aurii
Security

Hospital-grade by default. Not a feature flag.

Aurii is built to host clinical data for Australian private-hospital specialists. The posture below is the default for every tenant, Solo and Hospital alike.

CH 01 · DATA
AU
Resident in Australia East
Backups in Australia Southeast (Melbourne).
CH 02 · KEYS
CMK
Per-class keys
Customer-managed keys via Azure Key Vault. Rotatable.
CH 03 · AUDIT
7 yr
Append-only
Hash-chained note versions. Tampering detectable.
CH 04 · REG
IIa
TGA pathway
In flight for aurii.ai modules. Validation cohort active.
Posture 01 / 06 Data residency

Australia, in both copies.

  • 01 Production data lives in Microsoft Azure Australia East (Sydney).
  • 02 Backups land in Australia Southeast (Melbourne).
  • 03 No transit through US or EU regions for clinical data.
  • 04 Sub-processors that touch clinical data are configured for AU or AU/EU routing.
Posture 02 / 06 Encryption

Customer-managed keys per data class.

  • 01 Three CMKs in Azure Key Vault: clinical, audio, audit.
  • 02 Each data class encrypts under its own key, rotatable independently.
  • 03 Encryption in transit on every network hop, including internal service-to-service.
  • 04 TLS 1.2+ enforced. HSTS preload on web surfaces.
Posture 03 / 06 Identity + access

Email plus TOTP. WebAuthn for biometric.

  • 01 Email and password plus TOTP MFA mandatory for every clinical user.
  • 02 WebAuthn biometric enrolment on supported devices for low-friction resume.
  • 03 Cross-tenant access is blocked at the database row level and is auditable.
  • 04 Application role lacks UPDATE / DELETE on the audit and TGA-audit tables.
Posture 04 / 06 Audit + record integrity

Append-only. Hash-chained. Seven-year retention.

  • 01 Every clinical write produces an audit log entry. Append-only at the database level.
  • 02 Note versions are hash-chained. Tampering between versions is detectable.
  • 03 Retention 7 years, the conservative reading of AHPRA and state record-keeping standards.
  • 04 Audit data is exportable on tenant request, encrypted in transit.
Posture 05 / 06 Regulatory posture

TGA Class IIa pathway. APP compliance. OAIC NDB.

  • 01 TGA Class IIa registration in flight for aurii.ai modules. Module 16 runs only on the validation cohort until registration is live.
  • 02 Australian Privacy Principles compliance. OAIC notifiable-breach reporting within 30 days.
  • 03 Quality management system scaffolded under ISO 14971 (risk) and IEC 62304 (software lifecycle).
  • 04 Records cooperate with TGA, AHPRA, and OAIC lawful access. Affected tenants notified where lawful.
Posture 06 / 06 Operational security

Lock the deploy path. Lock the on-call path.

  • 01 GitHub Actions deploy via Azure workload-identity-federation. No long-lived secrets.
  • 02 Bicep IaC under what-if review. Production changes are reviewed before they ship.
  • 03 On-call access uses just-in-time elevation with audit trail.
  • 04 Penetration test scheduled before pilot launch. Annual cadence after.
Sub-processors

The third parties that touch tenant data.

Each sub-processor operates under a written agreement with a defined data scope. The aurii.ai is the platform brand for clinical decision-support inference; the underlying provider sits in this list.

Sub-processor Purpose Data scope Region
Microsoft Azure Application + database + storage hosting All clinical, account, audio, audit data Australia East (Sydney), Australia Southeast (Melbourne) for backups
AssemblyAI Voice transcription (dictation + ambient capture) Audio + transcript text AU / EU routing
Anthropic Clinical decision-support inference (aurii.ai) De-identified note context + structured prompts AU / EU routing
Stripe Subscription billing (Solo Checkout, Hospital Invoice) Customer + billing metadata. No clinical data. AU entity
SendGrid Transactional email (sign-in, billing, notifications) Email address + message content Region-controlled mail relay

IT review documents available on request

Hospital reviewers receive the full security questionnaire, network diagram, and DPA on request to security@aurii.com.au. We turn around inside one business day.

Bring this to your IT review.

Detailed security questionnaire, network diagram, and DPA available on request.

Email security All channels