Trust

Privacy, security and Australian compliance

Refera handles health information for medical practices, so the standard is simple: every promise on this page maps to an enforced control, and every legal claim maps to an Australian statute. The full compliance guide accompanies the onboarding pack.

  • Real-data build designed for Australian residency
  • Draft-first - nothing sent without human approval
  • Synthetic demo - no real patient data

Six promises

Enforced by design, not asserted in prose

Each promise below is a property of how Refera is built - a practice can hold us to all six in the data processing agreement.

Australian data residency

Production is designed to run in AWS Sydney, pinned by organisation-level policy - not by a policy document. Before real data, AU-only Bedrock routing is verified in CloudTrail so the practice can see where each model call ran.

No clinical triage

Refera is administrative process-state software. Urgency is only ever the referrer's own words, quoted and attributed; attachments are noted, never interpreted. The extraction schema has no field a clinical judgement could occupy.

Draft-first, always

Nothing leaves Refera without a named staff member approving it. That approval step is also the error firewall: an extraction mistake cannot reach a GP or a record, because a person reviews every draft first.

Never contacts patients

No patient-facing surface, no patient messaging, no patient account exists in the product. Every outbound artefact is a practice-approved draft to a referrer or the practice's own team.

Export freedom

On exit the practice takes everything - original documents, extracted records, the referrer book and the sealed history - machine-readable and free of charge. Then Refera's copy is cryptographically erased by destroying the practice's own encryption key.

Sealed audit trail

Every event is hash-chained with SHA-256 the moment it is recorded and anchored daily to write-once storage no one - including Refera - can rewrite. The practice can verify its own history without trusting us, and keeps that ability after leaving.

The audit trail is the practice's evidence, not just ours. If a referral is ever questioned - by a referrer, a regulator, an insurer - the practice holds dated, tamper-evident proof of what arrived and what was done, verifiable by any competent third party.

Privacy Act 1988

The Australian Privacy Principles, mapped to controls

Health information is "sensitive information" under the Privacy Act 1988 (Cth) - the strictest category. Refera handles it solely as the practice's contracted service provider, and commits to full APP coverage from day one. One line per principle; the full compliance guide expands each row.

PrincipleRefera's control
APP 1 - open and transparent managementPublished privacy policy, a privacy impact assessment before launch naming every processor, and a nominated privacy contact.
APP 2 - anonymity and pseudonymityPatients deal with their practice, never with Refera; inside Refera, identifiers are tokenised so working systems see tokens, not names.
APP 3 - collectionOnly what arrives in the referral the practice already receives, only on the practice's instruction - no enrichment, no other sources.
APP 4 - unsolicited informationMisdirected documents are quarantined, excluded from extraction and destroyed on schedule.
APP 5 - notificationThe practice's collection notice names Refera; template wording ships in the onboarding pack.
APP 6 - use and disclosureOne purpose only: the contracted service. No secondary use, no sale, no training AI on patient data, ever.
APP 7 - direct marketingNone. Patient information is never used for marketing and Refera never contacts patients.
APP 8 - cross-border disclosureThe real-data build is designed for Australian processing only, enforced by AWS policy and verified in CloudTrail before any patient data flows. The current public demo uses synthetic data only.
APP 9 - government identifiersMedicare and provider numbers are data on the referral, never Refera's own identifiers.
APP 10 - qualityExtracted fields are always shown beside the original document; low confidence goes to a person, and the original is the record.
APP 11 - securityPer-practice encryption keys, row-level tenant isolation, a tokenised identifier vault, no patient data in logs, and detection on before real data.
APP 11.2 - destructionOffboarding destroys the practice's own encryption key - provable cryptographic erasure, not a best-effort delete.
APP 12 - accessAccess requests go to the practice, and Refera makes it fast: full export, free and machine-readable, at any time.
APP 13 - correctionCorrections are sealed as new events with the original preserved - history is appended, never quietly rewritten.

Beyond the APPs

State law, My Health Record and breaches

Three questions practices ask early, answered in a sentence each - and in full in the compliance guide.

State health-records law

Victoria (Health Records Act 2001), NSW (Health Records and Information Privacy Act 2002) and the ACT (Health Records (Privacy and Access) Act 1997) add their own health privacy principles. Refera runs one national posture at the strictest applicable setting, so the tightest rule wins everywhere.

My Health Record

Refera does not connect to, read from or write to the My Health Record system, holds no My Health Record data, and has no registered role under the My Health Records Act 2012. The front door is the practice's own - a national repository is not part of it.

If a breach ever happens

A written plan under the Notifiable Data Breaches scheme: contain immediately, assess and tell affected practices within 72 hours (our own clock - tighter than the law's 30-day assessment ceiling), then notify the OAIC and individuals as the Privacy Act requires, on a path pre-agreed with each practice.

Sub-processors

The complete list - deliberately short

Every practice signs a data processing agreement - the Australian instrument; a "BAA" is a US concept that does not exist here. The agreement lists these sub-processors, with advance notice of any change and a right to object.

Sub-processorLocation and scopeWhat it sees
Amazon Web ServicesDesigned for Sydney (ap-southeast-2), region-pinned by policy before real dataAll platform infrastructure - compute, database, storage, keys, logs.
Amazon Bedrock (within AWS)Sydney endpoint, au.* Australia-geography inference profilesRaw referral text during extraction only - not retained, not used for training. Offshore profiles denied by policy.
CloudflareGlobal edge networkThe static app shell and this website only. No patient data transits or rests on Cloudflare.
No others. No offshore support tooling with data access, no third-party analytics on patient data, no data brokers. The practice's own mailbox and fax-to-email providers are contracted by the practice, not by Refera.

Updates and rollback

Kept current without turning the practice into the test site

Refera is cloud-managed, so most updates happen centrally. The standard is not "move fast"; the standard is a verified release that preserves the no-triage boundary, the data wall and the practice's working day.

Security fixes first

Validated security fixes are patched the same day where possible. Interface polish is batched weekly so practices are not hit by constant churn.

Every release is gated

Before deploy, Refera runs the product test suite, desktop and mobile verification, and the full 13-beat live-demo path locally. After deploy, the same demo path runs against the live app.

Rollback is built in

Cloudflare Pages keeps immutable deployments. If a post-deploy check fails, the affected surface can be rolled back to the previous green deployment while the fix-forward commit is prepared.

One update path, fully gated. The web app and installed PWA are the supported update path today, and every release reaches them through the same gate. The iOS and Android wrapper joins the store once its over-the-air update channel is wired into that gate.

Security roadmap

Built to a published bar

Security at Refera is engineering, not badges: a public roadmap of controls, each one landing before the data that needs it.

Today - the demo runs on synthetic data. The public demo runs on synthetic referrals while the production controls are built and verified. Real patient data flows only after every launch gate below holds.
At launch - the gates. Essential Eight alignment engineered to the published bar, an independent penetration test, a privacy impact assessment, executed data processing agreements, insurance, and TGA-experienced counsel signing off the intended-purpose statement.
At growth - ISO 27001. Certification of the management system joins the roadmap as the team and customer base grow.
Government and hospital work - IRAP. Assessed when a contract calls for it.
Certificates link to certificates. When a rung on this roadmap is independently certified, this page links to the certificate itself - every claim here stays verifiable, never decorative.