Compliance Is Non-Negotiable
We build and operate IRIS to the standards health services expect — Australian Privacy Act, APPs, GDPR where applicable, and a clear boundary: no patient data, ever.
Healthcare technology decisions are scrutinised by risk, legal, and procurement. You need vendors who can articulate their compliance posture, demonstrate controls, and stay within scope — so you’re not left explaining someone else’s overreach. Our commitment is simple: we comply with the frameworks that apply to our product, we don’t handle patient data, and we document how we do it.
The Frameworks We Meet
We don’t claim certifications we don’t hold. Where we rely on a provider’s certification (Render, AWS), we say so clearly and point to their artefacts.
| Framework | Scope | Our Posture |
|---|---|---|
| Privacy Act 1988 (Cth) | Australian organisations handling personal information | ✓ Compliant |
| Australian Privacy Principles (APPs) | All 13 principles | ✓ Implemented |
| Notifiable Data Breaches (NDB) Scheme | Eligible data breaches — Australian organisations | ✓ Procedures in place |
| GDPR | EU-based staff (e.g. global teams with EU members) | ✓ Compliant — data subject rights and safeguards in place |
| SOC 2 Type II | Infrastructure security, availability, confidentiality | Inherited — Render & AWS |
| ISO/IEC 27001:2022 | Information security management | Inherited — Render & AWS |
What We Handle — and What We Don’t
IRIS is a workforce rostering system. We handle staff and scheduling data only. That boundary is deliberate, technically enforced, and it significantly simplifies your compliance picture.
Workforce Data (what we handle)
- Staff names and contact details
- Employment and role data
- Schedules, shifts, and leave
- Qualifications and skills
- Availability preferences
Patient & Sensitive Data (what we never handle)
- Patient identifiers, MRN, date of birth
- Clinical notes, diagnoses, treatments
- Health records or My Health Record data
- Payment card data or Medicare numbers
- Any other health information as defined by legislation
Applicable, Conditional, or Not Applicable
Because IRIS holds workforce data only, several major frameworks simply don’t apply. This is not a loophole — it’s the result of a deliberate design boundary.
| Framework | Status | Detail |
|---|---|---|
| Privacy Act 1988 (Cth) and APPs | Applicable | Australian organisations handling personal information. Fully compliant; all 13 APPs implemented. |
| NDB Scheme | Applicable | Eligible data breach notification obligations. Procedures are in place. |
| GDPR | Conditional | Applies where your organisation has EU-based staff. Data subject rights and transfer safeguards in place. |
| My Health Record | Not applicable | We don’t interact with My Health Record or store health record data of any kind. |
| State and territory health records legislation | Not applicable | We don’t hold “health information” as defined under state and territory health records legislation. |
| HIPAA | Not applicable | We have assessed HIPAA applicability and determined it does not apply — we don’t process protected health information (PHI). |
| Payment card standards | Not applicable | We don’t process, store, or transmit payment card data. |
| SOC 2 Type II and ISO/IEC 27001:2022 | Inherited | Held by Render and AWS. We rely on and reference their certified artefacts. |
Built to Answer the Hard Questions
Your risk and procurement teams will ask: who has access, where is data, how is it protected, and what happens if something goes wrong. We’re built to answer all of these.
Privacy Policy
Our Privacy Policy documents what data we collect, how we use it, and your rights under the Australian Privacy Act and GDPR where applicable. Publicly available and kept current.
Technical Controls
Encryption at rest and in transit, RBAC, SSO, MFA, audit logging, and secure development practices. Documented and verifiable through our infrastructure providers’ certified artefacts.
Data Handling Terms
Clear contractual data handling terms, subprocessor transparency, and defined data retention and deletion obligations. We are clear about what we hold, why, and for how long.
Operational Practices
We operate with security and privacy practices including access control, incident response procedures, and periodic reviews. These are ongoing, not one-off exercises.
GDPR and Cross-Border Clarity
If your organisation has EU-based staff, GDPR applies to their personal data. Here’s exactly what we do.
Data Subject Rights
We support access, rectification, portability, and erasure requests for EU-based staff data — as required under GDPR Articles 15–20.
International Transfer Safeguards
Where data is transferred internationally, we apply appropriate contractual and technical safeguards. Our data residency page documents where data lives by region.
Lawful Basis & Purpose Limitation
We document lawful basis and purpose limitation for all processing of personal data — a core GDPR requirement we apply globally, not only for EU staff.
HIPAA — Our Assessment
We have assessed HIPAA applicability. Our conclusion is that HIPAA does not apply to IRIS because we do not process protected health information (PHI). Staff location in the US does not change that. We’re happy to explain this assessment in procurement discussions.
Compliance Is How We Run the Product
Not a single audit, not a checkbox. Security and privacy are part of design and operations — ongoing by default.
Ongoing
Security and privacy are designed into the product from the start — not retrofitted. Every feature and change goes through the same security lens.
Reviewed
We review policies and controls periodically and after significant changes to the product, infrastructure, or regulatory environment.
Transparent
Scope (workforce only), regions (Singapore / AWS Sydney), and certifications (ours and our providers’) are all documented clearly — not buried in fine print.
What Defines Our Compliance Posture
Australian Frameworks
Privacy Act, all 13 APPs, and NDB Scheme — documented and implemented.
Global-Ready
GDPR for EU staff. HIPAA assessed — not applicable. No PHI means no PHI obligations.
No Patient Data
Technically enforced. Simplifies scope — no MHR, state health acts, or HIPAA.
Demonstrable
Privacy policy, technical controls, data handling terms, and provider certifications.
Let’s Have the Compliance Conversation
See our Privacy and Security pages for full detail — or contact us directly for procurement, risk, and assurance discussions.
