Security & compliance

Security engineered for clinical work

Occupational health data is sensitive, regulated and audited. ClinicMira is built accordingly — Australian data residency, encryption, enterprise identity and an audit trail on everything. Send this page to your security team.

01 Platform foundations

Secure by architecture

Security is not an afterthought. It is how the platform is hosted, deployed, monitored and recovered.

Australian data residency

ClinicMira runs on Microsoft Azure in Australia. Clinical and candidate data stays onshore — no offshore replication of your records.

Encryption everywhere

Data is encrypted in transit and at rest across the platform — application traffic, databases, document storage and backups.

Azure Key Vault

Secrets, keys and credentials are managed in Azure Key Vault — never in code, config files or developer machines.

Penetration testing program

An ongoing external penetration testing program probes the platform the way an attacker would. Findings are triaged and remediated on a defined cadence.

Rate limiting & abuse safeguards

API and authentication endpoints are rate-limited, with abuse safeguards on candidate sessions, OTP issuance and public-facing surfaces.

Observability

Monitoring and alerting across the stack — New Relic, Prometheus and Grafana — so anomalies are seen and acted on, not discovered later.

Blue-green deploys

Releases ship to a parallel environment and cut over only when healthy — changes land without taking clinics offline mid-shift.

Backup & recovery

Automated backups with tested recovery procedures underpin our 99.9% uptime record. Migrated historical records live in a dedicated legacy archive.

02 Identity, access & audit

The right people, the right records, on the record

Enterprise SSO

Microsoft Entra ID single sign-on with automatic user provisioning — access follows your directory, and offboarding is immediate.

  • Microsoft Entra ID SSO with auto-provisioning
  • Role-templated, fine-grained permissions
  • Multi-business users on one identity

Fine-grained RBAC

Role templates define exactly what each user can see and do — per tenant, per business, down to individual documents.

  • Document-level access permissions
  • Internal-only flags on sensitive records
  • Per-role visibility across every portal

OTP candidate sessions

Workers complete forms and view their bookings through one-time-passcode sessions — no accounts, no passwords to leak.

  • No stored candidate credentials
  • Time-boxed, single-purpose sessions
  • Scoped to the candidate's own record

Immutable audit trails

Every clinical entity carries an immutable audit trail — bookings, candidates, businesses, documents, forms, tenants, users, billing and notifications.

  • 100% audit-trail coverage on clinical entities
  • Who, what and when on every change
  • Full notification and billing audit logs

03 Responsible AI

AI with guardrails, not guesswork

Our voice and chat agents answer phones and book appointments 24/7 — inside a governance framework your compliance team can actually read.

Never gives medical advice

Voice and chat agents book, remind and answer operational questions. Anything clinical is routed to a human — by design, not by hope.

Kill switches

Every AI agent can be halted instantly — per tenant, per channel. Recording consent and retention controls are configurable to your policy.

Scoped tool registry

Agents can only touch the tools policy allows. Booking and status enquiries are gated by caller identity verification, with prompt-injection safeguards on every input.

Accountable by the minute

A usage ledger records billable minutes and cost, and call analytics track volume, outcomes and transfers — rate limits and quiet hours enforced per tenant.

04 Compliance

Built for the Australian regulatory landscape

We describe our posture precisely: aligned means aligned. No borrowed badges, no certifications we don't hold.

Privacy Act 1988

Data handling aligned with the Australian Privacy Principles — collection, use, disclosure and access.

ISO 27001-aligned

Security practices aligned with ISO 27001 — access management, change control, incident response and supplier review.

Data residency: Australia

Hosted on Microsoft Azure in Australia. Your data does not leave the country.

Audit-ready records

Immutable trails on all clinical entities give regulators and enterprise clients the evidence they ask for.

99.9%

Uptime

100%

Audit-trail coverage

Australia

Data residency

Zero

Deploy downtime

Vulnerability disclosure

Found a security issue? Tell us at hello@clinicmira.com — we take reports seriously and respond quickly.

View system status

See it running on your workflows

A working demo built around your services, your clients and a live AI agent on a real phone number — with a security pack ready for procurement.

Australian-based implementation team · Migration included · Enterprise SSO & audit trails

Security & Compliance | ClinicMira