Trust Center
Evidence room. Security control plane.
Vendor review without the scavenger hunt. This page shows the current security posture, data boundary, buyer documents, public verifier path, and the limits Moirai will not overclaim.
Posture reviewed 12 May 2026·Next review 12 June 2026
Security Control Plane
Current trust state
No PHI boundary
01Posture
Limits declared
02DPA
Terms inspectable
03Sample file
Evidence visible
04Verifier
Hash checkable
Public verifier
Hash and report metadata can be checked without exposing patient data.
Limits ledger
SOC 2
Not certified yetMoirai does not yet hold SOC 2 or ISO 27001 certification. Vendor infrastructure controls are documented, but Moirai's own control audit is still on the roadmap.
Penetration testing
PlannedIndependent penetration testing is not yet complete. A summary will be available to qualified buyers after the first external test and remediation pass.
Patient data
ProhibitedProduct policy prohibits PHI uploads. The platform is designed for governance metadata, evidence references, policies, approvals, and audit records.
Inspect and verify
Inspect the synthetic follow-up evidence, then test the public verification path before a founder call.
01
Data Processing Agreement
Data handling, sub-processors, breach notification, international transfers, and audit provisions.
Open DPA02
Follow-up preview
Synthetic follow-up evidence record, verification snapshot, and source-to-status proof trail.
Inspect preview03
Public verifier
No-auth verification endpoint for report fingerprints and PHI-safe chain metadata.
Open verifierPosture ledger
What is not certified yet
The useful version of trust is specific. These are the current limits a buyer should understand before procurement.
SOC 2
Not certified yet
Moirai does not yet hold SOC 2 or ISO 27001 certification. Vendor infrastructure controls are documented, but Moirai's own control audit is still on the roadmap.
Penetration testing
Planned
Independent penetration testing is not yet complete. A summary will be available to qualified buyers after the first external test and remediation pass.
Medical-device scope
Out of scope
Moirai is governance infrastructure. It does not diagnose, triage, interpret images, process medical images, recommend treatment, or replace clinician judgment.
Patient data
Prohibited
Product policy prohibits PHI uploads. The platform is designed for governance metadata, evidence references, policies, approvals, and audit records.
Assurance sequence
Security roadmap
The order matters: publish the current posture first, then add independent evidence as the commercial risk justifies it.
Now
Evidence-room baseline
Publish current controls, data boundaries, sub-processors, DPA, privacy terms, incident-response process, and explicit certification limits.
Next
Independent penetration test
Commission third-party penetration testing, remediate findings, and make an executive summary available under NDA.
After paid pilots
SOC 2 readiness
Formalise access reviews, vendor review cadence, change management evidence, incident drills, and control-owner accountability.
Scale stage
ISO 27001 scoping
Scope the information security management system once customer volume and enterprise procurement demand justify the audit cost.
AES-256
Encryption
99.9%
Uptime Target
Australia
Data Residency
<30d
NDB Assessment
PHI prohibited by product policy
Product policy prohibits PHI uploads. The platform is designed for governance metadata, evidence references, policies, approvals, and audit records.
Regulatory mapping
Built to organise evidence against Australian healthcare obligations, with a clear path to independent security certifications.
Australian Privacy Act 1988
MappedOAIC APP Guidelines
MappedRANZCR Ch.9 mapped
MappedAhpra AI guidance
MappedTGA medical software guidance
MappedACSQHC AI guidance
MappedNIST Cybersecurity Framework
ISO 27001
External references
Mapped to current guidance · No endorsement claimed
Security controls
Every layer of the Moirai stack is designed with security as a constraint, not an afterthought.
Encryption
- AES-256 encryption at rest
- TLS 1.3 in transit
- Encrypted automated backups
- Key rotation and management
Data Residency
- Primary data in Sydney (ap-southeast-2)
- Supabase managed Postgres in AU
- Australian Privacy Act jurisdiction
- Listed sub-processors documented
Access Control
- Row Level Security on all tables
- Practice-scoped data isolation
- Cookie-based auth sessions
- Role-based access control (RBAC)
Infrastructure
- Vercel edge network with global CDN
- Supabase managed Postgres with HA
- Automated daily backups with PITR
- DDoS protection and WAF
Incident Response
- 24-hour incident response SLA
- NDB assessment process documented
- Founder-led response with vendor escalation
- Post-incident review and disclosure
Business Continuity
- Multi-region edge deployment
- Managed infrastructure failover
- Point-in-time recovery (PITR)
- Regular disaster recovery testing
Data handling
Your governance data stays under your control. We store only what is needed and give you full export and deletion capabilities.
