HIPAA Compliant
Health Insurance Portability and Accountability Act
Mindspan is built to satisfy the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule — the gold standard for protecting electronic Protected Health Information (ePHI) in clinical settings.
Administrative Safeguards
- Role-based access control (RBAC) restricts data access to authorised clinicians and the client themselves
- Audit logging records every access and modification to health records with timestamps and actor identity
- Workforce access policies are enforced in the product, not only on paper: clinicians see only the clients assigned to them
- Business Associate Agreements (BAAs) are in place with all infrastructure providers (Supabase, Vercel, Google Cloud)
Technical Safeguards
- AES-256 encryption at rest for all database records (managed by Supabase / AWS RDS)
- TLS 1.3 encryption in transit for every API call between client, server, and database
- Unique user authentication via Supabase Auth with bcrypt-hashed passwords and optional MFA
- Automatic session expiry and token rotation to prevent unauthorised access
- Row-Level Security (RLS) policies enforce data isolation at the database layer: a query running under a user's own token cannot read another client's records, even if the API layer is compromised. RLS does not apply to the service-role key, which is why that key is confined to the server (see Key Management below)
Physical Safeguards
- Infrastructure hosted on SOC 2 and ISO 27001 certified data centres (AWS Sydney ap-southeast-2)
- No client data is stored on local devices — the platform is entirely cloud-based
- Database backups encrypted and retained per healthcare retention requirements
AES-256 Encryption
Military-grade encryption at rest and in transit
Every piece of data (assessment responses, clinical notes, personal details) is encrypted at rest with AES-256, the same cipher standard used by governments and financial institutions worldwide, and protected by TLS 1.3 while in transit.
Encryption at Rest
- All database volumes use AES-256 encryption managed by AWS Key Management Service (KMS)
- Encryption keys are rotated automatically and never stored alongside the data they protect
- Database backups are encrypted with the same AES-256 standard
- File uploads and attachments are encrypted before storage in secure object storage
Encryption in Transit
- All connections use TLS 1.3 — the latest Transport Layer Security protocol
- HTTP Strict Transport Security (HSTS) headers prevent downgrade attacks
- API endpoints enforce HTTPS-only — plaintext HTTP requests are rejected
- Certificates are issued and renewed automatically via Let's Encrypt on the Vercel Edge Network, so expired or mismatched certificates never reach users
Key Management
- Encryption keys managed by AWS KMS with hardware security module (HSM) backing
- Service role keys are environment-scoped and never committed to source control
- Secrets are injected via Vercel Environment Variables with production/preview isolation
Australian Privacy Act
Privacy Act 1988 & Australian Privacy Principles (APPs)
Mindspan complies with the Australian Privacy Act 1988 and the 13 Australian Privacy Principles, ensuring lawful collection, use, disclosure, and storage of personal and health information for Australian users.
Collection & Consent (APPs 3–5)
- Personal information is collected only with informed consent — users see a clear consent gate before any data is stored
- Collection is limited to what is reasonably necessary for clinical care and platform functionality
- Users are informed at collection about what data is gathered, why, and who can access it
- Sensitive health information receives additional protections per APP 3.3
Use & Disclosure (APPs 6–9)
- Health data is used only for the primary purpose it was collected — clinical assessment and therapeutic support
- Data is never sold, shared with advertisers, or used for marketing
- Cross-border disclosure: infrastructure is hosted in AWS Sydney (ap-southeast-2), keeping data in Australian jurisdiction
- Third-party AI processing (Google Gemini) receives only de-identified data — see PHI Scrubbing below
Data Quality & Security (APPs 10–11)
- Users can view and correct their personal information at any time via account settings
- Technical and organisational security measures protect against unauthorised access, loss, and misuse
- Data retention follows healthcare regulations (minimum 7 years for clinical records)
Access & Correction (APPs 12–13)
- Clients can request a full export of their data at any time
- Clients can request correction of inaccurate personal information
- Account deletion requests are honoured within 30 days, subject to clinical record retention requirements
PHI Scrubbed Before AI
De-identification before any third-party processing
Before assessment data is sent to AI services for interpretation, all direct identifiers (the elements that make health information Protected Health Information under HIPAA) are programmatically removed. The AI never sees names, dates of birth, emails, phone numbers, or any other identifying information; it receives only the de-identified assessment content.
What Gets Scrubbed
- Full name, email address, phone number, date of birth
- Emergency contact details and addresses
- Any free-text fields are scanned for patterns matching Australian phone numbers, email addresses, Medicare numbers, and dates in personal context
- User IDs are replaced with random per-request session tokens; the mapping from token back to user exists only server-side, so the token cannot be reversed by the AI provider
How It Works
- A dedicated PHI scrubbing module runs server-side before any data leaves the platform
- The scrubber uses pattern matching (regex) for structured fields and named entity recognition heuristics for free-text
- A validation step confirms the scrub was successful — if any PHI pattern is detected post-scrub, the request is blocked
- A de-identification certificate is generated for each AI request, logged for audit purposes
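The pipeline the list above describes (structured fields dropped, free text scanned, a post-scrub validation gate that fails closed, and a per-request certificate for the audit log), written out as an added example. This is not Mindspan's code: the record shape, the regexes for Australian identifiers, the in-memory token map, the function names scrubForAi and findResidualPhi, and the fictitious SAMPLE record are all assumptions made for the example. The validation step is deliberately stricter than the scrubber, so a formatting trick the regexes miss still blocks the request rather than leaking.

```typescript
// Added example, not Mindspan's code: a server-side PHI scrubber in the shape
// the section above describes. Field names, regexes, the in-memory token map
// and the sample record are assumptions made for this example.
import { createHash, randomUUID } from "node:crypto";

export interface AssessmentRecord {
  userId: string; fullName: string; email: string; phone: string;
  dateOfBirth: string; emergencyContact: string;
  responses: Record<string, number>; // questionnaire item -> score
  notes: string;                     // clinician free text
}
export interface ScrubbedPayload { sessionToken: string; responses: Record<string, number>; notes: string }
export interface DeidCertificate {
  requestId: string; sessionToken: string; scrubbedAt: string;
  redactions: Record<string, number>; // pattern name -> replacements made
  payloadSha256: string;              // hash of exactly what left the platform
}
type Pattern = { name: string; re: RegExp };

// Identifier patterns for free text (constructed for this example, not exhaustive).
const PHI_PATTERNS: Pattern[] = [
  { name: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  // Australian numbers: +61 412 345 678, 0412 345 678, (02) 9123 4567, 02 9123 4567
  { name: "au_phone", re: /(?:\+61[\s-]?\d(?:[\s-]?\d){8}|\(0\d\)[\s-]?\d{4}[\s-]?\d{4}|\b0\d(?:[\s-]?\d){8}\b)/g },
  // Medicare card number: 10 digits, first digit 2-6, usually written 4-5-1
  { name: "medicare", re: /\b[2-6]\d{3}[\s-]?\d{5}[\s-]?\d\b/g },
  // Dates: 01/02/1990, 1-2-90, 1 Jan 1990, 1 January 1990
  { name: "date", re: /\b\d{1,2}[\/-]\d{1,2}[\/-]\d{2,4}\b|\b\d{1,2}\s+(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+\d{2,4}\b/gi },
];

// Server-side only: lets the AI response be filed against the right record.
// The provider never sees this map, so the token is irreversible to it.
const sessionMap = new Map<string, string>();
const escapeRe = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// The structured fields say exactly which name and email to hunt for in free
// text; this stands in for the NER heuristics the page mentions.
function knownValuePatterns(rec: AssessmentRecord): Pattern[] {
  const out: Pattern[] = [];
  const nameParts = rec.fullName.split(/\s+/).filter((p) => p.length > 1);
  if (nameParts.length > 0) out.push({ name: "name", re: new RegExp(nameParts.map(escapeRe).join("|"), "gi") });
  if (rec.email) out.push({ name: "email", re: new RegExp(escapeRe(rec.email), "gi") });
  return out;
}

function redact(text: string, patterns: Pattern[], counts: Record<string, number>): string {
  return patterns.reduce((acc, { name, re }) => acc.replace(re, () => {
    counts[name] = (counts[name] ?? 0) + 1;
    return `[${name.toUpperCase()}]`;
  }), text);
}

// Post-scrub gate, deliberately stricter than the scrubber: it re-runs every
// pattern and also compares raw digit sequences, which catches a phone number
// written "0 4 1 2 3 4 5 6 7 8" that the phone regex does not recognise.
export function findResidualPhi(payload: ScrubbedPayload, rec: AssessmentRecord): string[] {
  const text = JSON.stringify({ responses: payload.responses, notes: payload.notes });
  const hits = new Set<string>();
  for (const { name, re } of [...PHI_PATTERNS, ...knownValuePatterns(rec)]) {
    if (text.search(re) !== -1) hits.add(name);
  }
  if (rec.userId && JSON.stringify(payload).includes(rec.userId)) hits.add("user_id");
  const phoneDigits = rec.phone.replace(/\D/g, "").slice(-9); // drop +61 / leading 0
  if (phoneDigits.length === 9 && payload.notes.replace(/\D/g, "").includes(phoneDigits)) hits.add("au_phone");
  return Array.from(hits);
}

export function scrubForAi(rec: AssessmentRecord, requestId: string = randomUUID()): { payload: ScrubbedPayload; certificate: DeidCertificate } {
  const counts: Record<string, number> = {};
  const sessionToken = randomUUID();
  // Structured identifiers (name, email, phone, DOB, emergency contact) are
  // never copied: only scores and redacted free text are forwarded.
  const payload: ScrubbedPayload = { sessionToken, responses: { ...rec.responses }, notes: redact(rec.notes, [...PHI_PATTERNS, ...knownValuePatterns(rec)], counts) };
  const residual = findResidualPhi(payload, rec);
  // Fail closed: nothing leaves the platform and no session token is issued.
  if (residual.length > 0) throw new Error(`PHI detected after scrub (${residual.join(", ")}); AI request blocked`);
  sessionMap.set(sessionToken, rec.userId);
  const certificate: DeidCertificate = {
    requestId, sessionToken, scrubbedAt: new Date().toISOString(), redactions: counts,
    payloadSha256: createHash("sha256").update(JSON.stringify(payload)).digest("hex"),
  };
  return { payload, certificate };
}

export const resolveSession = (token: string): string | undefined => sessionMap.get(token);

// Constructed sample record (fictitious data) for trying the scrubber.
export const SAMPLE: AssessmentRecord = {
  userId: "usr_7f3a9c", fullName: "Alex Chen", email: "alex.chen@example.com",
  phone: "0412 345 678", dateOfBirth: "12/03/1990", emergencyContact: "Sam Chen (02) 9123 4567",
  responses: { phq9_1: 2, phq9_2: 3 },
  notes: "Alex Chen (alex.chen@example.com, 0412 345 678) reports low mood since 3 Jan 2024. " +
    "DOB 12/03/1990, Medicare 2123 45670 1. Sister Sam Chen is the emergency contact.",
};
```

Calling scrubForAi(SAMPLE) returns the payload that would go to the AI provider (scores plus notes reduced to "[NAME] [NAME] ([EMAIL], [AU_PHONE]) reports low mood since [DATE]...") together with the certificate to write to the audit log. The same call on notes containing the phone number typed with a space between every digit throws instead of sending: the regex scrubber misses it, the digit-sequence check in the validator does not, which is exactly why the validator should be stricter than the scrubber.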
AI Provider Safeguards
- AI interpretation uses Google Gemini 2.0 Flash via server-side API — no client-side AI calls
- Mindspan's data is not used to train Google's AI models (per Google Cloud's data processing terms)
- AI responses are stored alongside the assessment record — the AI provider does not retain the request after processing
- If AI processing fails or is unavailable, assessments are still scored and stored — AI interpretation is supplementary, not required
OWASP Top 10 Hardened
Protection against the most critical web security risks
Mindspan's codebase is hardened against the OWASP Top 10 — the industry-standard list of the most critical web application security vulnerabilities.
Injection Prevention (A03:2021)
- All database queries use parameterised queries via Supabase's query builder — no raw SQL concatenation
- User input is validated and sanitised at every API boundary
- Content Security Policy (CSP) headers limit the impact of cross-site scripting (XSS) by restricting where scripts may be loaded from and executed
Authentication & Access Control (A01, A07:2021)
- Authentication handled by Supabase Auth with bcrypt password hashing and configurable MFA
- Role-based access control at both API and database (RLS) layers
- Server-side middleware validates authentication tokens on every protected route
- Short-lived JWT access tokens with refresh-token rotation
Security Misconfiguration & Monitoring (A05, A09:2021)
- Security headers enforced: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy
- Dependencies monitored for known vulnerabilities via automated scanning
- Error messages never expose stack traces or internal system details to end users
- Comprehensive audit logging for security-relevant events
Infrastructure & Architecture
SOC 2 aligned architecture with Australian data residency
Mindspan's infrastructure is designed around SOC 2 trust principles — security, availability, processing integrity, confidentiality, and privacy — hosted entirely within Australian data centres.
Data Residency
- Primary database hosted on Supabase (AWS Sydney, ap-southeast-2) — data stays in Australia
- Edge functions and static assets served via Vercel's global CDN with Australian edge nodes
- No data replication to regions outside Australia without explicit consent
Availability & Reliability
- 99.9% uptime SLA via Supabase Pro infrastructure
- Automated database backups with point-in-time recovery
- Serverless architecture reduces single points of failure
- Graceful degradation — if AI services are unavailable, core assessment and scoring continue to function
Audit & Accountability
- Every data access and modification is logged with timestamp, actor identity, and action type
- Audit logs are immutable and retained for the regulatory minimum period
- Incident response procedures documented and tested
- Regular security reviews of access policies and infrastructure configuration
Your Data, Your Control
Your data is never sold, shared with advertisers, or used to train AI models. You own your data — always. If you have questions about our security practices or want to exercise your data rights, contact us at info@mindspan.com.au