Trust
Privacy, security and Australian compliance
Refera handles health information for medical practices, so the standard is simple: every promise on this page maps to an enforced control, and every legal claim maps to an Australian statute. The full compliance guide accompanies the onboarding pack.
- Real-data build designed for Australian residency
- Draft-first - nothing sent without human approval
- Synthetic demo - no real patient data
Six promises
Enforced by design, not asserted in prose
Each promise below is a property of how Refera is built - a practice can hold us to all six in the data processing agreement.
Australian data residency
Production is designed to run in AWS Sydney, pinned by organisation-level policy - not by a policy document. Before real data, AU-only Bedrock routing is verified in CloudTrail so the practice can see where each model call ran.
No clinical triage
Refera is administrative process-state software. Urgency is only ever the referrer's own words, quoted and attributed; attachments are noted, never interpreted. The extraction schema has no field a clinical judgement could occupy.
Draft-first, always
Nothing leaves Refera without a named staff member approving it. That approval step is also the error firewall: an extraction mistake cannot reach a GP or a record, because a person reviews every draft first.
Never contacts patients
No patient-facing surface, no patient messaging, no patient account exists in the product. Every outbound artefact is a practice-approved draft to a referrer or the practice's own team.
Export freedom
On exit the practice takes everything - original documents, extracted records, the referrer book and the sealed history - machine-readable and free of charge. Then Refera's copy is cryptographically erased by destroying the practice's own encryption key.
Sealed audit trail
Every event is hash-chained with SHA-256 the moment it is recorded and anchored daily to write-once storage no one - including Refera - can rewrite. The practice can verify its own history without trusting us, and keeps that ability after leaving.
Privacy Act 1988
The Australian Privacy Principles, mapped to controls
Health information is "sensitive information" under the Privacy Act 1988 (Cth) - the strictest category. Refera handles it solely as the practice's contracted service provider, and commits to full APP coverage from day one. One line per principle; the full compliance guide expands each row.
| Principle | Refera's control |
|---|---|
| APP 1 - open and transparent management | Published privacy policy, a privacy impact assessment before launch naming every processor, and a nominated privacy contact. |
| APP 2 - anonymity and pseudonymity | Patients deal with their practice, never with Refera; inside Refera, identifiers are tokenised so working systems see tokens, not names. |
| APP 3 - collection | Only what arrives in the referral the practice already receives, only on the practice's instruction - no enrichment, no other sources. |
| APP 4 - unsolicited information | Misdirected documents are quarantined, excluded from extraction and destroyed on schedule. |
| APP 5 - notification | The practice's collection notice names Refera; template wording ships in the onboarding pack. |
| APP 6 - use and disclosure | One purpose only: the contracted service. No secondary use, no sale, no training AI on patient data, ever. |
| APP 7 - direct marketing | None. Patient information is never used for marketing and Refera never contacts patients. |
| APP 8 - cross-border disclosure | The real-data build is designed for Australian processing only, enforced by AWS policy and verified in CloudTrail before any patient data flows. The current public demo uses synthetic data only. |
| APP 9 - government identifiers | Medicare and provider numbers are data on the referral, never Refera's own identifiers. |
| APP 10 - quality | Extracted fields are always shown beside the original document; low confidence goes to a person, and the original is the record. |
| APP 11 - security | Per-practice encryption keys, row-level tenant isolation, a tokenised identifier vault, no patient data in logs, and detection on before real data. |
| APP 11.2 - destruction | Offboarding destroys the practice's own encryption key - provable cryptographic erasure, not a best-effort delete. |
| APP 12 - access | Access requests go to the practice, and Refera makes it fast: full export, free and machine-readable, at any time. |
| APP 13 - correction | Corrections are sealed as new events with the original preserved - history is appended, never quietly rewritten. |
Beyond the APPs
State law, My Health Record and breaches
Three questions practices ask early, answered in a sentence each - and in full in the compliance guide.
State health-records law
Victoria (Health Records Act 2001), NSW (Health Records and Information Privacy Act 2002) and the ACT (Health Records (Privacy and Access) Act 1997) add their own health privacy principles. Refera runs one national posture at the strictest applicable setting, so the tightest rule wins everywhere.
My Health Record
Refera does not connect to, read from or write to the My Health Record system, holds no My Health Record data, and has no registered role under the My Health Records Act 2012. The front door is the practice's own - a national repository is not part of it.
If a breach ever happens
A written plan under the Notifiable Data Breaches scheme: contain immediately, assess and tell affected practices within 72 hours (our own clock - tighter than the law's 30-day assessment ceiling), then notify the OAIC and individuals as the Privacy Act requires, on a path pre-agreed with each practice.
Sub-processors
The complete list - deliberately short
Every practice signs a data processing agreement - the Australian instrument; a "BAA" is a US concept that does not exist here. The agreement lists these sub-processors, with advance notice of any change and a right to object.
| Sub-processor | Location and scope | What it sees |
|---|---|---|
| Amazon Web Services | Designed for Sydney (ap-southeast-2), region-pinned by policy before real data | All platform infrastructure - compute, database, storage, keys, logs. |
| Amazon Bedrock (within AWS) | Sydney endpoint, au.* Australia-geography inference profiles | Raw referral text during extraction only - not retained, not used for training. Offshore profiles denied by policy. |
| Cloudflare | Global edge network | The static app shell and this website only. No patient data transits or rests on Cloudflare. |
Updates and rollback
Kept current without turning the practice into the test site
Refera is cloud-managed, so most updates happen centrally. The standard is not "move fast"; the standard is a verified release that preserves the no-triage boundary, the data wall and the practice's working day.
Security fixes first
Validated security fixes are patched the same day where possible. Interface polish is batched weekly so practices are not hit by constant churn.
Every release is gated
Before deploy, Refera runs the product test suite, desktop and mobile verification, and the full 13-beat live-demo path locally. After deploy, the same demo path runs against the live app.
Rollback is built in
Cloudflare Pages keeps immutable deployments. If a post-deploy check fails, the affected surface can be rolled back to the previous green deployment while the fix-forward commit is prepared.
Security roadmap
Built to a published bar
Security at Refera is engineering, not badges: a public roadmap of controls, each one landing before the data that needs it.