Trust Center
Security you can verify
Security architecture, data handling, sub-processors, and documentation. Transparent and always up to date. See /standards for clinical regulatory mapping.
AES-256
Encryption
99.9%
Uptime SLA
Australia
Data Residency
72 hrs
Breach Notice
No PHI stored or processed
Moirai tracks governance metadata, not patient data. No Protected Health Information enters the platform.
Regulatory mapping
Built to organise evidence against Australian healthcare obligations, with a clear path to independent security certifications.
Australian Privacy Act 1988
OAIC APP Guidelines
RANZCR Ch. 9 Aligned
AHPRA AI guidance
TGA SaMD requirements
Safety & Quality Commission AI Clinical Use Guide
NIST Cybersecurity Framework
ISO 27001
Recognised standards
RANZCR
TGA
AHPRA
NHMRC
NATASecurity controls
Every layer of the Moirai stack is designed with security as a constraint, not an afterthought.
Encryption
- AES-256 encryption at rest
- TLS 1.3 in transit
- Encrypted automated backups
- Key rotation and management
Data Residency
- Primary data in Sydney (ap-southeast-2)
- Supabase managed Postgres in AU
- Australian Privacy Act jurisdiction
- No transfer outside AU without consent
Access Control
- Row Level Security on all tables
- Practice-scoped data isolation
- Cookie-based auth sessions
- Role-based access control (RBAC)
Infrastructure
- Vercel edge network with global CDN
- Supabase managed Postgres with HA
- Automated daily backups with PITR
- DDoS protection and WAF
Incident Response
- 24-hour incident response SLA
- 72-hour NDB breach notification
- Dedicated security response team
- Post-incident review and disclosure
Business Continuity
- Multi-region edge deployment
- Automated failover
- Point-in-time recovery (PITR)
- Regular disaster recovery testing
Data handling
Your governance data stays under your control. We store only what is needed and give you full export and deletion capabilities.
Data residency
All governance data stored in Sydney, Australia (ap-southeast-2). Full Australian jurisdictional control.
Data portability
Full export of your data in JSON and CSV formats at any time. Your data is yours.
Data retention
Configurable retention policies. Data preserved for 30 days after account cancellation.
No third-party sharing
Your governance data is never shared with third parties beyond essential service providers listed below.
Sub-processors
A transparent list of third-party services that process data on behalf of your practice.
| Provider | Purpose |
|---|---|
 Supabase | Database, authentication, storage |
 Vercel | Hosting, edge network, serverless functions |
 Stripe | Payment processing, subscription billing |
Sentry | Error tracking, performance monitoring |
PostHog | Product analytics, feature flags |
Resend | Transactional email delivery |
 Anthropic | AI-generated governance content (no patient data sent) |
Documents & reports
Security documentation for your due diligence review. Available documents can be accessed directly; others are available on request.
Available
Data Processing Agreement
Covers data handling, sub-processors, breach notification, and data subject rights.
View documentAvailable
Privacy Policy
How we collect, use, and protect your information under Australian privacy law.
View documentAvailable
Terms of Service
Service terms, acceptable use, liability, and dispute resolution.
View documentQ3 2026
Security Whitepaper
Detailed breakdown of our security architecture, controls, and practices.
Request access
Penetration Test Summary
Third-party penetration testing results and remediation summary.
Request accessRequest access
Security Questionnaire
Pre-filled SIG Lite, CAIQ, and custom security questionnaire responses.
Request accessUptime & SLA
Built on infrastructure trusted by millions of production applications.
99.9%
Uptime SLA
- Vercel edge network with global CDN
- Supabase managed Postgres with HA
- Automated failover and PITR backups
- 24/7 infrastructure monitoring
All systems operational
Real-time status monitoring
View current system status, historical uptime, and subscribe to incident notifications on our status page.
Visit status pageInfrastructure powered by
VercelSupabaseStripeAnthropicResponsible disclosure
Found a vulnerability? We take security reports seriously and respond to every submission. Please disclose responsibly by emailing our security team directly.
security@moirai.healthFrequently asked questions
Common questions from security and compliance teams during vendor review.
Does Moirai store patient data?
No. Moirai tracks governance metadata only. Which AI tools are used, who approved them, what policies are in place, and how decisions were documented. No Protected Health Information (PHI) enters the platform.
Where is my data stored?
All governance data is stored in Sydney, Australia (ap-southeast-2) on Supabase managed Postgres. Your data stays under Australian jurisdictional control at all times.
Can I export my data?
Yes. You can export your complete governance dataset in JSON and CSV formats at any time from the Settings page. Your data is yours.
How do you handle security incidents?
We maintain a 24-hour incident response SLA. Under the Notifiable Data Breaches scheme, affected practices are notified within 72 hours. Every incident is followed by a post-incident review and disclosure.
Do you have a Data Processing Agreement?
Yes. Our DPA covers data handling, sub-processors, breach notification, international transfers, data subject rights, and audit provisions. It's available at moirai.health/legal/dpa.
What certifications do you have?
Moirai is designed to support obligations under the Australian Privacy Act 1988 and OAIC Australian Privacy Principles. Clinical AI governance evidence is mapped against RANZCR Chapter 9, Ahpra AI guidance, TGA SaMD requirements, and the Safety & Quality Commission AI Clinical Use Guide. NIST CSF and ISO 27001 are on our roadmap.
Get the full security pack
Security questionnaire responses, penetration test summary, architecture diagrams. Or schedule a call with our team.