All data encrypted at rest (AES-256) and in transit (TLS 1.2+). Database, S3 storage, and secrets all encrypted with AWS KMS.
Database and application servers in private network subnets with no direct internet access. All cloud service calls route through private endpoints.
Participant identifiers tokenised by DeIDProxy before any AI API call. Raw identifiers never leave Australian infrastructure.
Every supervisor override and AI transmission logged immutably. Access logs retained 90 days. AI transmission metadata retained 3 years.
Infrastructure security
NoteGate is hosted exclusively on AWS ap-southeast-2 (Sydney). The following controls are active across all production infrastructure.
Application security
- Token-based authentication — all API requests require a signed authentication token with 24-hour expiry
- Role-based access control — support workers can only access participants to whom they are explicitly assigned
- Tenant isolation — all database queries are scoped by tenant ID; cross-tenant data access is architecturally impossible
- Rate limiting — API rate limits enforced per IP. Login endpoint limited to 10 attempts per 15 minutes.
- Input validation — all API inputs validated with schema validation before processing
- Security headers — Standard security headers enforced on all responses (X-Frame-Options, X-Content-Type-Options, etc.)
- CORS policy — cross-origin requests restricted to *.notegate.com.au subdomains only
- Stripe webhook verification — all Stripe webhooks verified using cryptographic signature before processing
- Password hashing — Industry-standard adaptive hashing. Passwords never stored in plain text.
- Supervisor override logging — every override of a failed validation is logged with the reviewer's identity, timestamp, and written justification
AI security
The Anthropic Claude API is used for note validation. The following controls are specific to AI security:
- DeIDProxy tokenisation — participant name, NDIS number, and care identifiers replaced with secure tokens before transmission. Raw identifiers stored only in Australia.
- Zero Data Retention agreement — Anthropic contractually prohibited from storing or retaining API request content after call completion
- AI training non-use — no NoteGate data used for model training, fine-tuning, or evaluation under ZDR agreement
- Structured output enforcement — AI responses validated as JSON before use; free-form text responses rejected
- Transmission logging — every AI call logged with metadata (token counts, latency, de-identification applied, ZDR active). No content stored.
- Prompt injection resistance — system prompt and participant rules are system-controlled; worker narrative input is treated as untrusted data
Notifiable Data Breaches
NoteGate is subject to the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth). In the event of an eligible data breach:
- We will assess the breach within 30 days of becoming aware
- Affected organisations will be notified as soon as practicable
- We will notify the Office of the Australian Information Commissioner (OAIC) as required
- We will take remediation steps and provide a written summary of actions taken
Vulnerability disclosure
If you discover a security vulnerability in NoteGate, please report it responsibly:
- Email: security@notegate.com.au
- Include a description of the vulnerability, steps to reproduce, and potential impact
- Do not access, modify, or delete data belonging to other organisations
- We will acknowledge receipt within 48 hours and provide a resolution timeline
We do not currently operate a bug bounty programme but we recognise responsible disclosure and will acknowledge contributors where appropriate.
Security enquiries
For security questions, vulnerability reports, or incident notifications:
security@notegate.com.au
AgenticX Australia · ABN: 27 680 398 305
Queensland, Australia
For urgent security incidents affecting participant data, include "URGENT" in the subject line. We monitor this address 7 days a week.