
Security
Your patients' data is sacred. We treat it that way.
Security is built into every layer of SimpleRef. Focus on patient care, not IT.
Your data stays in Australia
All of your patient and practice data is hosted on Australian servers. Payment processing runs through Stripe (PCI-compliant), which only handles limited billing data, never clinical records. Optional AI features (DocBot) may process document data through external infrastructure. See our Privacy Policy for details.
Only your team can see your data
Each practice is completely separate. One practice can never see another's data. Staff see only what their role allows, so admins, staff, and doctors each have appropriate access. You can also add multi-factor authentication for extra protection.
Everything is encrypted
Your data is encrypted when it is stored and when it is sent between your browser and our servers. Industry-standard encryption protects your information at every step.
Every action is logged
A full audit trail records who did what and when. Daily security monitoring alerts us to anything unusual. This gives you complete transparency for compliance requirements.
We back up your data daily
Automated daily backups ensure your data is always recoverable. You control your own data retention policies. If something goes wrong, we can restore your information.
Enterprise-grade infrastructure
Our infrastructure handles uptime, physical security, and network protection. We target 99.9% uptime so your practice can rely on SimpleRef every day.
Technical details for IT teams
Encryption
AES-256 encryption at rest. TLS 1.2+ for all data in transit. Application-level AES-256-GCM encryption for sensitive credentials and backup data.
Access Control
Five role-based access control (RBAC) levels: Super Admin, Admin, Staff, Shared Staff, and Doctor. TOTP-based multi-factor authentication. Automatic 3-hour idle session timeout.
Application Security
Token-bucket rate limiting on sensitive endpoints. Request idempotency guards on critical operations. Application-level request attestation.
Tenant Isolation
Database-level tenant isolation enforced by server-side security rules, so each practice's data is fully segregated at the database level rather than only in application code. Cross-tenant data access is architecturally impossible.
Infrastructure
Hosted on Australian infrastructure. Secure identity platform for authentication. Daily automated backups with configurable data retention policies.
Questions?
Have security questions?
We're happy to discuss our security practices in detail.