Security & Data Protection

No Patient Data Stored

Privacy by design — TeleCheck processes postcodes in real time and does not store patient names, Medicare numbers, or clinical records. Only the postcode and eligibility result are logged for compliance.

Encrypted in Transit

Every connection uses HTTPS with TLS encryption. API calls, web portal sessions, SSO exchanges, and embed widget requests are all encrypted end to end.

Australian Compliance

Built for Australian healthcare. Compliant with the Privacy Act 1988 and Australian Privacy Principles (APPs). Data sourced from DisasterAssist.gov.au, the official government source.

• Supabase Auth with email/password and SSO/SAML support
• Session-based authentication with secure HTTP-only cookies
• Subscription-gated middleware — only active subscribers access the portal
• Role-based permissions: owner, admin, practitioner, reception
• Team member lifecycle management (invite, suspend, remove)

• API keys stored as SHA-256 hashes — never in plaintext
• Rate limited to 100 requests per minute per key
• Instant key rotation and revocation from the dashboard
• Every request audit logged with postcode, timestamp, and result
• Keys shown once on generation — cannot be retrieved afterwards

• Enterprise identity provider integration (Okta, Azure AD, Google Workspace)
• No TeleCheck passwords needed — authentication delegated to your IdP
• Automatic organisation linking on first sign-in
• Admin-managed provider registration
• SAML assertions validated server-side before granting access

• Separate embed token (not your API key) — isolated credential scope
• 3-layer domain restriction: CSP frame-ancestors, Origin validation, and token validation
• Rate limited to 100 requests per minute per token
• Every check audit logged with source identified as 'embed'
• Instant token revocation from the dashboard

PostgreSQL hosted on SOC 2 Type II and ISO 27001 certified infrastructure. Row Level Security enforced on all tables.

PCI DSS Level 1 compliant. TeleCheck never handles or stores card numbers — all payment processing is delegated to Stripe.

Edge network with automatic DDoS protection, global CDN, and isolated serverless function execution.

Transactional emails sent via authenticated DKIM/SPF-verified domain (support@telecheck.com.au).

Complete Audit Trail

Every eligibility check is logged with the postcode, timestamp, source (web, API, PMS webhook, or embed), and result. This provides the documentation needed for AGRN compliance and Medicare audit defence.

Australian Regulatory Compliance

• Privacy Act 1988 & Australian Privacy Principles (APPs)
• Data sourced from DisasterAssist.gov.au (official government source)
• No patient identifiable information collected or stored
• Australian-owned and operated (ABN: 12048148174)

Authentication

Password-based login with minimum 8-character requirement, or SSO/SAML 2.0 for enterprise clinics that prefer centralised identity management.

Credential Revocation

API keys and embed tokens can be revoked instantly from your dashboard. Revoked credentials are rejected on the very next request — no propagation delay.

Subscription Gating

Middleware verifies active subscription status on every authenticated request. If a subscription lapses, API keys are automatically revoked and webhooks disabled.