Trust Centre
Your health data deserves the highest standard of protection. Here is how exora keeps it safe.
Data protection
Data residency
All data is stored in Sydney, Australia on Australian-hosted infrastructure. Your health data never leaves Australian jurisdiction. This includes your documents, extracted health records, and personal information.
Encryption
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Documents, health records, and personal information are protected by industry-standard cryptography at every stage.
Access and authentication
Access control
Every database query is scoped to the authenticated user through row-level security policies. This is enforced at the database level, not just the application layer. No user can access another user's data - including exora staff.
Authentication
Passwordless sign-in via one-time codes sent to your email or phone. No passwords to steal, leak, or forget. Optional biometric app lock with Face ID, Touch ID, or fingerprint provides an additional layer of protection.
AI processing and your data
Your documents are processed by AI to extract and structure health information. Our primary AI provider is Google Cloud Gemini Enterprise, with OpenAI and Anthropic available for specific features.
Under our paid commercial API agreements, your health data is never used for AI model training by any provider.
Data is processed and returned. Google Cloud Gemini Enterprise has server-side data caching disabled at the project level - inputs and outputs are not retained after the request completes. Other providers may retain data for up to 30 days for safety monitoring under their commercial API terms.
Storage and worker compute are in Sydney, Australia. AI inference itself uses Google Cloud Gemini Enterprise via Google's global endpoint under our signed Cloud Data Processing Addendum, with project-level data caching disabled. Other providers (OpenAI, Anthropic) may also process AI inference under their commercial API terms when used.
You own your data. Always.
exora is a custodian, not an owner. You decide who sees your data, how it is shared, and when it is deleted. Delete your account and all your data is permanently removed within 30 days. No questions. No retention. No exceptions.
Compliance
Australian Privacy Act
Designed to comply with the Australian Privacy Principles (APPs) including enhanced protections for health information.
Notifiable Data Breaches
Documented incident response plan covering detection, containment, notification to OAIC and affected users.
Pursuing ISO 27001
Working towards international information security management certification.
HIPAA Readiness
Building towards HIPAA compliance for future international expansion.
Subprocessors
Third-party partners who help us securely process your data.
All providers operate under data processing agreements. For a complete list or to request our DPA, contact hello@exora.au
Need more detail?
If you are evaluating exora for a partnership, integration, or procurement process, we can provide additional security documentation on request.
Contact usSee also: Privacy Policy | Terms of Service | Cookie Policy