AiHealth
Security

Security overview

AiHealth is built to protect sensitive health and clinical data. Here's how we approach security at every layer.

This page describes our current and planned security posture. AiHealth is pre-launch — specific certifications and formal security reviews will be completed prior to processing live client data. Updated as we progress.

Encryption

  • All data encrypted in transit using TLS 1.2+
  • Data encrypted at rest using AES-256
  • Database credentials stored in environment secrets, never in code
  • JWT tokens signed with RS256

Access control

  • Role-based access control (RBAC) — owner, admin, member, viewer
  • Multi-tenancy: organisations are fully isolated at the database level
  • Audit log on all sensitive operations (data access, user changes, module toggling)
  • Session expiry and revocation
  • Optional Google Workspace SSO with domain restriction

Infrastructure

  • Hosted on Australian infrastructure (Vercel + Neon Postgres, AWS ap-southeast-2 region)
  • Database backups every 24 hours, point-in-time recovery
  • Uptime monitoring and incident alerting
  • Dependency vulnerability scanning via automated tooling

Compliance

  • Australian Privacy Act 1988 aligned
  • Australian Privacy Principles (APPs) compliant data handling
  • Data Processing Agreement available on request for organisations requiring it
  • We do not sell or share your data with third parties for commercial purposes

Report a vulnerability

If you discover a security issue, please contact us directly before public disclosure.

security@aihealth.net.au