Security

How we protect your healthcare data

Encryption

  • In transit: All connections use TLS 1.2 or higher. HTTPS is enforced on every endpoint.
  • At rest: Database encryption using AES-256 via Supabase (PostgreSQL). Backups are encrypted.
  • Payments: Card data is processed by Stripe (PCI-DSS Level 1 certified). We never store, process, or have access to full card numbers.

Access control

  • Multi-tenant isolation: Every data record includes a clinic identifier. Row-Level Security (RLS) policies on all database tables ensure each clinic can only access its own data.
  • Role-based access: Six practitioner roles (owner, admin, practitioner, nurse, reception, allied health) with granular permissions controlling what each role can view and modify.
  • Authentication: Supabase Auth with secure session management and automatic token refresh. Patient portal uses separate JWT-based authentication.
  • Session management: Sessions expire automatically. Protected routes require active authentication verified on every request.
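The following is an added illustration of how the multi-tenant RLS and role-based rules described above can be expressed on Supabase/PostgreSQL. It is not Tele360's own schema: the table and column names (`clinic_members`, `patients`, `clinic_id`, the `current_user_clinics()` helper) are assumptions for illustration, while `auth.uid()` and the `authenticated` role are standard Supabase objects.

```sql
-- Added example, not Tele360's own schema. Table, column and helper names
-- are assumptions; auth.uid() and the "authenticated" role are Supabase's.

-- Maps each authenticated user to a clinic and one of the six roles.
create table clinic_members (
  user_id   uuid references auth.users (id) on delete cascade,
  clinic_id uuid not null,
  role      text not null check (role in
              ('owner','admin','practitioner','nurse','reception','allied_health')),
  primary key (user_id, clinic_id)
);

-- Every data record carries the clinic identifier it belongs to.
create table patients (
  id        uuid primary key default gen_random_uuid(),
  clinic_id uuid not null,
  full_name text not null
);

-- Helper: clinics the current user is a member of. security definer lets it
-- read clinic_members without that table's own policies getting in the way.
create or replace function current_user_clinics()
returns setof uuid
language sql stable security definer
set search_path = public
as $$
  select clinic_id from clinic_members where user_id = auth.uid();
$$;

alter table patients enable row level security;
-- Apply the policies to the table owner as well, so a misconfigured
-- connection role cannot silently bypass them.
alter table patients force row level security;

-- Reads: only rows belonging to one of the caller's clinics.
create policy patients_select on patients
  for select to authenticated
  using (clinic_id in (select current_user_clinics()));

-- Inserts: the new row must belong to the caller's clinic.
create policy patients_insert on patients
  for insert to authenticated
  with check (clinic_id in (select current_user_clinics()));

-- Updates: both the existing row and the updated row must stay in the
-- caller's clinic, which blocks "moving" a record to another tenant.
create policy patients_update on patients
  for update to authenticated
  using (clinic_id in (select current_user_clinics()))
  with check (clinic_id in (select current_user_clinics()));

-- Deletes: role-based, only owners and admins of that clinic.
create policy patients_delete on patients
  for delete to authenticated
  using (exists (
    select 1 from clinic_members m
     where m.user_id = auth.uid()
       and m.clinic_id = patients.clinic_id
       and m.role in ('owner','admin')));
```

A practical check after deploying policies like these: query the table as a user who belongs to exactly one clinic and confirm that rows for every other clinic are absent, and that an `update` attempting to change `clinic_id` to a foreign clinic is rejected by the `with check` clause rather than succeeding silently.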

Audit logging

  • Immutable audit trail: All critical operations are logged, including invoice creation, payment recording, clinical note finalisation, prescription creation, pathology orders, and result reviews.
  • Append-only: Audit records cannot be modified or deleted.
  • Clinical safety: Prescription void pattern — prescriptions are never deleted, only voided with a reason and a link to the corrected prescription. Abnormal pathology results require an action before filing.
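As an added example of the append-only audit trail and the prescription void pattern described above (not Tele360's own schema), the PostgreSQL below enforces both at the database layer rather than relying on application code alone. Table and column names (`audit_log`, `prescriptions`, `void_reason`, `superseded_by`), the `reject_mutation()` trigger function and the `void_prescription()` routine are assumptions for illustration; `auth.uid()` and the `authenticated` role are Supabase's.

```sql
-- Added example, not Tele360's own schema. Names are assumptions;
-- auth.uid() and the "authenticated" role are Supabase's.

create table audit_log (
  id          bigserial primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,                   -- user who performed the action
  clinic_id   uuid not null,
  action      text not null,          -- e.g. 'invoice.create', 'note.finalise'
  record_id   uuid,
  details     jsonb not null default '{}'::jsonb
);

-- Layer 1, privileges: the application role can only read and append.
revoke all on audit_log from authenticated;
grant select, insert on audit_log to authenticated;

-- Layer 2, defence in depth: even a role holding UPDATE/DELETE is refused.
create or replace function reject_mutation()
returns trigger language plpgsql as $$
begin
  raise exception '% on % is not permitted (append-only table)',
    tg_op, tg_table_name;
end;
$$;

create trigger audit_log_immutable
  before update or delete on audit_log
  for each row execute function reject_mutation();

-- Prescription void pattern: rows are never deleted, only voided with a
-- reason and a link to the prescription that replaces them.
create table prescriptions (
  id            uuid primary key default gen_random_uuid(),
  clinic_id     uuid not null,
  patient_id    uuid not null,
  medication    text not null,
  status        text not null default 'active'
                  check (status in ('active','voided')),
  void_reason   text,
  voided_at     timestamptz,
  superseded_by uuid references prescriptions (id),
  created_at    timestamptz not null default now(),
  -- a voided row must carry a reason and timestamp; an active one must not
  constraint void_requires_reason check (
    (status = 'active' and void_reason is null and voided_at is null)
    or (status = 'voided' and void_reason is not null and voided_at is not null)
  )
);

-- Hard deletes are blocked outright; the only exit is the void transition.
create trigger prescriptions_no_delete
  before delete on prescriptions
  for each row execute function reject_mutation();

-- Void and audit in one transaction so the trail can never lag the change.
create or replace function void_prescription(
  p_id uuid, p_reason text, p_replacement uuid)
returns void language plpgsql as $$
begin
  update prescriptions
     set status = 'voided', void_reason = p_reason,
         voided_at = now(), superseded_by = p_replacement
   where id = p_id and status = 'active';
  if not found then
    raise exception 'prescription % is not active', p_id;
  end if;

  insert into audit_log (actor_id, clinic_id, action, record_id, details)
  select auth.uid(), clinic_id, 'prescription.void', id,
         jsonb_build_object('reason', p_reason, 'superseded_by', p_replacement)
    from prescriptions
   where id = p_id;
end;
$$;
```

Two properties worth verifying after applying a scheme like this: an `update` or `delete` issued directly against `audit_log` fails with the trigger's error even when run by the table owner, and calling `void_prescription()` twice for the same id raises on the second call instead of overwriting the first void reason.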

Infrastructure

  • Database: Supabase (PostgreSQL) hosted in the Asia-Pacific region with automated backups, point-in-time recovery, and connection pooling.
  • Application: Vercel serverless platform with automatic scaling, global CDN, and DDoS protection.
  • No data on local devices: Tele360 is a cloud-based application. No patient data is stored on practitioner devices — all data resides in the secured database.

Compliance

  • Privacy Act 1988: Full compliance with Australian Privacy Principles (APPs), including health information protections.
  • Essential Eight: Alignment with the Australian Cyber Security Centre (ACSC) Essential Eight mitigation strategies.
  • ADHA standards: Healthcare identifier support (IHI, HPI-I, HPI-O), SPIA-compliant pathology results, HL7v2 messaging, SNOMED CT-AU, AMT, LOINC, and MBS/PBS reference data.
  • TGA boundary: AI features are classified as documentation aids only, not clinical decision support. This classification is enforced in all AI system prompts.
  • Australian English: All system text uses Australian English spelling and terminology.

Incident response

  • Notification: In the event of a data breach involving personal information, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act.
  • Response time: We aim to assess and contain any suspected breach within 24 hours of detection and complete our investigation within 30 days.

Responsible disclosure

If you discover a security vulnerability in Tele360, please report it responsibly to security@tele360.com.au. We take all reports seriously and will respond within 48 hours.