Security & trust

Built to protect what it holds: a patient's record.

Mental-health records are some of the most sensitive data in healthcare. PractaLuma is engineered, audited and contractually committed to keeping that data protected.

Compliance & controls

The compliance posture you'd expect, in writing.

Documented, customer-verifiable, and reviewed every year.

APP-compliant
Australian Privacy Principles 1–13, mapped control-by-control.
HIPAA compliant
Administrative, physical, and technical safeguards. BAAs available for US clients.
GDPR compliant
EU data-protection rights honoured: access, rectification, erasure and portability, backed by an EU-standard DPA.
Australian residency
All patient data stored in Australia. Never replicated abroad.
How it's built

Eight layers between an attacker and a patient's record.

A control framework that matches the seriousness of the data underneath. Each layer is owned by a named engineer, reviewed quarterly, and tested annually by an external auditor.

01
Identity

Who's at the door.

SSO via Microsoft Entra, Google Workspace, Okta. SCIM provisioning. MFA mandatory for every clinician account. Session tokens are short-lived and bound to the device.

SAML 2.0, OIDC, SCIM 2.0, WebAuthn, TOTP
02
Transport

Nothing leaves a device in the clear.

TLS 1.3 everywhere. HSTS preloaded. Perfect-forward-secrecy ciphers only. Certificate transparency monitoring. All public APIs score A+ on Qualys SSL Labs and are re-scanned weekly.

TLS 1.3, HSTS preload, PFS-only, CT monitor
03
At rest

Encrypted twice.

AES-256-GCM at the disk layer (managed KMS) and again at the field layer for clinical free-text and PHI. Field-level keys are tenant-bound. Backups carry the same envelope.

AES-256-GCM, field-level encryption, tenant-bound keys
04
Isolation

Your clinic, your row, your row-level lock.

Row-level security enforced at the database layer, with every query scoped to a tenant context attached at authentication.

RLS, tenant context
05
AI boundary

Zero training on your data. In writing.

Patient data is never used to train a foundation model. Not ours, not a vendor's.

zero-training clause, in-region inference
06
Audit

Every read, every write, every export, logged.

Immutable audit log, kept per user, per record and per field. Anomalous access (out-of-hours, mass-export, cross-clinic) is flagged within minutes.

tamper-evident log, SIEM stream, UEBA, 7-year retention
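As an added illustration (not PractaLuma's own code), the detector below applies the three flags named above to a handful of constructed audit lines; the log format, the business-hours window and the export threshold are assumptions made for the example.

```python
"""Flag out-of-hours, cross-clinic and mass-export access in audit records.

Constructed example. Log format is hypothetical:
  <ISO timestamp> <user> <user's clinic> <record's clinic> <action>
"""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time (assumption)
EXPORT_THRESHOLD = 20           # exports per user per clock-hour (assumption)

# Constructed sample audit lines for one morning.
SAMPLE_LOG = [
    "2024-05-06T09:12:00 dr_lee clinicA clinicA read",
    "2024-05-06T09:13:00 dr_lee clinicA clinicA write",
    "2024-05-06T02:40:00 dr_lee clinicA clinicA read",     # out of hours
    "2024-05-06T10:00:00 dr_kim clinicB clinicA read",     # cross-clinic
] + [f"2024-05-06T11:{i:02d}:00 admin1 clinicA clinicA export"
     for i in range(25)]                                   # mass export


def parse(line):
    """Split one audit line into a dict; raises ValueError on malformed input."""
    ts, user, user_clinic, record_clinic, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "user_clinic": user_clinic, "record_clinic": record_clinic,
            "action": action}


def detect(lines):
    """Return a list of (flag, user, detail) alerts for the given audit lines."""
    alerts = []
    exports = defaultdict(int)   # (user, hour bucket) -> export count
    for ev in map(parse, lines):
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("out-of-hours", ev["user"], ev["ts"].isoformat()))
        if ev["user_clinic"] != ev["record_clinic"]:
            alerts.append(("cross-clinic", ev["user"], ev["record_clinic"]))
        if ev["action"] == "export":
            bucket = (ev["user"], ev["ts"].replace(minute=0, second=0))
            exports[bucket] += 1
            if exports[bucket] == EXPORT_THRESHOLD:   # fire once per bucket
                alerts.append(("mass-export", ev["user"], bucket[1].isoformat()))
    return alerts


if __name__ == "__main__":
    for flag, user, detail in detect(SAMPLE_LOG):
        print(f"{flag:12s} {user:8s} {detail}")
```

The mass-export rule fires once when a user crosses the hourly threshold, so a burst of 25 exports produces one alert rather than six.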
07
Backup

Backed up, and built to stay available.

Point-in-time restore for the last 35 days. Quarterly restore-test drills, with the report shared back to customers. Geo-redundant within Australia, behind a 98% monthly reliability guarantee.

98% reliability, PITR 35 days, geo-redundant AU
08
Response

A named human owns every incident.

24/7 on-call security rotation. Incident playbook tested quarterly. Status page with real-time service health and a public post-incident log.

24/7 on-call, NDB-ready, status.practaluma.com, public post-mortems
Principles

The three commitments we will never trade for growth.

/01

Your data is your data. You can export the whole record (notes, audio transcripts, attachments) in open formats, any day, with one request.

Portability is a right, not a feature.

/02

No model, not ours, not a partner's, is trained on patient data. Ever. We will exit a vendor relationship before we change that clause.

Zero training. Forever.

/03

A real human signs every release that touches PHI handling. A real human takes the call when something goes wrong. No exceptions, ever.

A named human, in the loop.

Questions we hear weekly

The honest answers.

Is my data secure with PractaLuma?

Yes. PractaLuma protects your data with end-to-end encryption, secure cloud infrastructure, and strict access controls, following best practices for data protection throughout.

How does PractaLuma ensure compliance with privacy laws?

PractaLuma is compliant with the Australian Privacy Principles, GDPR and HIPAA, and other relevant privacy regulations. We adhere to strict data protection standards, ensuring all personal data is handled securely and responsibly, and we review our controls regularly.

Does PractaLuma use my data to train AI models?

PractaLuma does not use your client or practice data to train AI models. Your information remains private and is only used to provide the services you've explicitly requested.

Does PractaLuma comply with HIPAA?

Yes, PractaLuma is fully HIPAA-compliant. Our platform implements all required technical safeguards, administrative procedures, and physical security measures to safeguard protected health information (PHI).

Can I control how long my data is retained?

Yes, PractaLuma gives you complete control over your data retention policies. You can configure custom retention periods in accordance with your regulatory requirements and organisational policies.

Is my data shared with third parties?

PractaLuma does not share your data with third parties except as required to provide our services or as required by law. Any third-party integrations are clearly disclosed, and you maintain control over which integrations are enabled.

Does PractaLuma offer a Business Associate Agreement (BAA)?

Yes, PractaLuma offers a standard Business Associate Agreement (BAA) for healthcare organisations that require one for HIPAA compliance. Contact our compliance team to request and review our BAA.

For your operations team

The full trust centre, in one packet.

The data-flow diagram, the sub-processor list, the standard DPA, and the AI addenda. NDA-gated, delivered within the hour.