Concept · synthetic data

Trust

Privacy, security and Australian compliance

Clera handles health information for specialist practices, so the standard is simple: every promise on this page maps to an enforced control, every legal claim maps to an Australian statute, and anything not yet earned - certification in particular - is labelled honestly. The full compliance guide accompanies the pilot pack.

  • Administrative process-state only - performs no clinical triage
  • Australian data residency, enforced by policy
  • Draft-first - nothing sent without human approval
  • Synthetic demo - no real patient data

Six promises

Enforced by design, not asserted in prose

Each promise below is a property of how Clera is built - a practice can hold us to all six in the data processing agreement.

Australian data residency

Everything runs in AWS Sydney, pinned by organisation-level policy - not by a policy document. AI extraction uses Amazon Bedrock's Australia-geography inference profiles; offshore routes are denied and the audit trail proves where every call ran.

No clinical triage

Administrative process-state only - Clera performs no clinical triage. Urgency is only ever the referrer's own words, quoted and attributed; attachments are noted, never interpreted. The extraction schema has no field a clinical judgement could occupy.

Draft-first, always

Nothing leaves Clera without a named staff member approving it. That approval step is also the error firewall: an extraction mistake cannot reach a GP or a record, because a person reviews every draft first.

Never contacts patients

No patient-facing surface, no patient messaging, no patient account exists in the product. Every outbound artefact is a practice-approved draft to a referrer or the practice's own team.

Export freedom

On exit the practice takes everything - original documents, extracted records, the referrer book and the sealed history - machine-readable and free of charge. Then Clera's copy is cryptographically erased by destroying the practice's own encryption key.

Sealed audit trail

Every event is hash-chained the moment it is recorded and anchored daily to write-once storage no one - including Clera - can rewrite. The practice can verify its own history without trusting us, and keeps that ability after leaving.

The audit trail is the practice's evidence, not just ours. If a referral is ever questioned - by a referrer, a regulator, an insurer - the practice holds dated, tamper-evident proof of what arrived and what was done, verifiable by any competent third party.
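A minimal sketch of the chaining and anchoring described above, added here as an illustration and not Clera's own code. It shows why the daily anchor matters: an in-place edit breaks the chain itself, while a full rewrite with every hash recomputed is caught only by comparison with the anchor held in write-once storage. SHA-256 over canonical JSON, the all-zero genesis value, the field names and the sample events are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed start-of-chain value

def seal(prev_hash, event):
    # Canonical JSON so an independent verifier hashes the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def build(events):
    chain, prev = [], GENESIS
    for event in events:
        digest = seal(prev, event)
        chain.append({"event": event, "prev": prev, "hash": digest})
        prev = digest
    return chain

def daily_anchors(chain):
    # Last hash of each UTC day: the value copied to write-once storage.
    return {rec["event"]["ts"][:10]: rec["hash"] for rec in chain}

def verify(chain, anchors):
    """Return None if intact, else a short description of the first failure."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != seal(prev, rec["event"]):
            return f"chain broken at record {i}"
        prev = rec["hash"]
    recomputed = daily_anchors(chain)
    for day in sorted(anchors):
        if recomputed.get(day) != anchors[day]:
            return f"anchor mismatch for {day}"
    return None

EVENTS = [  # constructed sample events: tokens only, no real data
    {"ts": "2025-03-03T01:12:00Z", "type": "referral.received", "doc": "tok_a1"},
    {"ts": "2025-03-03T01:15:00Z", "type": "draft.approved", "by": "staff_07"},
    {"ts": "2025-03-04T02:40:00Z", "type": "field.corrected", "doc": "tok_a1"},
]

def demo():
    chain = build(EVENTS)
    anchors = daily_anchors(chain)  # held in write-once storage
    edited = json.loads(json.dumps(chain))  # case 1: edit in place, hashes untouched
    edited[1]["event"]["by"] = "staff_99"
    forged = [dict(e) for e in EVENTS]  # case 2: rewrite and recompute every hash
    forged[1]["by"] = "staff_99"
    return verify(chain, anchors), verify(edited, anchors), verify(build(forged), anchors)
```

Truncating the log is caught the same way: a day that has an anchor but no matching record fails the anchor comparison.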

Privacy Act 1988

The Australian Privacy Principles, mapped to controls

Health information is "sensitive information" under the Privacy Act 1988 (Cth) - the strictest category. Clera handles it solely as the practice's contracted service provider, and commits to full APP coverage from day one. One line per principle; the full compliance guide expands each row.

| Principle | Clera's control |
| --- | --- |
| APP 1 - open and transparent management | Published privacy policy, a privacy impact assessment before launch naming every processor, and a nominated privacy contact. |
| APP 2 - anonymity and pseudonymity | Patients deal with their practice, never with Clera; inside Clera, identifiers are tokenised so working systems see tokens, not names. |
| APP 3 - collection | Only what arrives in the referral the practice already receives, only on the practice's instruction - no enrichment, no other sources. |
| APP 4 - unsolicited information | Misdirected documents are quarantined, excluded from extraction and destroyed on schedule. |
| APP 5 - notification | The practice's collection notice names Clera; template wording ships in the onboarding pack. |
| APP 6 - use and disclosure | One purpose only: the contracted service. No secondary use, no sale, no training AI on patient data, ever. |
| APP 7 - direct marketing | None. Patient information is never used for marketing and Clera never contacts patients. |
| APP 8 - cross-border disclosure | None. All processing stays in Australia, enforced by policy; AI runs on Bedrock's au.* Australia-geography profiles. |
| APP 9 - government identifiers | Medicare and provider numbers are data on the referral, never Clera's own identifiers. |
| APP 10 - quality | Extracted fields are always shown beside the original document; low confidence goes to a person, and the original is the record. |
| APP 11 - security | Per-practice encryption keys, row-level tenant isolation, a tokenised identifier vault, no patient data in logs, and detection on before real data. |
| APP 11.2 - destruction | Offboarding destroys the practice's own encryption key - provable cryptographic erasure, not a best-effort delete. |
| APP 12 - access | Access requests go to the practice, and Clera makes it fast: full export, free and machine-readable, at any time. |
| APP 13 - correction | Corrections are sealed as new events with the original preserved - history is appended, never quietly rewritten. |

Beyond the APPs

State law, My Health Record and breaches

Three questions practices ask early, answered in a sentence each - and in full in the compliance guide.

State health-records law

Victoria (Health Records Act 2001), NSW (Health Records and Information Privacy Act 2002) and the ACT (Health Records (Privacy and Access) Act 1997) add their own health privacy principles. Clera runs one national posture at the strictest applicable setting, so the tightest rule wins everywhere.

My Health Record

Clera does not connect to, read from or write to the My Health Record system, holds no My Health Record data, and has no registered role under the My Health Records Act 2012. The front door is the practice's own - a national repository is not part of it.

If a breach ever happens

A written plan under the Notifiable Data Breaches scheme: contain immediately, triage and tell affected practices within 72 hours (our own clock - tighter than the law's 30-day assessment ceiling), then notify the OAIC and individuals as the Privacy Act requires, on a path pre-agreed with each practice.

Sub-processors

The complete list - deliberately short

Every practice signs a data processing agreement - the Australian instrument; a "BAA" is a US concept that does not exist here. The agreement lists these sub-processors, with advance notice of any change and a right to object.

| Sub-processor | Location and scope | What it sees |
| --- | --- | --- |
| Amazon Web Services | Sydney (ap-southeast-2), region-pinned by policy | All platform infrastructure - compute, database, storage, keys, logs. |
| Amazon Bedrock (within AWS) | Sydney endpoint, au.* Australia-geography inference profiles | Raw referral text during extraction only - not retained, not used for training. Offshore profiles denied by policy. |
| Cloudflare | Global edge network | The static app shell and this website only. No patient data transits or rests on Cloudflare. |

No others. No offshore support tooling with data access, no third-party analytics on patient data, no data brokers. The practice's own mailbox and fax-to-email providers are contracted by the practice, not by Clera.

Certification, honestly

What is earned, what is committed, what is not yet

Plenty of vendors imply certifications they do not hold. Clera's ladder is public, and each rung is labelled with its real status.

  • Today - concept, synthetic data only. No certification is claimed, because none has been earned yet. No real patient data is held, and none will be until every launch gate below holds.
  • At launch - committed gates. Essential Eight alignment, an independent penetration test, a privacy impact assessment, executed data processing agreements, insurance, and TGA-experienced counsel signing off the intended-purpose statement. Alignment is engineering to a published bar - it is not a certificate, and we will not describe it as one.
  • At growth - ISO 27001. On the roadmap once the team and customer base justify a certifiable management system rather than a paper one.
  • Government and hospital work - IRAP. Only when a contract requires it. Not claimed, not implied.

Not yet certified. That sentence stays on this page until a certificate exists - and when one does, it will link to the certificate, not to a badge.