SECURITY

How we protect your data.

Plain language. No jargon.

Last updated 21 April 2026

01 / Practices

The day-to-day controls.

  1. Australian data residency

    All data is stored in AWS ap-southeast-2 (Sydney, Australia) via Supabase. Your data never leaves the country.

  2. Encryption

    AES-256 encryption at rest for all stored data. TLS encryption in transit for every connection.

  3. Access control

    Row-Level Security (RLS) ensures strict data isolation between organisations. Role-based access control within each organisation.

  4. Multi-factor authentication

    TOTP-based MFA available for all user accounts. Organisations can enforce MFA for their team.

  5. Backups & recovery

    Daily automated backups with point-in-time recovery via Supabase.

  6. Breach response

    Documented data breach response plan aligned with the Notifiable Data Breaches scheme. Notification to OAIC and affected individuals as soon as practicable, per the NDB scheme.

02 / Infrastructure

Built on trusted foundations.

  1. Hosting

    ori.tools is built on Supabase for database and authentication, and Vercel for application hosting. Our infrastructure provider, Supabase, holds SOC 2 Type II certification.

  2. Engineering practice

    We follow standard engineering security practices and keep dependencies patched. We don't currently hold an independent SOC 2 or Essential Eight audit at the application layer — we'll say so here when that changes.

03 / Compliance posture

Australian frameworks, aged-care context.

  1. Privacy Act 1988 (Cth)

    Built against the 13 Australian Privacy Principles.

  2. Essential Eight

    Informed by ACSC guidance; specific controls documented in our internal runbooks.

  3. Notifiable Data Breaches scheme

    Documented breach response plan with OAIC notification within statutory windows.

  4. Aged Care Act 2024

    Designed to support providers' regulatory obligations under the Strengthened Quality Standards.

04 / Contact

Get in touch.

For security inquiries or to report a vulnerability: security@ori.tools

Read our full Privacy Policy.