Trust

Security & data residency

Effective 20 May 2026. This page is provided for transparency on our public website; your organisation's subscription agreement governs product use.

Security approach

HealthOS is designed for Australian health, disability, and aged care providers. We apply defence-in-depth: tenant isolation by organisation, encrypted clinical fields at rest, role-based access, audit logging, and Australian data residency.

Hosting and residency

Production workloads run in Australia (ap-southeast-2 primary, ap-southeast-4 disaster recovery). Organisations read timezone, currency, and locale from their own record — not from hardcoded defaults.

Authentication and access

Staff access uses modern session-based authentication. Support workers use mobile-only access; sensitive clinical content is restricted by role and program. Representative permissions for family portals are granular, not all-or-nothing.

AI and external services

HealthOS Intelligence uses governed prompts with human review before participant-facing publication. Clinical note bodies and certain encrypted fields are not sent to external AI APIs. Usage is logged for audit and billing.

Vulnerability disclosure

If you believe you have found a security issue, contact HealthOS through the sales phone or demo request form on this site with enough detail for us to reproduce the issue. Please allow reasonable time for remediation before public disclosure.

Compliance alignment

Customers remain responsible for their regulatory obligations (NDIS Practice Standards, Aged Care Quality Standards, Privacy Act, etc.). HealthOS provides tooling and evidence exports; certification of your organisation is your responsibility.

For procurement & quality teams

Request the HealthOS Trust Pack

One document covering security architecture, data residency (AWS Sydney primary, Melbourne disaster recovery), Essential Eight ML2 control mapping, AI governance and pseudonymisation, restrictive-practice audit semantics, vulnerability disclosure programme, and the upcoming SOC 2 Type 1 audit timeline. It is the same document that procurement officers and Quality Managers ask for before approving a healthcare software change.

  • Australian data residency evidence (Sydney + Melbourne DR)
  • Essential Eight ML2 control mapping
  • AI governance & pseudonymisation framework
  • Restrictive-practice insert-only data semantics
  • SOC 2 Type 1 audit timeline (Q4 2026)
  • Vulnerability disclosure programme

Delivered as PDF within one business day. We update the Trust Pack quarterly and on material control or certification changes.