🇳🇿 Coming Soon to New Zealand
Get notified when we launch
Security padlock with circuit board pattern representing data protection

Your Data, Protected

Australian-hosted. Privacy Act compliant. TGA-exempt.

AWS Sydney
TLS 1.3
AES-256
TGA Exempt
Privacy Act 1988

PreConsult is designed from the ground up with security as a core principle. As a healthcare platform handling sensitive patient information, we implement comprehensive security controls that meet and exceed industry standards.

Australian Data Hosting

  • AWS Sydney region (ap-southeast-2)
  • Encryption at rest enabled
  • Automated encrypted backups
  • Full data sovereignty

AI Processing

  • Australian-based processing
  • APP 8 consent for cross-border
  • No model training on your data
  • Human oversight required

TGA Compliance

  • TGA-exempt pathway
  • Human-in-the-loop design
  • Practitioner review required
  • Decision support only

Security Architecture

End-to-end encryption with Australian data sovereignty

PreConsult security architecture diagram showing encrypted data flow from patient through AWS Sydney to practitioner

Authentication & Data Protection

Authentication Security

  • Passwordless authentication

    Email verification codes eliminate credential stuffing and password reuse risks

  • Two-factor authentication

    TOTP-based MFA using authenticator apps for administrative accounts

  • Rate limiting

    Automatic account lockout after repeated failed attempts with email-based recovery

  • Session security

    8-hour inactivity timeout with secure, encrypted session cookies

Data Protection

  • Encryption in transit

    All connections use TLS 1.2+ with HTTPS enforced

  • Encryption at rest

    Database encryption and column-level encryption for PII fields

  • Multi-tenant isolation

    Complete data separation between healthcare organisations

  • Secure tokens

    256-bit cryptographically secure tokens with automatic expiration

  • Session expiration

    Incomplete patient sessions automatically expire after their scheduled appointment time

Clinic Integration Encryption

For automated appointment integrations, we provide end-to-end encryption using industry-leading cryptographic standards.

The same encryption used by Signal, WireGuard, and age file encryption.

Public Key Encryption

NaCl/libsodium sealed boxes using Curve25519 + XSalsa20-Poly1305

Perfect Forward Secrecy

Ephemeral keys protect past communications even if long-term keys are compromised

Asymmetric Design

Clinics hold only the public key; private keys never leave PreConsult

Authenticated Encryption

AEAD provides both confidentiality and integrity with tamper detection

Application Security

Security controls built into every layer of the application

Content Security Policy

Strict CSP prevents XSS attacks

CSRF Protection

All forms protected

Input Validation

All input sanitised

SQL Injection Prevention

Parameterised queries

Secure Headers

HSTS, X-Frame-Options

Webhook Verification

Cryptographic signatures

Security Testing & Compliance

OWASP Top 10 Self Assessment: No Gaps

OWASP Top 10 2025

Self-assessed against the OWASP Top 10 2025 Release Candidate. All categories currently rated low risk with no known outstanding high or medium-severity issues.

Tested against OWASP ASVS Level 2. Self assessment - No Gaps

ASVS Level 2

Self-assessed against OWASP Application Security Verification Standard 4.0.3 Level 2. Key ASVS Level 2 controls implemented across all 14 categories.

Static Analysis

Brakeman scanning with zero active warnings

Dependency Scanning

Automated vulnerability checking

Audit Logging

Comprehensive security event logging

Regular Updates

Rails 8.0, Ruby 3.4

Australian Privacy Principles

PreConsult complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988.

We are committed to transparent management of personal information and maintaining the highest standards of data protection.

APP 1

Open Management

Transparent management of personal information

APP 6

Use & Disclosure

Only for primary purpose or with consent

APP 8

Cross-Border Disclosure

Appropriate consent and safeguards

APP 11

Security

Appropriate security safeguards

Data Lifecycle & Retention

Transparent data handling from collection to deletion

1. Collection Patient completes interview via encrypted connection
2. Processing AI generates suggestions (no PII stored by AI provider)
3. Storage Encrypted at rest in AWS Sydney
4. Access Practitioner reviews via authenticated session
5. Deletion Per retention policy or on request

Configurable Retention

PII retention from 2 hours to 90 days. After the configured retention period, patient identifying information (name, email, phone, DOB) is automatically anonymized while clinical data is preserved for quality improvement.

You choose the retention period that meets your compliance requirements.

No AI Training

Your patient data is never used to train AI models. We use OpenAI's API with zero data retention agreement—prompts and responses are not stored or used for model improvement.

Right to Deletion

Patients can request deletion of their data at any time. Complete data removal is processed within 30 days, with confirmation provided to the requesting party.

AI Safety & Human Oversight

PreConsult uses LLM-native reasoning rather than static rule-based systems. This means our AI draws on current medical knowledge and adapts intelligently to each patient's unique presentation.

The trade-off? Every AI output requires human review. This isn't a limitation—it's a deliberate safety feature that maintains clinical accountability while leveraging AI's strengths.

Current Knowledge

LLM training data reflects current medical literature, guidelines, and clinical practice—automatically staying current without manual content updates.

Human-in-the-Loop

Every suggestion requires practitioner review. Accept, edit, or dismiss—you're always in control of clinical decisions.

Continuous Improvement

As foundation models improve, PreConsult improves automatically. No waiting for manual content updates or specialty module releases.

Any Specialty

No separate modules needed. The same platform handles cardiology, dermatology, mental health, and any other specialty with equal capability.

TGA Regulatory Compliance

PreConsult operates under the TGA clinical decision support software exemption pathway.

Software that provides clinical decision support without making autonomous clinical decisions is exempt from TGA regulation as a medical device, provided appropriate safeguards are in place.

Decision Support Only

We augment clinical decisions, never replace them. All AI outputs are suggestions for consideration, not diagnoses or treatment orders.

Human-in-the-Loop

Every AI suggestion requires explicit practitioner review. Clinicians must Accept, Edit, or Dismiss each recommendation before clinical use.

Non-Prescriptive Language

All suggestions use advisory phrasing such as "commonly associated with" or "consider" — never directive statements.

Patient Safety Design

Clinical assessments are visible only to healthcare practitioners. Patients never see diagnoses or treatment suggestions directly.

Regulated under Australian TGA Exemption Pathway

Complete Audit Trail

Every AI suggestion and practitioner decision is logged with timestamps, enabling full traceability for quality assurance and regulatory compliance. This transparency supports our TGA-exempt status and enables continuous improvement of clinical support quality.

Questions About Security?

If you have questions about our security practices or need to report a security concern, we're here to help.

Contact Security Team

Last updated: January 2026

OWASP and OWASP ASVS are standards of the OWASP Foundation. Our references to them reflect our own internal self-assessments and do not represent official OWASP certification or endorsement.