Security & privacy

Compliance is the product

NoteWriter AI was built for the realities of handling NDIS participant data in Australia. Protecting sensitive information isn't an add-on — it's the core design.

De-identification before AI processing

Direct identifiers (participant and worker names, NDIS numbers) are stripped from your input before the note is generated, then restored locally on our Australian servers. Identifiable data is never sent to the language model.

Australian data residency

Your participants, goals and note history are stored in an Australian region (Sydney). Production AI inference is also AU-hosted, supporting your APP 8 cross-border disclosure obligations for sensitive information.

Encryption in transit and at rest

All traffic is encrypted with TLS. Note bodies are additionally encrypted at the application layer with AES-256-GCM before they are written to the database, so the most sensitive content is protected with defence-in-depth.

Per-organisation isolation

Every record is scoped to your organisation and enforced by database Row Level Security. One organisation can never read another's participants, goals or notes — the database rejects it, not just the app.

Human-in-the-loop by design

NoteWriter AI drafts; your qualified worker reviews and approves every note before it is filed. This keeps the product an administrative aid, outside the scope of a regulated medical device.

Least-privilege access

Staff access is role-based (owner / member). Administrative database keys are server-only and never exposed to the browser. Sign-in is passwordless email magic-link.

How a note is processed

  1. You speak or type a few observations and select the participant's plan goal.
  2. Direct identifiers are removed from the input on our Australian server.
  3. The de-identified text is sent to an Australian-hosted AI model to draft the note.
  4. Real names are restored locally — they were never sent to the model.
  5. The note body is encrypted (AES-256-GCM) and stored in your organisation's Australian database.
  6. Your worker reviews, edits if needed, and approves the note before filing.
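
Steps 2 to 4 above (remove identifiers, draft, restore) can be sketched as reversible placeholder substitution with a fail-closed check at the model boundary. This is an added illustration, not NoteWriter AI's own code: the placeholder format, the 9-digit NDIS number pattern, the function names and the sample data are all assumptions made for the example.

```python
import re

NDIS_RE = re.compile(r"\b\d{9}\b")        # assumption: NDIS numbers are 9 digits
TOKEN_RE = re.compile(r"\[[A-Z]+_\d+\]")  # placeholder format chosen for this example

def _name_re(name):
    return re.compile(rf"\b{re.escape(name)}\b", re.IGNORECASE)

def deidentify(text, names):
    """names maps known full names to a role, e.g. {"Priya Nair": "PARTICIPANT"}.
    Returns (safe_text, mapping of placeholder -> original value)."""
    mapping, counters = {}, {}

    def token_for(value, role):
        for tok, known in mapping.items():   # same identifier, same placeholder
            if known.lower() == value.lower():
                return tok
        counters[role] = counters.get(role, 0) + 1
        tok = f"[{role}_{counters[role]}]"
        mapping[tok] = value
        return tok

    # Longest names first so a short name never splits a longer one.
    for name in sorted(names, key=len, reverse=True):
        text = _name_re(name).sub(lambda m, n=name: token_for(n, names[n]), text)
    text = NDIS_RE.sub(lambda m: token_for(m.group(0), "NDIS"), text)
    return text, mapping

def assert_no_leak(safe_text, names):
    """Gate at the model boundary: fail closed if any identifier survived."""
    if NDIS_RE.search(safe_text) or any(_name_re(n).search(safe_text) for n in names):
        raise ValueError("identifier present in outbound text")
    return safe_text

def restore(draft, mapping):
    """Re-insert originals; a placeholder the mapping lacks is an error."""
    unknown = sorted(set(TOKEN_RE.findall(draft)) - set(mapping))
    if unknown:
        raise ValueError(f"unknown placeholders in draft: {unknown}")
    return TOKEN_RE.sub(lambda m: mapping[m.group(0)], draft)

if __name__ == "__main__":
    # Constructed sample data, not real participant records.
    names = {"Priya Nair": "PARTICIPANT", "Sam Lee": "WORKER"}
    note = "Priya Nair (NDIS 431234567) cooked lunch with Sam Lee."
    safe, mapping = deidentify(note, names)
    print(assert_no_leak(safe, names))
    # Stand-in for the model's reply; the model only ever sees placeholders.
    print(restore("[PARTICIPANT_1] prepared lunch with support from [WORKER_1].", mapping))
```

The mapping stays on the server that holds the identifiers; only the text returned by `assert_no_leak` crosses to the model.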

Regulatory alignment

  • Privacy Act 1988 & the Australian Privacy Principles (APPs) — including APP 8 (cross-border) and APP 11 (security of personal information).
  • Handling of disability and health information as 'sensitive information' under the Act.
  • Alignment with NDIS Practice Standards expectations for goal-linked, audit-ready progress records.

This page describes our security and privacy approach in plain language; it is not legal advice. For a Data Processing Agreement, security questionnaire or detailed architecture review, get in touch.