Security

The NDIS Platform stores sensitive health and disability information for some of Australia's most vulnerable people. We take this responsibility seriously.

Data Residency

All customer data is stored in AWS ap-southeast-2 (Sydney, Australia). No personal information is transferred outside Australia. This includes:

  • Database (Amazon RDS PostgreSQL — Sydney)
  • File storage (Amazon S3 — Sydney)
  • Cache and sessions (Amazon ElastiCache Redis — Sydney)
  • Email delivery (Amazon SES — Sydney)

Encryption

In Transit

All connections use TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced with a one-year max-age and includeSubDomains directive.

At Rest

  • Database encryption: AWS KMS customer-managed keys (AES-256)
  • Field-level encryption: Sensitive health data (disabilities, clinical notes, incident descriptions) is encrypted at the application level before storage
  • File storage: S3 server-side encryption with KMS keys
  • Backups: Encrypted with the same KMS keys

Authentication

  • Password policy: 12-character minimum, checked against the HaveIBeenPwned breach database
  • Password hashing: bcrypt with cost factor 12
  • Two-factor authentication: TOTP-based 2FA is mandatory for Owner, Admin, Finance, and Auditor roles
  • Session management: 8-hour token expiry for staff; 30-minute session timeout for the family portal
  • Account lockout: 5 failed attempts trigger a 15-minute lockout
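The breach check and the lockout rule above are easy to state and easy to get subtly wrong, so here is an added illustration of both in Laravel (PHP). It is not Tendaroo's code: the 12-character minimum, bcrypt cost 12, 5 attempts and 15-minute lockout come from the list above; the class names, the rate-limiter key layout and the fail-closed choice when the breach service is unreachable are assumptions made for this example.

```php
<?php
// Added example, not the platform's own code. Values (12 chars, cost 12,
// 5 attempts, 15 minutes) are taken from the page; the structure is assumed.

namespace App\Auth;

use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\RateLimiter;

final class PasswordPolicy
{
    public const MIN_LENGTH  = 12;
    public const BCRYPT_COST = 12;

    /** Length rule plus a k-anonymity lookup against Have I Been Pwned:
     *  only the first 5 hex characters of the SHA-1 ever leave the server. */
    public static function isAcceptable(string $password): bool
    {
        if (mb_strlen($password) < self::MIN_LENGTH) {
            return false;
        }
        return !self::isBreached($password);
    }

    public static function isBreached(string $password): bool
    {
        $sha1   = strtoupper(sha1($password));
        $prefix = substr($sha1, 0, 5);
        $suffix = substr($sha1, 5);

        // Add-Padding makes every response a similar size, so a network
        // observer cannot infer the match count from the response length.
        $response = Http::withHeaders(['Add-Padding' => 'true'])
            ->timeout(5)
            ->get("https://api.pwnedpasswords.com/range/{$prefix}");

        // Fail closed (assumption): an unreachable breach service means the
        // password is unverified, not that it is clean.
        if (!$response->successful()) {
            return true;
        }

        foreach (explode("\n", $response->body()) as $line) {
            [$hashSuffix, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
            // Padding lines are returned with a count of 0 and are not matches.
            if ($hashSuffix === $suffix && (int) $count > 0) {
                return true;
            }
        }
        return false;
    }

    public static function hash(string $password): string
    {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => self::BCRYPT_COST]);
    }
}

final class LoginLockout
{
    public const MAX_ATTEMPTS    = 5;
    public const LOCKOUT_SECONDS = 900; // 15 minutes

    // Keyed on account and source address so one attacker cannot lock every
    // account from one IP, and one IP cannot be blamed for every account.
    private static function key(string $email, string $ip): string
    {
        return 'login:' . strtolower($email) . '|' . $ip;
    }

    /** Seconds until the next attempt is allowed, or 0 if not locked. */
    public static function lockedFor(string $email, string $ip): int
    {
        $key = self::key($email, $ip);
        return RateLimiter::tooManyAttempts($key, self::MAX_ATTEMPTS)
            ? RateLimiter::availableIn($key)
            : 0;
    }

    public static function recordFailure(string $email, string $ip): void
    {
        RateLimiter::hit(self::key($email, $ip), self::LOCKOUT_SECONDS);
    }

    public static function recordSuccess(string $email, string $ip): void
    {
        RateLimiter::clear(self::key($email, $ip));
    }
}
```

A login controller calls LoginLockout::lockedFor() before checking credentials, recordFailure() on a bad password and recordSuccess() on a good one; failing closed on a breach-service outage is a policy decision, and some deployments instead log the outage and allow the change.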

Authorisation

  • Role-based access control: 7 predefined roles with 34 granular permission keys
  • Policy-based entity access: 17 model-level authorisation policies ensure users can only access data relevant to their role
  • Multi-tenant isolation: Every query is automatically scoped to the authenticated tenant. There is no way for one organisation to access another's data.

Multi-Tenant Isolation

Tenant isolation is enforced at three layers:

  1. Application layer: A global Eloquent scope automatically filters every query by tenant_id
  2. Context layer: A request-scoped TenantContext singleton ensures the correct tenant is set before any data access
  3. Database layer: PostgreSQL Row-Level Security (RLS) policies act as a backstop, preventing cross-tenant access even if the application layer is bypassed
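The following is an added illustration of how the three layers fit together in a Laravel application; it is not Tendaroo's code. TenantContext and the tenant_id column are named on this page; the TenantScope class, the BelongsToTenant trait, the participants table, the app.tenant_id PostgreSQL setting and the policy name are assumptions made for the example.

```php
<?php
// Added example of the three tenant-isolation layers. Not the platform's
// own code: only TenantContext and tenant_id come from the page.

namespace App\Tenancy;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;
use Illuminate\Support\Facades\DB;

// Layer 2: request-scoped context. Register it with $app->scoped(...) so each
// request starts with no tenant; any data access before set() is an error.
final class TenantContext
{
    private ?int $tenantId = null;

    public function set(int $tenantId): void
    {
        $this->tenantId = $tenantId;
        // Hand the tenant to PostgreSQL for the RLS backstop (layer 3).
        // Session-level setting; behind a transaction-pooling proxy it must
        // be issued inside every transaction instead.
        DB::statement("SELECT set_config('app.tenant_id', ?, false)", [(string) $tenantId]);
    }

    public function id(): int
    {
        if ($this->tenantId === null) {
            throw new \LogicException('Tenant context not set before data access');
        }
        return $this->tenantId;
    }
}

// Layer 1: global scope adding "WHERE <table>.tenant_id = ?" to every query
// on a model that uses BelongsToTenant, including relationship loads.
final class TenantScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $builder->where($model->qualifyColumn('tenant_id'), app(TenantContext::class)->id());
    }
}

trait BelongsToTenant
{
    public static function bootBelongsToTenant(): void
    {
        static::addGlobalScope(new TenantScope());
        // Stamp tenant_id on insert so a row can never be created unscoped.
        static::creating(function (Model $model): void {
            if ($model->getAttribute('tenant_id') === null) {
                $model->setAttribute('tenant_id', app(TenantContext::class)->id());
            }
        });
    }
}

// Layer 3: migration enabling row-level security on one tenant-owned table.
// FORCE applies the policy to the table owner as well. NULLIF turns a missing
// or empty setting into NULL, which matches no rows: if the application
// forgets to set the tenant, the backstop fails closed, not open.
final class EnableParticipantsRls extends \Illuminate\Database\Migrations\Migration
{
    public function up(): void
    {
        DB::unprepared(<<<'SQL'
            ALTER TABLE participants ENABLE ROW LEVEL SECURITY;
            ALTER TABLE participants FORCE ROW LEVEL SECURITY;
            CREATE POLICY tenant_isolation ON participants
                USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::bigint)
                WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::bigint);
        SQL);
    }

    public function down(): void
    {
        DB::unprepared(<<<'SQL'
            DROP POLICY IF EXISTS tenant_isolation ON participants;
            ALTER TABLE participants NO FORCE ROW LEVEL SECURITY;
            ALTER TABLE participants DISABLE ROW LEVEL SECURITY;
        SQL);
    }
}
```

The point of the third layer is that a raw query, a forgotten withoutGlobalScope() or a bug in the scope itself still cannot return another tenant's rows; the WITH CHECK clause likewise rejects inserts and updates that would move a row to another tenant. For the backstop to mean anything the application must connect as a role that is not the table owner or a superuser, since superusers bypass RLS.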

Audit Logging

Every significant action is recorded in an append-only, hash-chained audit log. Each entry includes a SHA-256 hash linking it to the previous entry, creating a tamper-evident chain. A daily automated job verifies the integrity of the entire chain.

The audit log is retained for 7 years in compliance with Australian record-keeping requirements.
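An added illustration of a hash-chained audit log and the kind of replay a daily verification job performs, written for Laravel (PHP). It is not Tendaroo's code: the audit_log table layout, the set of fields the hash commits to and the advisory-lock id are assumptions made for the example.

```php
<?php
// Added example, not the platform's own implementation. Table layout and
// canonical field set are assumed.

namespace App\Audit;

use Illuminate\Support\Facades\DB;

final class AuditChain
{
    // Predecessor hash of the very first entry: 64 hex zeros.
    public const GENESIS = '0000000000000000000000000000000000000000000000000000000000000000';

    // Arbitrary advisory-lock id (assumption) used to serialise writers.
    private const CHAIN_LOCK = 71001;

    /** Deterministic serialisation of the fields the hash commits to.
     *  occurred_at must be a fixed-format string so that the writer and
     *  the verifier hash identical bytes. */
    public static function entryHash(array $entry, string $previousHash): string
    {
        $canonical = json_encode([
            'tenant_id'   => (int) $entry['tenant_id'],
            'actor_id'    => (int) $entry['actor_id'],
            'action'      => (string) $entry['action'],
            'subject'     => (string) $entry['subject'],
            'occurred_at' => (string) $entry['occurred_at'],
            'previous'    => $previousHash,
        ], JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);

        return hash('sha256', $canonical);
    }

    /** Append one entry. The transaction-scoped advisory lock stops two
     *  concurrent writers from both linking to the same predecessor, which
     *  would fork the chain and make every later verification fail. */
    public static function append(array $entry): void
    {
        DB::transaction(function () use ($entry): void {
            DB::statement('SELECT pg_advisory_xact_lock(?)', [self::CHAIN_LOCK]);
            $head     = DB::table('audit_log')->orderByDesc('id')->first();
            $previous = $head?->entry_hash ?? self::GENESIS;

            DB::table('audit_log')->insert($entry + [
                'previous_hash' => $previous,
                'entry_hash'    => self::entryHash($entry, $previous),
            ]);
        });
    }

    /** Replay the chain from the first entry. Returns the id of the first
     *  entry that fails (edited content or a rewritten link), or null if
     *  the whole chain is intact. */
    public static function verify(): ?int
    {
        $previous = self::GENESIS;
        $broken   = null;

        DB::table('audit_log')->orderBy('id')->chunk(1000, function ($rows) use (&$previous, &$broken): bool {
            foreach ($rows as $row) {
                $expected = self::entryHash((array) $row, $previous);
                if ($row->previous_hash !== $previous || !hash_equals($expected, $row->entry_hash)) {
                    $broken = $row->id;
                    return false; // stop iterating
                }
                $previous = $row->entry_hash;
            }
            return true;
        });

        return $broken;
    }
}
```

Scheduling AuditChain::verify() with the Laravel scheduler's daily() gives the daily integrity job; "append-only" is enforced at the database by revoking UPDATE and DELETE on audit_log from the application's role. One caveat a reviewer should know: a chain alone cannot detect truncation of its most recent entries, because the shortened chain is still internally consistent, so the current head hash should also be recorded somewhere the application cannot rewrite (for example, published to a separate log or storage account) and compared against.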

Content Security Policy

  • Nonce-based script execution: Only scripts with a per-request cryptographic nonce can execute
  • No inline scripts: Prevents cross-site scripting (XSS) attacks
  • Frame protection: frame-ancestors 'none' prevents clickjacking
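The three bullets above, plus the HSTS setting from the Encryption section, correspond to two response headers. Here is an added Laravel middleware that emits them; it is not Tendaroo's code, and the middleware name, the attribute name used to pass the nonce to views and the exact directive set are assumptions.

```php
<?php
// Added example, not the platform's own middleware. The nonce-based
// script-src, frame-ancestors 'none' and the one-year HSTS value come from
// the page; the remaining directives and names are assumed.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

final class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        // 128 bits from the CSPRNG, base64-encoded: a fresh, unguessable value
        // per request. Views read it back to tag their own <script> elements.
        $nonce = base64_encode(random_bytes(16));
        $request->attributes->set('csp_nonce', $nonce);

        $response = $next($request);

        $csp = implode('; ', [
            "default-src 'self'",
            // Only scripts carrying this request's nonce execute. There is no
            // 'unsafe-inline', so script injected into the page does not run.
            "script-src 'nonce-{$nonce}'",
            "object-src 'none'",
            "base-uri 'self'",
            // The page may not be framed by any origin: clickjacking protection.
            "frame-ancestors 'none'",
        ]);

        $response->headers->set('Content-Security-Policy', $csp);
        // One year, including subdomains, as stated in the Encryption section.
        $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');

        return $response;
    }
}
```

Registered in the global middleware stack, it runs for every response; a Blade view then writes `<script nonce="{{ request()->attributes->get('csp_nonce') }}">` on each script it ships. Two things to check in review: the nonce must never be cached with the page (a cached nonce is a constant, which defeats the point), and any third-party script loader that injects further scripts needs its own nonce or the policy will block them.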

Infrastructure

  • Hosting: AWS Sydney region, ISO 27001 and SOC 2 Type II certified
  • Network: VPC with public/private subnet separation; database and cache in private subnets
  • Containers: Immutable Docker deployments
  • Monitoring: CloudWatch metrics, Sentry error tracking, health and status endpoints

Incident Response

We maintain a Notifiable Data Breach (NDB) response runbook aligned with the Privacy Act 1988 Part IIIC:

  • Containment: Target within 1 hour of detection
  • Assessment: Determine NDB eligibility within 72 hours
  • Notification: OAIC and affected individuals notified within 30 days (or 72 hours for critical health data breaches)

Compliance

Framework                                      Status
Australian Privacy Act 1988 (APPs 1-13)        Aligned
Notifiable Data Breaches scheme (Part IIIC)    Runbook documented
NDIS Practice Standards                        Platform supports evidence collection
SOC 2 Type I (Trust Services Criteria)         Controls mapped
ISO 27001:2022 (Annex A)                       Controls mapped

Security Testing

  • Automated testing: 1,000+ tests including multi-tenant isolation, endpoint security, and RBAC enforcement
  • Static analysis: PHPStan level 8 (strictest) with zero errors
  • Penetration testing: Annual assessment by a CREST-accredited firm

Responsible Disclosure

If you discover a security vulnerability, please report it to security@tendaroo.com. Our security.txt file is available at /.well-known/security.txt.

Data Processing Agreement

We offer a Data Processing Addendum (DPA) to all customers covering processor obligations, security measures, data residency guarantees, breach notification within 24 hours, and audit rights. Contact hello@tendaroo.com for a copy.

Questions?

For security-related questions: security@tendaroo.com

For privacy-related questions: privacy@tendaroo.com