Security
Last updated: May 2026
Data Protection
- Encryption in transit using HTTPS/TLS.
- Encryption at rest for production data stores.
- Application-level encryption for sensitive participant notes, goals, NDIS numbers, admin notes, and document metadata.
- Private document storage with authenticated access.
- Business-scoped access controls to help keep provider data separated.
- Sensitive request logging controls for participant and case note data.
Account Security
- Managed authentication for identity and session handling.
- Self-serve multi-factor authentication support for users.
- Role-based permissions for users, clients, service streams, and documents.
- Rate limiting on authentication, API, mutation, and upload flows.
Monitoring And Response
- Audit events for sensitive record access and administrative actions.
- Security event logging for failed access and rate limit violations.
- Incident response and eligible data breach assessment processes.
- Backup and restore practices for production data.