Security

How we protect your data

AuditPlatform handles sensitive participant and staff records on behalf of NDIS providers. This page describes our current security practices honestly — including what we do well and where the responsibilities lie with our subprocessors.

Questions? Email hello@auditplatform.app

Encryption

In transit: All connections to AuditPlatform are encrypted using TLS. HTTPS is enforced on all endpoints — plain HTTP connections are automatically redirected.

At rest: Data stored in our database is encrypted at rest by Neon, our database provider. Encryption is managed at the infrastructure level and is not dependent on application-layer configuration.

Authentication & access control

Authentication is handled by Clerk, a dedicated identity provider. We do not store passwords. Clerk manages credential hashing, session tokens, device tracking, and brute-force protection.

Multi-factor authentication (MFA): Supported for all accounts via authenticator app or SMS. We encourage coordinators and administrators to enable MFA.

Role-based access:AuditPlatform enforces role separation between support staff, coordinators, and administrators. Staff can only access their own assigned shifts and submit notes — they cannot view other participants' records or organisation-wide data.

Organisation isolation:All database queries are scoped to an organisation ID. It is not possible for one organisation's users to access another organisation's data through the application.

Audit logging

Every change to participant records, staff records, rosters, incidents, and shift notes is written to an immutable audit log. Each entry captures:

  • The user who made the change (Clerk user ID)
  • A precise timestamp
  • The action type (create, update, delete)
  • The before and after values of changed fields

Audit log entries cannot be modified or deleted through the application interface. This log is the primary evidence source for NDIS auditors.

Application security

SQL injection: All database queries are executed via Drizzle ORM with parameterised queries. Raw SQL execution from user input is not used.

CSRF protection: Session validation is managed by Clerk on all authenticated API routes. Unauthenticated routes (such as the public concern report form) validate participant identity by NDIS number before processing submissions.

Rate limiting:Authentication endpoints are rate-limited by Clerk. API routes operate within Vercel's infrastructure-level protections.

Dependencies: We keep third-party dependencies up to date and monitor for known vulnerabilities.

Subprocessors

We use the following third-party services to operate the platform. Each operates under its own security programme and data processing agreements.

ProviderPurposeSecurity info
NeonPostgreSQL database hostingneon.tech/security
VercelApplication hosting and CDNvercel.com/security
ClerkUser authentication and session managementclerk.com/security
AnthropicAI shift note draftinganthropic.com/security
StripePayment processing and billingstripe.com/security

Data processed by Anthropic for AI shift note drafting is not used to train AI models and is subject to Anthropic's API data processing agreement.

Data retention & deletion

Organisation data is retained for the duration of your active subscription. NDIS providers are generally required to keep participant and service records for seven years under the NDIS Practice Standards — your export includes everything needed to meet this obligation independently of your AuditPlatform subscription.

On account cancellation, data is retained for 30 days to allow export. After that period, data is scheduled for deletion unless retention is required by law.

You can export your complete data at any time from the dashboard — participants, staff, rosters, shift notes, incidents, and audit logs — in CSV and PDF formats.

Responsible disclosure

If you discover a security vulnerability in AuditPlatform, please report it to us privately before any public disclosure. We ask for reasonable time to investigate and remediate before the issue is made public.

Email: security@auditplatform.app

We will acknowledge receipt within two business days and keep you informed of our progress. We do not pursue legal action against researchers who act in good faith.

What we don't claim

AuditPlatform is not ISO 27001 certified, SOC 2 attested, or independently audited at this time. We are a growing product and intend to pursue formal certification as we scale.

We do not make specific guarantees about data residency in any particular country or region. Infrastructure locations are determined by our subprocessors and may change. If data residency is a hard requirement for your organisation, please contact us before signing up.

No internet-based system is completely secure. While we take reasonable steps to protect your data, you are responsible for maintaining appropriate access controls within your organisation — including offboarding departing staff promptly.