Australian data centres · AES-256 · TLS 1.3

Security at PratixBI

Your practice data is sensitive. We treat it that way. This page describes the technical and organisational measures we have in place to protect the information you entrust to us.

Australian Data Centres: AWS Sydney region. Your data never leaves Australia.
AES-256 Encryption: All data encrypted at rest using industry-standard AES-256.
TLS 1.3 in Transit: All data transmitted over encrypted TLS 1.3 connections.
APPs Compliant: Operated in compliance with the Australian Privacy Principles.

Infrastructure

PratixBI is hosted entirely on Amazon Web Services (AWS) in the ap-southeast-2 (Sydney) region. All customer data — including practice performance metrics, user accounts, and application data — remains within Australia at all times.

We use a multi-availability-zone architecture to ensure high availability and resilience. Our infrastructure is designed to achieve 99.9% uptime and is backed by automated failover and disaster recovery procedures.

Automated daily backups are retained for 30 days. Point-in-time recovery is available for databases. Backups are encrypted using the same AES-256 standard as primary data.

Encryption

At rest

AES-256 encryption is applied to all databases, file storage, and backups. Encryption keys are managed using AWS Key Management Service (KMS) with automatic rotation.

In transit

TLS 1.3 is enforced for all data transmitted between clients and our servers, between internal services, and to third-party APIs. TLS 1.0 and 1.1 are disabled.

API credentials and integration tokens used for PMS connections are stored in encrypted secret stores and are never logged or exposed in plain text.

Access controls

Role-based access (RBAC) is enforced throughout the platform. Practice owners control which staff members can access which data. Each user only sees the KPIs relevant to their role — clinical staff cannot access financial data they are not authorised to view.

Multi-factor authentication (MFA) is available for all user accounts and is required for all administrative and infrastructure access. We enforce MFA for all PratixBI team members with access to production systems.

Least-privilege access is applied to all internal systems. PratixBI engineers do not have standing access to production databases. Privileged access is granted on-demand, time-limited, and logged.

Audit logs are maintained for all authentication events, data access, and administrative actions within the platform. Logs are tamper-evident and retained for a minimum of 12 months.

Network security

Our production environment is isolated within a private Virtual Private Cloud (VPC) with strict network access control lists (ACLs) and security groups. Only the necessary ports and services are exposed to the internet.

All traffic passes through AWS WAF (Web Application Firewall) and AWS Shield for DDoS protection. Rate limiting is enforced on all public-facing APIs.

Outbound traffic from our infrastructure to PMS APIs uses static IP addresses, which practices can whitelist for additional security.

Security testing

We conduct annual penetration tests using independent third-party security firms. Findings are triaged, prioritised, and remediated with documented timelines.

Continuous automated vulnerability scanning is run against our infrastructure and application dependencies. Critical vulnerabilities are patched within 24 hours of identification.

Our development processes include mandatory code review, static analysis (SAST), and dependency scanning on every pull request. We follow OWASP secure development guidelines.

Incident response

PratixBI maintains a documented incident response plan that is reviewed and tested annually. Our security team is on call to detect, contain, and remediate security incidents.

In the event of a data breach involving personal information, we will:

  1. Contain and assess the incident within 24 hours of detection
  2. Notify affected customers as soon as practicable
  3. Notify the Office of the Australian Information Commissioner (OAIC) where required under the Notifiable Data Breaches (NDB) scheme
  4. Provide a full post-incident report to affected parties within 30 days

Our security team can be reached directly at security@pratixbi.com.

Sub-processors

We use a small number of trusted third-party sub-processors. All sub-processors are contractually bound to maintain security standards consistent with our own. Current key sub-processors include:

Sub-processor       | Purpose                        | Location
Amazon Web Services | Cloud infrastructure & storage | Australia (ap-southeast-2)
Stripe              | Payment processing             | USA (PCI DSS certified)
Postmark            | Transactional email            | USA

A complete and up-to-date sub-processor list is available on request.

Data handling and isolation

Each practice's data is logically isolated. Practice A cannot access the data of Practice B. Isolation is enforced at the application layer and verified through regular automated tests.

PratixBI staff do not access customer practice data except where required to provide support, and only with the customer's consent. All such access is logged.

We do not use your practice data to train models, benchmark competitors, or share insights with other customers. Your data is yours.

Reporting a security concern

If you believe you have found a security vulnerability in PratixBI, please report it to us responsibly. We take all reports seriously and will investigate promptly.

Security disclosures: security@pratixbi.com

Please do not disclose security vulnerabilities publicly until we have had the opportunity to investigate and remediate. We aim to acknowledge reports within 24 hours and provide a resolution timeline within 5 business days.