNS logs, and CloudTrail for known threat patterns - port scans, crypto-mining, credential exfiltration, and known-bad IPs.
Documented runbooks govern containment, eradication, and recovery for credential compromise, data exposure, and DDoS events. Post-incident review feeds back into hardening.
If you discover a security vulnerability, please report it privately to admin.powerpioneers@gmail.com before disclosing it publicly. We commit to acknowledging your report within 72 hours and providing a remediation timeline. Researchers acting in good faith will not be subject to legal action.