Your patients' data is sacred. We treat it that way.
Security is built into every layer of SimpleRef — so you can focus on patient care, not IT.
Your data stays in Australia
All of your patient and practice data is hosted in Sydney on Google Cloud. No patient information leaves the country. Payment processing runs through Stripe (PCI-compliant), which handles only limited billing data — never clinical records.
Only your team can see your data
Each practice is completely separate — one practice can never see another's data. Staff see only what their role allows, so admins, staff, and doctors each have appropriate access. You can also add multi-factor authentication for extra protection.
Everything is encrypted
Your data is encrypted when it is stored and when it is sent between your browser and our servers. Industry-standard encryption protects your information at every step.
Every action is logged
A full audit trail records who did what and when. Daily security monitoring alerts us to anything unusual. This gives you complete transparency for compliance requirements.
We back up your data daily
Automated daily backups ensure your data is always recoverable. You control your own data retention policies. If something goes wrong, we can restore your information.
Built on Google Cloud
Google's infrastructure handles uptime, physical security, and network protection. We target 99.9% uptime so your practice can rely on SimpleRef every day. Google Cloud is trusted by millions of businesses worldwide.
Technical details for IT teams
Encryption
AES-256 encryption at rest via Google Cloud default encryption. TLS 1.2+ for all data in transit. Application-level AES-256-GCM encryption for sensitive credentials and backup data.
Access Control
Five role-based access control (RBAC) levels: Super Admin, Admin, Staff, Shared Staff, and Doctor. TOTP-based multi-factor authentication via Firebase Identity Platform. Automatic 3-hour idle session timeout.
Application Security
Firebase App Check for request attestation. Token-bucket rate limiting on sensitive endpoints. Request idempotency guards on critical operations.
Tenant Isolation
Firestore subcollection-based tenant isolation with server-side security rules. Each practice's data is fully segregated at the database level. Cross-tenant data access is architecturally impossible.
Infrastructure
Hosted on Google Cloud (australia-southeast1, Sydney). Firebase Identity Platform for authentication. Daily automated backups with configurable data retention policies.