Data residency
Primary governance database and storage run in Sydney, Australia (ap-southeast-2). Listed sub-processors may process operational metadata offshore.
Data portability
Full export of your data in JSON and CSV formats at any time. Your data is yours.
Data retention
Configurable retention policies. Data preserved for 30 days after account cancellation.
No third-party sharing
Your governance data is never shared with third parties beyond essential service providers listed below.
Sub-processors
A transparent list of third-party services that process data on behalf of your practice.
| Provider | Purpose |
|---|---|
 Supabase | Database, authentication, storage |
 Vercel | Hosting, edge, serverless functions |
 Stripe | Payments and billing |
Sentry | Error monitoring, performance telemetry |
PostHog | Product analytics, feature flags |
Resend | Transactional email delivery |
Loops | Lifecycle email and user communications |
 Anthropic | Governance content generation (no patient data sent) |
Documents & reports
Security documentation for your due diligence review. Available documents can be accessed directly; others are available on request.
Available
Data Processing Agreement
Covers data handling, sub-processors, breach notification, and data subject rights.
View documentAvailable
Privacy Policy
How we collect, use, and protect your information under Australian privacy law.
View documentAvailable
Terms of Service
Service terms, acceptable use, liability, and dispute resolution.
View documentQ3 2026
Security Whitepaper
Detailed breakdown of our security architecture, controls, and practices.
Request access
Penetration Test Summary
Third-party penetration testing results and remediation summary.
Request accessRequest access
Security Questionnaire
Pre-filled SIG Lite, CAIQ, and custom security questionnaire responses.
Request accessUptime & SLA
Built on infrastructure trusted by millions of production applications.
99.9%
Uptime SLA
- Vercel edge network with global CDN
- Supabase managed Postgres with HA
- Automated failover and PITR backups
- 24/7 infrastructure monitoring
All systems operational
Real-time status monitoring
View current system status, historical uptime, and subscribe to incident notifications on our status page.
Visit status pageInfrastructure powered by
VercelSupabaseStripeAnthropicResponsible disclosure
Found a vulnerability? We take security reports seriously and respond to every submission. Please disclose responsibly by emailing our security team directly.
security@moirai.healthFrequently asked questions
Common questions from security and compliance teams during vendor review.
Does Moirai store patient data?
Moirai is designed for governance metadata: which AI tools are used, who approved them, what policies exist, and how governance decisions were documented. Product policy prohibits uploading Protected Health Information (PHI).
Where is my data stored?
The primary governance database and storage are in Sydney, Australia (ap-southeast-2) on Supabase managed Postgres. Listed sub-processors may process operational metadata offshore for payments, analytics, email, and error tracking.
Can I export my data?
Yes. You can export your complete governance dataset in JSON and CSV formats at any time from the Settings page. Your data is yours.
How do you handle security incidents?
We maintain a documented incident response process. Under the Notifiable Data Breaches scheme, we assess suspected eligible data breaches within 30 days and notify OAIC and affected individuals as soon as practicable when notification is required.
Do you have a Data Processing Agreement?
Yes. Our DPA covers data handling, sub-processors, breach notification, international transfers, data subject rights, and audit provisions. It's available at moirai.health/legal/dpa.
What certifications do you have?
Moirai itself does not yet hold SOC 2 or ISO 27001 certification. It is built on certified infrastructure and designed to support obligations under the Australian Privacy Act 1988 and OAIC Australian Privacy Principles. Clinical AI governance evidence is mapped against RANZCR Chapter 9, Ahpra AI guidance, TGA medical-device software guidance, ACSQHC AI guidance, and DISR AI adoption materials.
Get the full security pack
Security questionnaire responses, penetration test summary, architecture diagrams. Or schedule a call with our team.