Security

We treat client data the way we’d want ours treated.

Carelyt stores information regulated by the Australian Privacy Principles. The page below describes how the platform is built to protect it — in plain language, without certifications theatre.

How it’s protected

Six things that hold the line.

01 Data residency

Hosted in Sydney, by default.

Your data lives in Australia. We host on Supabase's Sydney region, which means your client information does not leave Australian soil for routine operations. The pages you see are served from a global network so the site loads fast wherever you are, but the database holding your information stays in Sydney.

02 Tenant isolation

Teams cannot see each other's data.

Each team's information is fenced off in the database itself, not just by the app. So even a bug in our code cannot let one team see another team's clients. We test this with two-team fixtures every time we touch a feature.
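What database-level fencing and a two-team fixture can look like, as an added example that is not Carelyt's code: it uses Postgres row-level security, the mechanism this page names in its vendor checklist. The `clients` table, the `app_user` role and the `app.team_id` session setting are hypothetical names, and the data is constructed.

```sql
-- Added illustration; every name here is hypothetical (not Carelyt's schema).
BEGIN;  -- run as a superuser in a scratch database; ROLLBACK leaves nothing behind

CREATE TABLE clients (
    id        int  PRIMARY KEY,
    team_id   uuid NOT NULL,
    full_name text NOT NULL
);
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON clients TO app_user;
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;  -- no matching policy = no rows

-- Assumption: the server sets app.team_id after authenticating the request.
-- NULLIF makes an unset or empty setting compare as NULL, so no rows match.
CREATE POLICY team_isolation ON clients FOR ALL TO app_user
    USING      (team_id = NULLIF(current_setting('app.team_id', true), '')::uuid)
    WITH CHECK (team_id = NULLIF(current_setting('app.team_id', true), '')::uuid);

SET LOCAL ROLE app_user;  -- not the table owner, so the policy applies
SELECT set_config('app.team_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO clients VALUES (1, '11111111-1111-1111-1111-111111111111', 'Team A client');
SELECT set_config('app.team_id', '22222222-2222-2222-2222-222222222222', true);
INSERT INTO clients VALUES (2, '22222222-2222-2222-2222-222222222222', 'Team B client');

DO $$
DECLARE touched int;
BEGIN
    -- Acting as team B: only team B's row is visible.
    ASSERT (SELECT count(*) FROM clients) = 1, 'team B can read team A rows';
    ASSERT NOT EXISTS (SELECT 1 FROM clients WHERE id = 1), 'team A row leaked';
    -- Cross-team UPDATE matches nothing because USING filters the target rows.
    UPDATE clients SET full_name = 'tampered' WHERE id = 1;
    GET DIAGNOSTICS touched = ROW_COUNT;
    ASSERT touched = 0, 'team B modified a team A row';
    -- Cross-team INSERT is rejected by WITH CHECK (SQLSTATE 42501).
    BEGIN
        INSERT INTO clients VALUES (3, '11111111-1111-1111-1111-111111111111', 'x');
        RAISE EXCEPTION 'cross-team insert was accepted';
    EXCEPTION WHEN insufficient_privilege THEN NULL;
    END;
    -- No tenant context at all: fail closed.
    PERFORM set_config('app.team_id', '', true);
    ASSERT (SELECT count(*) FROM clients) = 0, 'rows visible without a team';
END $$;

ROLLBACK;
```

The script finishes silently when isolation holds and aborts with the assertion message when it does not. The table owner and any role with BYPASSRLS skip the policy, which is why the checks run as `app_user`.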

03 Encryption

In transit and at rest.

Anything you type into Carelyt is sent over a secure connection and stored encrypted on disk. Sensitive keys live on the server only — they never reach the browser, and they never touch any code we ship to the public.

04 Authentication

Email and password, magic links, MFA.

Email + password by default, with magic links and multi-factor authentication available when you want them. If a teammate forgets their password, an admin can trigger a reset from the team page in two clicks.

05 Backups

Daily, point-in-time recovery.

Daily backups, with point-in-time recovery for the last week. If something goes wrong on our side, we can roll the database back to any minute in the previous seven days — and we'll tell you if we do.

06 Audit trail

Sensitive actions are logged.

Sign-ins, role changes, removed teammates, and team setting changes are recorded with who did what and when. Super-admins can review the trail straight from the dashboard.

If something goes wrong

We tell you, fast.

A breach of client information is a notifiable event under the Australian Privacy Act. Our incident process is built around honesty and speed.

01 Detect

Database, application, and infrastructure logs are monitored. Failed auth attempts, unusual queries, and out-of-band activity raise alerts to the team.

02 Contain

Affected sessions, keys, or accounts are revoked immediately. We assume the worst case until we have evidence otherwise.

03 Notify

If client information was likely accessed, we contact your super-admin within 72 hours with a plain-language description of what happened, what we know, what we don't, and what we're doing.

04 Remediate

We fix the underlying cause, write up the post-mortem, and share what changed so the same shape of issue cannot happen again.

Questions to ask any vendor

The checklist we’d hand a sceptical IT manager.

We’ve put our answers next to each one. If you’re vetting another vendor, hold them to the same standard.

Where does my data live?

Sydney (ap-southeast-2). Australia, full stop.

How is multi-tenant isolation enforced?

Postgres row-level security, not just app code.

Who can see service-role keys?

No one in the browser. They live in server-only env vars.

What about backups?

Daily, with point-in-time recovery for the last 7 days.

Can a removed teammate keep access?

No. Their session is revoked the moment they're removed.

Do you sell or share data with third parties?

No. Operational sub-processors only — Stripe for billing, Resend for email, Mapbox for the map.

Talk to us

Security questions get human answers.

If you’re vetting Carelyt for a clinical environment and need more detail than this page covers, write us a line. You’ll get a real person, not a sales script.

Email security

hello@carelyt.com.au