Enterprise-grade. Hosted in your jurisdiction.
Built with the seriousness a medical platform demands. Compliance, sovereignty, and uptime aren't features — they're the floor.
Patient data does not leave its jurisdiction.
Australian clinics are hosted in AWS Sydney (ap-southeast-2). United States clinics in us-east-1. UK clinics in AWS Ireland. The choice of region is made at clinic provisioning and cannot be moved without an explicit data-migration request from the customer.
When we run vendor processors (telephony carriers, payment processors), they are bound by contract to the same residency requirement. We will not engage a vendor that cannot meet the customer's jurisdiction.
See our Privacy Policy for the detailed APP statement.
The frameworks we operate against.
Australian Privacy Act 1988 (Cth) — including the Australian Privacy Principles and the Notifiable Data Breaches scheme.
HIPAA — for customers in the United States. Business Associate Agreements signed before any covered data is processed.
UK GDPR / EU GDPR — for customers in the UK and EU, with Standard Contractual Clauses where applicable.
ISO 27001 — audit in progress; targeted Q4 2026.
SOC 2 Type II — observation period began Q2 2026; report targeted Q1 2027.
The floor, in specifics.
Encryption (in transit and at rest): TLS 1.2+ for all network traffic. AES-256 for data at rest. No data leaves a managed boundary without encryption.
Access control (least privilege by default): Role-based access; MFA enforced on every administrative account. Audit log of every access and every change.
Network (private by default): Services run in private subnets. Public endpoints are limited, rate-limited and WAF-protected.
Monitoring (continuous and reviewed): Logging, anomaly detection, and on-call response. Security review of operational events at least weekly.
Backup & recovery (tested, not assumed): Encrypted backups with point-in-time recovery. Restoration tested quarterly against the runbook.
Vulnerability management (patch, scan, test): Automated dependency scanning, infrastructure scanning, and annual independent penetration testing.
What happens if something goes wrong.
We run a documented incident response playbook with on-call coverage. If a notifiable data breach occurs, we notify the affected clinic within 24 hours and meet the obligations of Part IIIC of the Privacy Act 1988 (Cth) for notification to affected individuals and to the OAIC.
Customers can report a security concern through our contact form. Our responsible-disclosure policy is included in the response we send.
Join us in building the triage layer modern healthcare deserves.
Book a 30-minute demo with a clinical engineer. We'll walk through TriageVoice, TriageChat, and TriageFlow with your call data and answer everything compliance-related upfront.