Security
How we protect your data and ensure compliance with healthcare standards.
PreConsult is designed from the ground up with security as a core principle. As a healthcare platform handling sensitive patient information, we implement comprehensive security controls that meet and exceed industry standards.
Australian Data Hosting
All primary data processing and storage occurs on secure infrastructure located within Australia.
- Primary infrastructure hosted in AWS Sydney region (ap-southeast-2)
- Database servers with encryption at rest enabled
- Automated encrypted backups within Australian data centres
- Data sovereignty maintained for all patient health information
AI Processing
PreConsult uses artificial intelligence to assist with patient history collection and clinical decision support. We are transparent about how AI processing works:
- Australian-based processing - AI chat interviews are normally processed on infrastructure located in Australia
- Cross-border processing - When AI processing occurs outside Australia, patients are informed and provide consent in accordance with APP 8
- No model training - Your patient data is never used to train AI models
- Human oversight - All AI suggestions require GP review before clinical use (consistent with the TGA clinical decision support software exemption)
We comply with Australian Privacy Principle 8 (APP 8) regarding cross-border disclosure of personal information. Patients are informed and provide consent before any overseas processing occurs.
Authentication Security
We use modern, secure authentication methods:
- Passwordless authentication - Email verification codes significantly reduce password-related risks such as credential stuffing and password reuse
- Two-factor authentication - TOTP-based MFA using authenticator apps for administrative accounts
- Rate limiting - Protection against brute force attacks with automatic lockout after failed attempts
- Session security - Automatic timeout after 8 hours of inactivity with secure, encrypted session cookies
Data Protection
Multiple layers of protection for sensitive information:
- Encryption in transit - All connections use TLS 1.2+ with HTTPS enforced
- Encryption at rest - Database encryption and column-level encryption for PII fields
- Multi-tenant isolation - Complete data separation between healthcare organisations
- Automatic session expiration - Incomplete patient sessions automatically expire after their scheduled appointment time
- Secure tokens - 256-bit cryptographically secure tokens for all patient access links
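As an added illustration (not PreConsult's own code), the Ruby sketch below shows how the two bullets above fit together: a 256-bit patient access token generated with SecureRandom, stored only as a SHA-256 digest, and refused once the scheduled appointment time has passed. The in-memory LINKS hash, the struct and the function names are assumptions standing in for a database table.

```ruby
require 'securerandom'
require 'digest'
require 'time'

# Assumed stand-in for the table that would hold patient access links.
# Only the digest of the token is kept, so a database leak does not yield usable links.
PatientAccessLink = Struct.new(:token_digest, :appointment_at, :patient_session_id)
LINKS = {}

# Issue a 256-bit token for a patient access link and return the raw token
# (the only copy; it goes into the link sent to the patient, never into the store).
def issue_patient_link(patient_session_id, appointment_at)
  raw_token = SecureRandom.urlsafe_base64(32) # 32 random bytes = 256 bits, URL-safe
  digest = Digest::SHA256.hexdigest(raw_token)
  LINKS[digest] = PatientAccessLink.new(digest, appointment_at, patient_session_id)
  raw_token
end

# Resolve a token presented in a patient access link.
# Returns the patient session id, or nil when the token is unknown or the
# incomplete session has expired because its scheduled appointment time has passed.
def resolve_patient_link(raw_token, now: Time.now)
  return nil if raw_token.nil? || raw_token.empty?
  # Looking up by digest means the raw token is never compared directly;
  # a timing leak on the digest does not reveal the token itself.
  link = LINKS[Digest::SHA256.hexdigest(raw_token)]
  return nil if link.nil?
  return nil if now >= link.appointment_at # expired: appointment slot already reached
  link.patient_session_id
end

# Revoke a link once the patient has completed the session, so the token
# cannot be replayed even before the appointment time.
def revoke_patient_link(raw_token)
  LINKS.delete(Digest::SHA256.hexdigest(raw_token.to_s)) ? true : false
end
```

The expiry check is driven by an injectable clock so it can be exercised around the appointment boundary without waiting for real time to pass.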
Application Security
Security controls built into the application:
- Content Security Policy - Strict CSP prevents cross-site scripting (XSS) and injection attacks
- CSRF protection - All forms protected against cross-site request forgery
- Input validation - All user input validated and sanitised
- SQL injection prevention - Parameterised queries throughout
- Secure headers - HSTS, X-Content-Type-Options, X-Frame-Options configured
Security Testing & Compliance
We regularly assess our security posture against industry standards:
OWASP Top 10 2025
Self-assessed against the OWASP Top 10 2025 Release Candidate. All categories currently rated low risk with no known outstanding high or medium-severity issues.
ASVS Level 2
Self-assessed against OWASP Application Security Verification Standard 4.0.3 Level 2. Key ASVS Level 2 controls implemented across all 14 categories.
Our ongoing security practices include:
- Static analysis - Brakeman security scanning integrated into our CI pipeline; all identified high and medium-severity findings remediated before release
- Dependency scanning - Automated vulnerability checking for all dependencies
- Security audit logging - Comprehensive logging of all security events with PII masking
- Regular updates - Framework and dependencies kept current (Rails 8.0, Ruby 3.4)
Australian Privacy Principles
PreConsult complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988:
- APP 1 - Open and transparent management of personal information
- APP 6 - Use and disclosure only for primary purpose or with consent
- APP 8 - Cross-border disclosure with appropriate consent and safeguards
- APP 11 - Security of personal information with appropriate safeguards
TGA Regulatory Status
PreConsult operates under the TGA clinical decision support software exemption pathway. All AI-generated suggestions are presented to qualified healthcare practitioners for review and acceptance before any clinical use. This human-in-the-loop design ensures patient safety while enabling innovation.
Contact Us
If you have questions about our security practices or need to report a security concern, please contact us at security@preconsult.ai.
Last updated: November 2025
OWASP and OWASP ASVS are standards of the OWASP Foundation. Our references to them reflect our own internal self-assessments and do not represent official OWASP certification or endorsement.