# Moirai Governance Procurement Brief

Last updated: 8 May 2026

## What Moirai Governance Is

Moirai Governance is governance infrastructure for Australian diagnostic imaging practices using or evaluating clinical AI. It helps a practice maintain evidence-ready records for AI tools, reviews, evidence gaps, incidents, board reporting, and public verification.

Moirai Governance is not intended to diagnose, triage, interpret images, monitor patients, recommend treatment, or replace clinician judgment under its current scope.

## Primary Buyer Job

When an insurer, board, regulator, or medico-legal reviewer asks how the practice governed its AI tools, the practice needs a sealed evidence file rather than scattered documents.

## Core Evidence Surfaces

- AI Risk Register with owner, use case, regulatory status, risk summary, evidence gaps, incident count, and next review.
- Evidence Vault for governance documents, policies, vendor evidence, approval records, and review artefacts.
- Decision Packs with hash-chained event evidence.
- Governance Snapshot and Gap Analysis reports with public-verification metadata.
- Public verifier at `/verify` for report fingerprints and decision-pack chain metadata.

## Security Posture

- Primary governance database and storage are hosted in Sydney, Australia (`ap-southeast-2`) on Supabase managed Postgres.
- Sessions use Supabase Auth with httpOnly cookies.
- App data is scoped by practice-level Row Level Security.
- API routes enforce server-side permission checks.
- Decision-pack events are append-only and hash-chained.
- Public verification returns PHI-excluding metadata only.
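The two list items above (append-only hash-chained decision-pack events, and a public verifier that exposes metadata only) are easiest to assess with a concrete model of what a buyer's reviewer would check. The following is an added illustration written for this brief, not Moirai's own code or schema: the event fields, the SHA-256 chaining rule, the allow-listed verification view and the sample events are all assumptions. It shows that editing any past event breaks the chain at that point, that re-hashing the edited event only moves the break to its successor, and that the verification view carries no payload content beyond the allow-listed fields.

```python
import hashlib
import json

# Constructed example. Field names, chaining rule and sample events are
# assumptions for illustration, not Moirai's implementation.
GENESIS = "0" * 64                    # prev_hash of the first event
PUBLIC_PAYLOAD_FIELDS = ("event_type",)  # the only payload keys a verifier exposes


def canonical(obj) -> bytes:
    """Stable JSON encoding so the same event always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def event_hash_of(event: dict) -> str:
    """Hash over the fields that define the event, excluding its own hash."""
    body = {k: event[k] for k in ("seq", "prev_hash", "payload")}
    return hashlib.sha256(canonical(body)).hexdigest()


def append_event(chain: list, payload: dict) -> dict:
    """Append-only: each event commits to the hash of its predecessor."""
    prev = chain[-1]["event_hash"] if chain else GENESIS
    event = {"seq": len(chain), "prev_hash": prev, "payload": payload}
    event["event_hash"] = event_hash_of(event)
    chain.append(event)
    return event


def verify_chain(chain: list) -> tuple:
    """Return (True, length) if intact, else (False, index of first bad event)."""
    prev = GENESIS
    for i, event in enumerate(chain):
        if event["seq"] != i or event["prev_hash"] != prev:
            return False, i
        if event_hash_of(event) != event["event_hash"]:
            return False, i
        prev = event["event_hash"]
    return True, len(chain)


def public_verification_view(chain: list) -> dict:
    """Metadata a public verifier could return: hashes and allow-listed fields only."""
    ok, n = verify_chain(chain)
    return {
        "chain_valid": ok,
        "event_count": n,
        "head_hash": chain[-1]["event_hash"] if chain else GENESIS,
        "events": [
            {
                "seq": e["seq"],
                "event_hash": e["event_hash"],
                **{k: e["payload"][k] for k in PUBLIC_PAYLOAD_FIELDS if k in e["payload"]},
            }
            for e in chain
        ],
    }


def build_sample_chain() -> list:
    """Constructed decision-pack events; names and values are placeholders."""
    chain = []
    append_event(chain, {"event_type": "tool_registered",
                         "tool": "example-triage-model", "owner": "governance-lead"})
    append_event(chain, {"event_type": "review_completed",
                         "reviewer": "clinical-lead", "outcome": "approved"})
    append_event(chain, {"event_type": "incident_logged",
                         "summary": "vendor evidence gap found at review"})
    return chain


if __name__ == "__main__":
    sample = build_sample_chain()
    print(verify_chain(sample))                       # (True, 3)
    sample[1]["payload"]["outcome"] = "rejected"      # silent edit of history
    print(verify_chain(sample))                       # (False, 1)
    print(json.dumps(public_verification_view(build_sample_chain()), indent=2))
```

The design point a reviewer should look for: the hash of each event covers the previous event's hash, so tampering must either leave a hash mismatch or re-hash every later event, which an independently held copy of the head hash (for instance, a fingerprint printed in a report) exposes. Whether the real verifier behaves like this is something to confirm from the public verifier and the procurement pack rather than from this illustration.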

## Current Limits

- Moirai Governance itself does not yet hold SOC 2 or ISO 27001 certification.
- Independent penetration testing is planned but not yet complete.
- Product policy prohibits PHI uploads. The product is designed for governance metadata and evidence records, not patient records.
- External certification should not be inferred from Moirai-generated evidence status.

## Sub-Processors

- Supabase: database, authentication, storage.
- Vercel: hosting, edge network, serverless functions.
- Stripe: payment processing and subscription billing.
- Sentry: error tracking and performance monitoring.
- PostHog: product analytics and feature flags.
- Resend: transactional email.
- Anthropic: AI-generated governance content. Patient data must not be sent.

## Documents To Review

- Procurement pack: `/procurement`
- Procurement PDF: `/api/procurement/pack.pdf`
- Data Processing Agreement: `/legal/dpa`
- Privacy Policy: `/privacy`
- Terms of Service: `/terms`
- Buyer sample pack: `/sample-pack`
- Clinical governance buyer page: `/buyers/clinical-governance`
- Insurer buyer page: `/buyers/insurers`
- Trust evidence room: `/trust`
- Public verifier: `/verify`

## Commercial Entry Path

Qualified practices start with a one-off AI Governance Gap Assessment at AUD 4,990. The assessment fee is credited against the annual SaaS subscription if the customer signs within 45 days.

Annual plans:

- Growth: AUD 12,000 per year.
- Scale: AUD 36,000 per year.
- Network: AUD 96,000 per year.
- Enterprise: from AUD 180,000 per year.

## Review Contact

Security and procurement requests: security@moirai.health
