At rest
AES-256 on the PostgreSQL database and every Cloud Storage bucket, with Cloud KMS-managed keys and per-domain rotation.
You hold some of the most sensitive records in the country. We treat them that way — your participants' data lives in Australia, your records survive everything, and every claim of "compliant" is something you can show an auditor.
Our locked stack: Google Cloud australia-southeast1 (Sydney) · DR in australia-southeast2 (Melbourne) · Essential Eight-aligned by build.
Every piece of participant and worker data is hosted, processed and backed up inside Australian Google Cloud regions. No overseas support desk quietly reading records, no participant record ever crossing a border — the only overseas services we use are operational ones (email delivery, error monitoring) that never carry participant records, and every one is listed on our published subprocessor register.
Where your data lives
Primary · Sydney
australia-southeast1
App · PostgreSQL · Cloud Storage documents · audit anchors
DR & backups · Melbourne
australia-southeast2
Cross-region snapshots · document replication
Both regions are inside Australia — residency is preserved even during a full failover.
Encryption isn't one checkbox. It's applied at every layer data rests or travels, including the offline app that carries care records into dead spots.
AES-256 on the PostgreSQL database and every Cloud Storage bucket, with Cloud KMS-managed keys and per-domain rotation.
TLS 1.2 minimum, 1.3 preferred, HSTS with preload on both domains. No public database endpoints.
The highest-risk identifiers — worker screening numbers, bank details, NDIS numbers — get an extra application-layer encryption pass, searchable via blind index.
The offline store is an encrypted database with a key held in the phone's secure Keychain / Keystore. Remote-wipe and a 7-day offline lock bound a lost phone.
A log you can turn off is just analytics. Ours is append-only and hash-chained: the database role can insert and read, but can't update or delete. Every record links to the one before it by a SHA-256 hash, so any alteration breaks the chain and shows.
Evidence · chain verification
Verifiedexport.claims · Naya S. · 08/07/2026 14:02
prev 9f2a…c1 → hash 4b7e…d0
view.participant · Auditor · 08/07/2026 14:03
prev 4b7e…d0 → hash a15c…8f
sign.agreement · Family/Nominee · 08/07/2026 14:07
prev a15c…8f → hash 77b3…2e
Read, export and signature events all chained. Break one link and verification fails.
Access is a matrix of role × module × action — and "can see" is a different permission from "can change", enforced server-side, not just hidden in the UI. Every role is editable, including a first-class Auditor (read + export only) and Family / Nominee role.
The permission matrix — View and Edit are separate, enforced permissions.
A role with View but not Edit gets a read-only record and a blocked save at the API — not a button that's merely greyed out.
Mask individual fields (43•••••12) and scope rows by region, home or assigned participants — enforced in policy and at the database.
TOTP two-factor is mandatory for any role that can administer or export sensitive data; biometric unlock on mobile.
We build the software so the standard is unmissable — and so you can show, not just claim, alignment. Here's the regulatory surface and how the product answers it.
| Regime | What it requires | How Tendaroo answers it |
|---|---|---|
| Privacy Act 1988 · APPs 1–13 | Collection notices, use limits, security, access & correction, cross-border limits | Collection notice in intake; per-module purpose binding; onshore-only processing; participant record export (APP 12); corrections as new versions (APP 13) |
| NDIS Practice Standards | Accurate, secure, retrievable records; governance & information management | NDIS vocabulary throughout; one-export audit packs for any date range; records stay read-only if billing lapses — never deleted |
| Incident Management & Reportable Incidents Rules 2018 | 24-hour initial + 5-business-day detailed notification; records kept 7 years | Statutory timer engine: category-driven reportability, live countdowns, escalation, validated Commission reference — not configurable off |
| Notifiable Data Breaches scheme | Assess suspected eligible breaches, notify the OAIC and affected individuals | Documented breach runbook; contractual commitment to notify affected providers within 72 hours (see below) |
| Worker Screening Rules · Fair Work s535 | Verify & record clearances; employee records kept 7 years | Screening records with expiry countdowns and roster blocks; 7-year retention on worker and payroll records |
Tendaroo is your data processor; you remain the APP entity and NDIS-regulated party. We build to make your obligations easy to meet and easy to evidence.
Backups are onshore, tested, and long-lived. And there's no lock-in on the data itself: you can export it any time.
≤ 5 min
Recovery point (RPO)
Continuous point-in-time recovery, 35-day window
≤ 4 h
Recovery time (RTO)
Target for a single-region loss, restored onshore
7 years
Record retention
Care, worker and audit records held to statute — soft-delete, never hard-delete in-window
Quarterly
Restore drills
Full restore to staging with checksum verification, logged
Full export any time (JSON + a human-readable PDF pack). On offboarding: export delivered, a 90-day hold, then per-tenant keys are crypto-shredded. The 7-year records duty transfers to you with the export — spelled out in the DPA.
Continuous monitoring, a rehearsed incident runbook, and an incident-response retainer with an Australian firm signed before launch. We commit contractually to notifying affected providers within 72 hours of a confirmed eligible breach.
Where we use AI — like drafting a note from your dictation — it's suggestion-only, stamped "AI-assisted", and always waits for a human to sign off. It processes care data only inside Australia, and it never adds a care action you didn't record.
We're honest about where we are. The controls on this page are live from day one; formal certification is a dated commitment, not a vague "coming soon".
ACSC Essential Eight (ML1) self-assessed; all controls on this page in code; MFA everywhere; policy pack written.
Compliance-automation platform wired to our cloud and code; internal audit; Statement of Applicability.
Stage 1 + Stage 2 certification with a JAS-ANZ-accredited body, scoped to the production platform.
Cyber clearance off the back of ISO certification, opening the path to direct API claiming.
We also run external penetration tests before launch and annually (CREST-accredited AU firm), with dependency, secrets and cloud-posture scanning in continuous CI.
No email wall, no "contact sales". Our security posture is meant to be read before you ever talk to us.
The links just work. Give us your email only if you'd like us to keep you posted.
Start a free trial and see the audit trail, the residency and the role model for yourself — no credit card, no sales call. Or read the whitepaper first; it's right there.