NoteGate™ is built for Australian health and disability services. Every technical and operational control is designed to meet NDIS and Aged Care regulatory requirements.
Controls mapped to ISO 27001:2022 Annex A and ASD Essential Eight. Note that the control summaries immediately below cite the older ISO 27001:2013 Annex A numbering (A.9 to A.18), while the control table that follows them uses the 2022 numbering (A.5 and A.8).
- Multi-factor authentication (Active - A.9.4.2 / E8 #7): TOTP-based MFA available for all user accounts, aligned with ASD Essential Eight mitigation #7. Admins can enforce MFA organisation-wide.
- Account lockout (Active - A.9.4.2): Accounts lock for 15 minutes after 5 consecutive failed login attempts, which blunts credential-stuffing and brute-force attacks.
- Role-based access control (Active - A.9.1 / A.9.2): Six granular roles: Super Admin, Tenant Admin, Clinical Admin, Supervisor, Support Worker, Read Only. Workers are scoped to their assigned participants only.
- Password policy (Active - A.9.4.3): Minimum 12 characters. Passwords hashed with bcrypt (cost factor 12). Session tokens are invalidated immediately on password change. Password reset uses a time-limited email token.
- Audit logging (Active - A.12.4): Every authentication event, password change, MFA action, and access decision is logged with timestamp, IP address, and user agent. Logs are retained for 12 months.
- Data residency (Active - A.11.2 / APP 8): All data is stored exclusively in AWS Sydney (ap-southeast-2). The S3 bucket policy includes a region-deny condition to prevent data from leaving Australia.
- Encryption in transit (Active - A.10.1 / A.13.1): TLS 1.2+ enforced on all endpoints via AWS CloudFront; plain HTTP is not served. Internal API communication is TLS-secured. HSTS headers enforced.
- Encryption at rest (Active - A.10.1): Managed database encrypted with AES-256 under AWS KMS keys. S3 objects encrypted with SSE-S3. Application volumes encrypted at rest.
- AI de-identification (Active - A.18.1.4 / APP 8): Participant identifiers are tokenised before transmission to any AI processing provider. A Zero Data Retention agreement is in place with the provider. Every AI call is logged.
- Security headers (Active - A.13.1 / A.14.2): Helmet.js sets Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and HSTS on all API responses.
- Rate limiting (Active - A.9.4.2): Authentication endpoints: 10 requests per 15 minutes per IP. All other endpoints: 100 requests per 15 minutes. Protects against automated attacks.
- Input validation (Active - A.14.2): All API inputs validated with Zod schema enforcement. SQL injection prevented by parameterised queries. CORS restricted to notegate.com.au subdomains.

| Control | Annex A ref | Implementation | Status |
|---|---|---|---|
| Access control policy | A.5.15 | RBAC enforced at API middleware layer on every request | Active |
| Identity management | A.5.16 | UUID-based user identity, tenant-scoped, bcrypt(12) credentials | Active |
| Authentication information | A.5.17 | 12-char min, bcrypt(12), forced reset on first login, self-service reset | Active |
| Access rights | A.5.18 | Worker scope limited to assigned participants; role checks on every route | Active |
| Use of cryptography | A.8.24 | AES-256 at rest (KMS), TLS 1.2+ in transit, bcrypt for passwords | Active |
| Secure authentication | A.8.5 | JWT tokens, account lockout (5 attempts / 15 min), MFA available | Active |
| Privileged access | A.8.2 | Super Admin role scoped to platform operations; tenant admins scoped to own org | Active |
| Event logging | A.8.15 | Winston structured JSON logs (CloudWatch). Security audit log table with all auth events | Active |
| Monitoring | A.8.16 | ECS health checks, CloudWatch metrics, structured error logging | Active |
| Web filtering / input validation | A.8.23 | Zod schema validation, parameterised queries, CORS restriction | Active |
| Information transfer | A.5.14 | TLS enforced, HSTS, no sensitive data in URLs, presigned S3 for file access | Active |
| Protection of records | A.5.33 | Soft-delete only (no hard deletes on clinical records), audit trail on all approvals | Active |
| Privacy & PII protection | A.5.34 | APPs compliance, de-identification before AI, data residency in Australia | Active |
| Incident management | A.5.26 | SIRS-ready incident module, structured logging for investigation evidence | Active |
| Backup | A.8.13 | Managed database automated daily backups, 7-day retention, point-in-time recovery | Active |
| Network security | A.8.20 | ECS tasks in VPC, RDS not publicly accessible, CloudFront WAF-ready | Active |
| Secure development | A.8.25 / A.8.28 | Zod validation, no raw SQL, ORM layer, dependency pinning, Docker build | Active |
| Multi-factor authentication | A.8.5 / E8 #7 | TOTP (RFC 6238) via otplib. QR code onboarding. Admin can enforce per-org. | Active |
| Legislation / Standard | Obligation | How NoteGate™ satisfies it |
|---|---|---|
| Privacy Act 1988 (Cth) - APPs | APP 1: Open and transparent management | This page, the privacy policy, and in-app disclosure |
| Privacy Act 1988 (Cth) - APPs | APP 6: Use or disclosure | Data used only for service delivery; no sale or model training |
| Privacy Act 1988 (Cth) - APPs | APP 8: Cross-border disclosure | ZDR agreement plus our de-identification service; data stays in Australia |
| Privacy Act 1988 (Cth) - APPs | APP 11: Security | Encryption at rest and in transit, RBAC, MFA, audit log |
| NDIS Act 2013 - Part 7 | Protected NDIS information | Tenant-scoped isolation; worker scoped to assigned participants only |
| Aged Care Act 2024 | Information security | AES-256 encryption, access control, de-identification |
| Aged Care Quality Standards | Standard 5 - clinical documentation | AI quality gate, mandatory validation, approval workflow |
| SIRS (Serious Incident Response) | Incident reporting obligations | Incident module with structured capture and export |
| ASD Essential Eight | Maturity Level 2 (target) | MFA (#7), privileged access (#5), patching via ECS rolling deploy (#2, #6) |
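The account-lockout (5 consecutive failures, 15-minute lock) and rate-limit (10 authentication requests per 15 minutes per IP) thresholds listed on this page, and the audit record the page says accompanies each authentication event, can be composed into a single login pipeline. The block below is an added example written for this page, not NoteGate's code. Its Map-based stores stand in for the shared store a multi-task deployment would need, the plain string comparison stands in for the bcrypt check, the 15-minute window for counting failures is an assumption the page does not state, and the user, IP and user-agent values are constructed.

```javascript
// Added example: account lockout + per-IP rate limiting + structured audit record,
// composed into a login handler. Illustrative code for this page, not NoteGate's.
const WINDOW_MS = 15 * 60 * 1000;

// Fixed-window counter keyed by client IP: the window starts at the first hit and
// resets WINDOW_MS later; hits beyond `limit` are rejected with a retry-after hint.
class RateLimiter {
  constructor({ limit, windowMs = WINDOW_MS }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { count, resetAt }
  }
  hit(key, now) {
    let b = this.buckets.get(key);
    if (!b || now >= b.resetAt) {
      b = { count: 0, resetAt: now + this.windowMs };
      this.buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= this.limit;
    return { allowed, retryAfterMs: allowed ? 0 : b.resetAt - now };
  }
}

// Consecutive-failure lockout keyed by account. A success clears the run of failures;
// failures older than failureWindowMs (assumed 15 min) no longer count toward the threshold.
class AccountLockout {
  constructor({ maxFailures = 5, lockMs = WINDOW_MS, failureWindowMs = WINDOW_MS } = {}) {
    Object.assign(this, { maxFailures, lockMs, failureWindowMs });
    this.state = new Map(); // accountId -> { failures: number[], lockedUntil: number|null }
  }
  entry(accountId) {
    if (!this.state.has(accountId)) this.state.set(accountId, { failures: [], lockedUntil: null });
    return this.state.get(accountId);
  }
  status(accountId, now) {
    const e = this.entry(accountId);
    if (e.lockedUntil !== null && now < e.lockedUntil) return { locked: true, retryAfterMs: e.lockedUntil - now };
    e.lockedUntil = null; // lock has expired
    return { locked: false, retryAfterMs: 0 };
  }
  recordFailure(accountId, now) {
    const e = this.entry(accountId);
    e.failures = e.failures.filter((t) => t > now - this.failureWindowMs);
    e.failures.push(now);
    if (e.failures.length >= this.maxFailures) {
      e.lockedUntil = now + this.lockMs;
      e.failures = [];
      return { locked: true };
    }
    return { locked: false };
  }
  recordSuccess(accountId) { this.state.delete(accountId); }
}

const auditLog = []; // in-memory stand-in for a security audit log table

// Order of checks: rate limit first (cheapest, needs no account lookup), then lockout,
// then the credential check. Locked and wrong-credential outcomes both return 401 so
// the response does not reveal which accounts are locked; the audit record keeps the
// precise reason, timestamp, IP and user agent.
function makeLoginHandler({ verifyCredential, limiter, lockout }) {
  return function login({ accountId, password, ip, userAgent, now }) {
    const record = (outcome, extra = {}) =>
      auditLog.push({ ts: new Date(now).toISOString(), event: 'login', accountId, ip, userAgent, outcome, ...extra });
    const rl = limiter.hit(ip, now);
    if (!rl.allowed) {
      record('rate_limited', { retryAfterMs: rl.retryAfterMs });
      return { status: 429, reason: 'rate_limited' };
    }
    if (lockout.status(accountId, now).locked) {
      record('locked');
      return { status: 401, reason: 'locked' };
    }
    if (!verifyCredential(accountId, password)) {
      const f = lockout.recordFailure(accountId, now);
      record('bad_credentials', { accountLocked: f.locked });
      return { status: 401, reason: 'bad_credentials' };
    }
    lockout.recordSuccess(accountId);
    record('success');
    return { status: 200, reason: 'ok' };
  };
}

// Constructed demo wiring. The plaintext comparison is a stand-in for bcrypt.compare.
const DEMO_USERS = { alice: 'correct horse battery staple' };
const login = makeLoginHandler({
  verifyCredential: (id, pw) => DEMO_USERS[id] === pw,
  limiter: new RateLimiter({ limit: 10 }),
  lockout: new AccountLockout(),
});
```

Two details worth keeping when adapting this: a request that is rejected by the rate limiter never reaches the lockout counter, so a flood from one IP cannot be used to lock out a victim's account faster than five real attempts would, and a correct password presented during the lock is still refused, which is what "lock" has to mean for the control to hold against credential stuffing.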
For security assessments, IRAP evaluation support, or responsible disclosure, contact our security team at security@notegate.com.au.