Carelyt
Security

Health data that never leaves Australia.

Carelyt holds information regulated by the Australian Privacy Principles. Here is how we protect it, in plain language, without the certifications theatre.

Sydney
Data hosted in ap-southeast-2, on AU soil
Encrypted
In transit and at rest, every byte
HIPAA-ready
ISO 27001 in progress
No lock-in
CSV export any time you ask
How it is protected

Six things that hold the line.

No jargon, no badges you cannot verify. Just the controls that keep your clients safe.

Stays in Australia.

Your client data lives in our Sydney region and does not leave AU soil for routine work. Pages load fast worldwide, but the database stays put.

Fenced off per team.

Every team is isolated in the database itself, not just the app. A bug in our code still cannot let one team see another. We test it with two-team fixtures on every change.

Encrypted end to end.

Everything you type travels over a secure connection and rests encrypted on disk. Sensitive keys stay on the server and never reach the browser.

Sign in your way.

Email and password by default, plus magic links and multi-factor when you want them. Admins can trigger a teammate reset in two clicks.

Recover to the minute.

Daily backups with point-in-time recovery for the last seven days. If something breaks on our side, we roll back to any minute that week and tell you we did.

Every action logged.

Sign-ins, role changes and removed teammates are recorded with who, what and when. Super-admins can review the trail from the dashboard.

Your data is yours. Take it any time.

CSV in on day one, CSV out whenever you ask. No export fee, no waiting period, no lock-in. Cancel any month and we hand back everything we hold.

Questions to ask any vendor

The checklist we would hand a sceptical IT manager.

We have put our answers next to each one. If you are vetting another vendor, hold them to the same standard.

Sydney, in the ap-southeast-2 region. Australia, full stop. Your client information does not leave AU soil for routine operations.

Postgres row-level security in the database, not just application code. Each team is fenced off so a bug in our code still cannot leak another team’s clients.

No one in the browser. They live in server-only environment variables and never reach any code we ship to the public.

Daily backups, with point-in-time recovery for the last seven days.

No. Their session is revoked the moment they are removed from the team.

Any time. CSV in, CSV out. Leave any month and we will hand over everything, no lock-in.

No. We use operational sub-processors only: Stripe for billing, Resend for email and Mapbox for the map.

A breach of client information is notifiable under the Australian Privacy Act. If client data was likely accessed, we contact your super-admin within 72 hours with a plain-language account of what happened, what we know and what we are doing.

Talk to us

Real answers to security questions.

Vetting Carelyt for a clinical environment and need more than this page covers? Write us a line. You get a real person, not a sales script.