Heron is built to handle sensitive patient communications. Security, privacy, and compliance are foundational to everything we do.
Heron handles sensitive healthcare communications on behalf of clinics across Australia and New Zealand. We take a defence-in-depth approach to security — applying controls at the application, infrastructure, and organisational levels to protect the confidentiality, integrity, and availability of patient communications.
Heron Health Limited maintains a comprehensive set of security policies and procedures aligned to the SOC 2 Trust Service Criteria, covering everything from encryption and access control to incident response and business continuity.
All data is encrypted at rest with keys managed in Google Cloud KMS, and in transit with TLS 1.2 or later across all services.
Role-based access with mandatory MFA via SSO.
Centralised logging with audit trails retained for one year. Authentication events, privilege changes, and data access are continuously monitored.
Documented response plan with severity-based classification (SEV-1 to SEV-4), tested annually.
Background checks for all hires, annual security awareness training, signed confidentiality agreements, and system access revoked within 24 hours of offboarding.
Documented DR and BCP with RTO of 24 hours and RPO under 24 hours. Annual disaster recovery testing with validated restore procedures.
Heron's compliance programme is aligned to industry-recognised frameworks and independently audited.
Independent examination covering the SOC 2 Common Criteria (CC1–CC9) for the Security Trust Service Category.
Compliant with the Australian Privacy Principles (APPs) governing the handling of personal information.
Compliant with New Zealand's privacy framework and the Health Information Privacy Code 2020 governing collection, use, and disclosure of personal and health information.
Patient communications are at the core of what we handle. Here's how we keep them safe.
Data is encrypted at rest using server-side encryption on cloud storage, with encryption keys managed in Google Cloud KMS. All data in transit is protected with TLS 1.2 or later.
All patient communications are hosted on Google Cloud Platform infrastructure. Heron's cloud provider maintains SOC 2 Type II, ISO 27001, ISO 27017, and ISO 27018 certifications.
Patient communications are never used to train third-party AI models. All AI/ML providers are assessed via vendor risk assessment with contractual data protection obligations. Data minimisation principles are applied to all AI processing.
Three-tier data classification framework — Restricted, Internal, and Public — ensuring appropriate handling, access controls, and protection for patient health information and sensitive data.
Defined retention schedules with automated lifecycle enforcement. Customer data is deleted within 90 days of contract termination. Media disposal procedures are aligned with NIST SP 800-88 (media sanitisation).
A maintained list of sub-processors is available upon request. Contact us.
Enterprise-grade infrastructure with defence-in-depth security controls.
Hosted on Google Cloud Platform using managed serverless services. GCP maintains SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and PCI DSS certifications.
No servers are directly exposed; all ingress passes through managed services. GCP-managed firewalling and routing, DDoS protection, and annual penetration testing by independent third parties.
Documented hardening standards for endpoints and cloud infrastructure. Full-disk encryption required on all devices, mandatory MFA, TLS 1.2+ enforced, and no hardcoded secrets.
Automated dependency scanning runs weekly, complemented by static code analysis on every pull request. Findings are remediated against defined SLAs: Critical within 48 hours, High within 7 days.
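As an added example (not Heron's own tooling), the following Python script shows how the stated remediation SLAs can be enforced mechanically: it takes a constructed list of scanner findings, normalised to an id, severity, first-seen timestamp and optional resolved-at timestamp, computes each finding's deadline from the Critical (48 h) and High (7 d) windows above, and reports which open findings are overdue and which closed ones missed their window. The finding ids, dates and field names are hypothetical; severities without an SLA on the page are counted but never flagged.

```python
"""Evaluate dependency-scan findings against remediation SLAs.

Added example, not Heron's code. Findings are a constructed list of dicts
of the shape a scanner export might be normalised to.
"""
from datetime import datetime, timedelta, timezone

# SLAs as stated on the page: Critical 48 hours, High 7 days.
# Other severities have no SLA on the page and are only counted.
SLA = {
    "CRITICAL": timedelta(hours=48),
    "HIGH": timedelta(days=7),
}


def parse_ts(value):
    """Parse an ISO 8601 timestamp; accepts a trailing 'Z' and assumes UTC if naive."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def deadline(finding):
    """Remediation deadline for a finding, or None if its severity has no SLA."""
    window = SLA.get(finding["severity"].upper())
    if window is None:
        return None
    return parse_ts(finding["first_seen"]) + window


def classify(finding, now):
    """Return one of: no_sla, met, missed, open_within_sla, overdue."""
    due = deadline(finding)
    if due is None:
        return "no_sla"
    resolved = finding.get("resolved_at")
    if resolved is not None:
        return "met" if parse_ts(resolved) <= due else "missed"
    return "overdue" if now > due else "open_within_sla"


def report(findings, now):
    """Count findings per SLA status and list the ids that breached."""
    summary = {k: 0 for k in ("no_sla", "met", "missed", "open_within_sla", "overdue")}
    breaches = {"overdue": [], "missed": []}
    for finding in findings:
        status = classify(finding, now)
        summary[status] += 1
        if status in breaches:
            breaches[status].append(finding["id"])
    summary["overdue_ids"] = breaches["overdue"]
    summary["missed_ids"] = breaches["missed"]
    return summary


# Constructed sample findings (hypothetical ids and dates, not real scan output).
SAMPLE_FINDINGS = [
    {"id": "F1", "severity": "CRITICAL", "first_seen": "2024-05-01T00:00:00Z",
     "resolved_at": "2024-05-02T12:00:00Z"},                                 # fixed in 36 h: met
    {"id": "F2", "severity": "CRITICAL", "first_seen": "2024-05-01T00:00:00Z",
     "resolved_at": "2024-05-04T00:00:00Z"},                                 # fixed in 72 h: missed
    {"id": "F3", "severity": "HIGH", "first_seen": "2024-05-05T00:00:00Z"},  # due 2024-05-12, still open
    {"id": "F4", "severity": "HIGH", "first_seen": "2024-05-01T00:00:00Z"},  # due 2024-05-08, still open
    {"id": "F5", "severity": "MEDIUM", "first_seen": "2024-04-01T00:00:00Z"}, # no SLA stated on the page
]
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "current time" for the sample

if __name__ == "__main__":
    result = report(SAMPLE_FINDINGS, NOW)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Non-zero exit so a scheduled CI job fails when any finding has breached its SLA.
    raise SystemExit(1 if result["overdue"] or result["missed"] else 0)
```

Run as a scheduled job against the scanner's export, the non-zero exit turns an SLA breach into a visible pipeline failure rather than a line in a report; the `missed` count gives the historical attainment figure an auditor will ask for, and `overdue_ids` is the working list for the current week.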
Daily automated backups with 30–90 day retention and lifecycle-managed expiry. Restore procedures tested annually with validated recovery in under 2 hours against a 24-hour RTO target.
Documented DR and BCP with RTO of 24 hours and RPO under 24 hours. Annual testing includes tabletop exercises and functional restore-from-backup validation. Distributed workforce model ensures operational resilience.
Heron maintains a comprehensive library of security policies and compliance documents.
How Heron handles personal information under the Australian Privacy Principles.
How Heron handles personal information under the NZ Privacy Act 2020.
Heron's terms of service governing use of the platform.
Independent examination report covering Common Criteria CC1–CC9.
Standard DPA template for customers requiring formal data processing terms.
Summary of independent penetration testing scope, cadence, and approach.
List of third-party vendors and sub-processors with classification and data access levels.