Security & privacy
NDIScribe handles participant clinical documentation. We treat it as the most sensitive data we touch.
- Australian-hosted primary database and files. Built and operated under Australian Privacy Principles, NDIS Practice Standards information-management indicators, and the ACSC Essential Eight.
- De-identification before AI processing. Participant and worker names are tokenised before any data leaves Australia for AI analysis. Token maps never persist.
- Multi-tenant isolation at the database row level — your data is never accessible to another provider organisation.
- MFA required for every user. Immutable, hash-chained audit log retained for at least 7 years.
- SOC 2 Type I underway. Customer DPA + subprocessor list available under NDA on request.
For our full data processing addendum, subprocessor list, and security questionnaire, email security@ndiscribe.com and we'll send the package under a mutual NDA.