Security
Security at Moirai
Healthcare-grade infrastructure for governance data. Built for Australian healthcare from day one, with encryption, data residency, and access controls that meet the bar your practice demands.
256-bit
Encryption
99.9%
Uptime SLA
Australia
Data residency
SOC 2 ready
Assurance
No PHI stored or processed
Moirai tracks governance metadata — not patient data. No Protected Health Information enters the platform.
How we protect your data
Every layer of the Moirai stack is designed with security as a constraint, not an afterthought.
Encryption
All data is encrypted at rest and in transit. Backups are encrypted with separate key management to ensure defence in depth.
- AES-256 encryption at rest
- TLS 1.3 for all data in transit
- Encrypted automated backups
- Key rotation and management
Data Residency
Your governance data stays in Australia. Primary infrastructure runs in the Sydney region with full Australian jurisdictional control.
- Primary data in Sydney (ap-southeast-2)
- Supabase managed Postgres in AU
- Australian Privacy Act jurisdiction
- No data transfer outside AU without consent
Access Control
Every query is scoped to your practice. Row Level Security ensures complete data isolation between organisations at the database level.
- Row Level Security (RLS) on all tables
- Practice-scoped data isolation
- Supabase Auth with cookie-based sessions
- Role-based access control (RBAC)
Infrastructure
Built on battle-tested managed infrastructure with automated failover, backups, and protection against common attack vectors.
- Vercel edge network with global CDN
- Supabase managed Postgres with HA
- Automated daily backups with PITR
- DDoS protection and WAF
Assurance
Moirai is designed to support Australian healthcare governance obligations. Formal security certifications remain on the roadmap.
- Designed with SOC 2 principles
- Mapped to Australian Privacy Act obligations
- CAIOS-aligned governance controls
- Third-party security audits on the roadmap
Incident Response
A documented incident response plan with clear escalation paths. We notify affected practices within 72 hours per the Notifiable Data Breaches scheme.
- 24-hour incident response SLA
- NDB scheme: 72-hour breach notification
- Dedicated security response team
- Post-incident review and disclosure
Data handling
Your governance data stays under your control. We store only what is needed and give you full export and deletion capabilities.
Data residency
All governance data stored in Sydney, Australia (ap-southeast-2). Full Australian jurisdictional control.
Data portability
Full export of your data in JSON and CSV formats at any time. Your data is yours.
Data retention
Configurable retention policies. Data preserved for 30 days after account cancellation.
No third-party sharing
Your governance data is never shared with third parties beyond essential service providers listed below.
Sub-processors
A transparent list of third-party services that process data on behalf of your practice.
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, storage |
| Vercel | Hosting, edge network, serverless functions |
| Stripe | Payment processing, subscription billing |
| Sentry | Error tracking, performance monitoring |
| PostHog | Product analytics, feature flags |
| Resend | Transactional email delivery |
| Anthropic | AI-generated governance content (no patient data sent) |
Regulatory mapping
Built to organise evidence against Australian healthcare obligations with a clear path to independent security certifications.
Australian Privacy Act 1988
OAIC APP Guidelines
CAIOS Framework
RANZCR Ch. 9 Aligned
SOC 2 Type II
ISO 27001
Built on
Next.js
Supabase
Vercel
Anthropic
StripeResponsible disclosure
Found a vulnerability? We take security reports seriously and respond to every submission. Please disclose responsibly by emailing our security team directly.
security@moirai.healthTalk to us about security.
Our team is ready to walk through our security posture, provide documentation, or discuss custom requirements for your practice.