Trust
Privacy, security and Australian compliance
Clera handles health information for specialist practices, so the standard is simple: every promise on this page maps to an enforced control, every legal claim maps to an Australian statute, and anything not yet earned - certification in particular - is labelled honestly. The full compliance guide accompanies the pilot pack.
- Administrative process-state only - performs no clinical triage
- Australian data residency, enforced by policy
- Draft-first - nothing sent without human approval
- Synthetic demo - no real patient data
Six promises
Enforced by design, not asserted in prose
Each promise below is a property of how Clera is built - a practice can hold us to all six in the data processing agreement.
Australian data residency
Everything runs in AWS Sydney, pinned by organisation-level policy - not by a policy document. AI extraction uses Amazon Bedrock's Australia-geography inference profiles; offshore routes are denied and the audit trail proves where every call ran.
No clinical triage
Administrative process-state only - Clera performs no clinical triage. Urgency is only ever the referrer's own words, quoted and attributed; attachments are noted, never interpreted. The extraction schema has no field a clinical judgement could occupy.
Draft-first, always
Nothing leaves Clera without a named staff member approving it. That approval step is also the error firewall: an extraction mistake cannot reach a GP or a record, because a person reviews every draft first.
Never contacts patients
No patient-facing surface, no patient messaging, no patient account exists in the product. Every outbound artefact is a practice-approved draft to a referrer or the practice's own team.
Export freedom
On exit the practice takes everything - original documents, extracted records, the referrer book and the sealed history - machine-readable and free of charge. Then Clera's copy is cryptographically erased by destroying the practice's own encryption key.
Sealed audit trail
Every event is hash-chained the moment it is recorded and anchored daily to write-once storage no one - including Clera - can rewrite. The practice can verify its own history without trusting us, and keeps that ability after leaving.
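How a hash chain plus an external anchor makes a history verifiable, as an added example rather than Clera's own code: the record layout, SHA-256, the genesis value and the sample events are all assumptions made for illustration. It shows that the chain alone catches an in-place edit, while only the anchor held in write-once storage catches a history that was rewritten end to end or truncated.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first record's "prev"

def _digest(prev_hash, event):
    # Canonical JSON so identical events always hash to identical bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def build(events):
    """Chain events in order; each record commits to the one before it."""
    chain, prev = [], GENESIS
    for event in events:
        h = _digest(prev, event)
        chain.append({"event": event, "prev": prev, "hash": h})
        prev = h
    return chain

def verify(chain, anchors):
    """Return the index of the first bad (or missing) record, or None if intact.

    anchors: {record index: hash} as copied earlier to write-once storage.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return i          # link or content no longer matches
        if anchors.get(i, rec["hash"]) != rec["hash"]:
            return i          # self-consistent, but not the anchored history
        prev = rec["hash"]
    missing = [i for i in anchors if i >= len(chain)]
    return min(missing) if missing else None  # anchored record was truncated

# Constructed sample events (no real data).
EVENTS = [
    {"type": "referral_received", "ref": "demo-001"},
    {"type": "draft_created", "ref": "demo-001"},
    {"type": "draft_approved", "ref": "demo-001", "by": "staff-a"},
]
CHAIN = build(EVENTS)
ANCHORS = {2: CHAIN[2]["hash"]}  # the daily anchor of the chain head

def edited_in_place():
    chain = [dict(r) for r in CHAIN]
    chain[1] = dict(chain[1], event={"type": "draft_deleted", "ref": "demo-001"})
    return chain

def fully_rewritten():
    # Every hash recomputed, so the chain is internally consistent again.
    return build([EVENTS[0], {"type": "draft_deleted", "ref": "demo-001"}, EVENTS[2]])
```

Without the anchor, `verify(fully_rewritten(), {})` reports no problem, which is why the anchor has to live somewhere the log's operator cannot rewrite.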
Privacy Act 1988
The Australian Privacy Principles, mapped to controls
Health information is "sensitive information" under the Privacy Act 1988 (Cth) - the strictest category. Clera handles it solely as the practice's contracted service provider, and commits to full APP coverage from day one. One line per principle; the full compliance guide expands each row.
| Principle | Clera's control |
|---|---|
| APP 1 - open and transparent management | Published privacy policy, a privacy impact assessment before launch naming every processor, and a nominated privacy contact. |
| APP 2 - anonymity and pseudonymity | Patients deal with their practice, never with Clera; inside Clera, identifiers are tokenised so working systems see tokens, not names. |
| APP 3 - collection | Only what arrives in the referral the practice already receives, only on the practice's instruction - no enrichment, no other sources. |
| APP 4 - unsolicited information | Misdirected documents are quarantined, excluded from extraction and destroyed on schedule. |
| APP 5 - notification | The practice's collection notice names Clera; template wording ships in the onboarding pack. |
| APP 6 - use and disclosure | One purpose only: the contracted service. No secondary use, no sale, no training AI on patient data, ever. |
| APP 7 - direct marketing | None. Patient information is never used for marketing and Clera never contacts patients. |
| APP 8 - cross-border disclosure | None. All processing stays in Australia, enforced by policy; AI runs on Bedrock's au.* Australia-geography profiles. |
| APP 9 - government identifiers | Medicare and provider numbers are data on the referral, never Clera's own identifiers. |
| APP 10 - quality | Extracted fields are always shown beside the original document; low confidence goes to a person, and the original is the record. |
| APP 11 - security | Per-practice encryption keys, row-level tenant isolation, a tokenised identifier vault, no patient data in logs, and detection switched on before any real data arrives. |
| APP 11.2 - destruction | Offboarding destroys the practice's own encryption key - provable cryptographic erasure, not a best-effort delete. |
| APP 12 - access | Access requests go to the practice, and Clera makes it fast: full export, free and machine-readable, at any time. |
| APP 13 - correction | Corrections are sealed as new events with the original preserved - history is appended, never quietly rewritten. |
Beyond the APPs
State law, My Health Record and breaches
Three questions practices ask early, answered in a sentence each - and in full in the compliance guide.
State health-records law
Victoria (Health Records Act 2001), NSW (Health Records and Information Privacy Act 2002) and the ACT (Health Records (Privacy and Access) Act 1997) add their own health privacy principles. Clera runs one national posture at the strictest applicable setting, so the tightest rule wins everywhere.
My Health Record
Clera does not connect to, read from or write to the My Health Record system, holds no My Health Record data, and has no registered role under the My Health Records Act 2012. The front door is the practice's own - a national repository is not part of it.
If a breach ever happens
A written plan under the Notifiable Data Breaches scheme: contain immediately, triage and tell affected practices within 72 hours (our own clock - tighter than the law's 30-day assessment ceiling), then notify the OAIC and individuals as the Privacy Act requires, on a path pre-agreed with each practice.
Sub-processors
The complete list - deliberately short
Every practice signs a data processing agreement - the Australian instrument; a "BAA" is a US concept that does not exist here. The agreement lists these sub-processors, with advance notice of any change and a right to object.
| Sub-processor | Location and scope | What it sees |
|---|---|---|
| Amazon Web Services | Sydney (ap-southeast-2), region-pinned by policy | All platform infrastructure - compute, database, storage, keys, logs. |
| Amazon Bedrock (within AWS) | Sydney endpoint, au.* Australia-geography inference profiles | Raw referral text during extraction only - not retained, not used for training. Offshore profiles denied by policy. |
| Cloudflare | Global edge network | The static app shell and this website only. No patient data transits or rests on Cloudflare. |
Certification, honestly
What is earned, what is committed, what is not yet
Plenty of vendors imply certifications they do not hold. Clera's ladder is public, and each rung is labelled with its real status.