Security
AuditPlatform handles sensitive participant and staff records on behalf of NDIS providers. This page describes our current security practices honestly — including what we do well and where the responsibilities lie with our subprocessors.
Questions? Email hello@auditplatform.app
In transit: All connections to AuditPlatform are encrypted using TLS. HTTPS is enforced on all endpoints — plain HTTP connections are automatically redirected.
At rest: Data stored in our database is encrypted at rest by Neon, our database provider. Encryption is managed at the infrastructure level and is not dependent on application-layer configuration.
Authentication is handled by Clerk, a dedicated identity provider. We do not store passwords. Clerk manages credential hashing, session tokens, device tracking, and brute-force protection.
Multi-factor authentication (MFA): Supported for all accounts via authenticator app or SMS. We encourage coordinators and administrators to enable MFA.
Role-based access:AuditPlatform enforces role separation between support staff, coordinators, and administrators. Staff can only access their own assigned shifts and submit notes — they cannot view other participants' records or organisation-wide data.
Organisation isolation:All database queries are scoped to an organisation ID. It is not possible for one organisation's users to access another organisation's data through the application.
Every change to participant records, staff records, rosters, incidents, and shift notes is written to an immutable audit log. Each entry captures:
Audit log entries cannot be modified or deleted through the application interface. This log is the primary evidence source for NDIS auditors.
SQL injection: All database queries are executed via Drizzle ORM with parameterised queries. Raw SQL execution from user input is not used.
CSRF protection: Session validation is managed by Clerk on all authenticated API routes. Unauthenticated routes (such as the public concern report form) validate participant identity by NDIS number before processing submissions.
Rate limiting:Authentication endpoints are rate-limited by Clerk. API routes operate within Vercel's infrastructure-level protections.
Dependencies: We keep third-party dependencies up to date and monitor for known vulnerabilities.
We use the following third-party services to operate the platform. Each operates under its own security programme and data processing agreements.
| Provider | Purpose | Security info |
|---|---|---|
| Neon | PostgreSQL database hosting | neon.tech/security |
| Vercel | Application hosting and CDN | vercel.com/security |
| Clerk | User authentication and session management | clerk.com/security |
| Anthropic | AI shift note drafting | anthropic.com/security |
| Stripe | Payment processing and billing | stripe.com/security |
Data processed by Anthropic for AI shift note drafting is not used to train AI models and is subject to Anthropic's API data processing agreement.
Organisation data is retained for the duration of your active subscription. NDIS providers are generally required to keep participant and service records for seven years under the NDIS Practice Standards — your export includes everything needed to meet this obligation independently of your AuditPlatform subscription.
On account cancellation, data is retained for 30 days to allow export. After that period, data is scheduled for deletion unless retention is required by law.
You can export your complete data at any time from the dashboard — participants, staff, rosters, shift notes, incidents, and audit logs — in CSV and PDF formats.
If you discover a security vulnerability in AuditPlatform, please report it to us privately before any public disclosure. We ask for reasonable time to investigate and remediate before the issue is made public.
Email: security@auditplatform.app
We will acknowledge receipt within two business days and keep you informed of our progress. We do not pursue legal action against researchers who act in good faith.
AuditPlatform is not ISO 27001 certified, SOC 2 attested, or independently audited at this time. We are a growing product and intend to pursue formal certification as we scale.
We do not make specific guarantees about data residency in any particular country or region. Infrastructure locations are determined by our subprocessors and may change. If data residency is a hard requirement for your organisation, please contact us before signing up.
No internet-based system is completely secure. While we take reasonable steps to protect your data, you are responsible for maintaining appropriate access controls within your organisation — including offboarding departing staff promptly.