Security & Governance

How RebateRight protects your data and ensures compliance with Australian healthcare regulations
Zero Data Persistence

Patient data is never stored. Every request is processed in real time and immediately discarded.

Australian Data Sovereignty

Your data never leaves Australia. All infrastructure runs within Microsoft Azure’s Australia East region.

Your Keys, Your Control

RebateRight never stores, accesses, or manages your API credentials.


Zero Data Persistence Architecture

Real-time processing only — Patient data flows through our system without ever being stored. Each request is processed immediately and discarded, ensuring no sensitive information remains in our infrastructure.

Stateless serverless design — Every request is handled independently with no session persistence. Once your request is complete, no trace of the transaction remains in our systems.


Australian Data Sovereignty & Compliance

Complete geographic containment — Your data never crosses Australian borders. Our entire infrastructure operates within Microsoft Azure’s Australia East region, ensuring data sovereignty from ingestion to response.

Government-grade security — Microsoft Azure has completed an IRAP (Information Security Registered Assessors Program) assessment for Australian government data processing, supporting workloads up to and including the PROTECTED classification level in Australian regions.

Enterprise compliance framework — Azure maintains compliance offerings covering ISO 27001, SOC 2, HIPAA, GDPR, and numerous other global security standards.

For more information on Microsoft Azure’s compliance certifications, see Microsoft Azure Compliance.


Your Keys, Your Control

Client-managed authentication — RebateRight never stores, accesses, or manages your API credentials. You maintain complete control over your authentication tokens.


Enterprise-Grade Infrastructure

Azure reliability — Leveraging Microsoft Azure’s enterprise infrastructure ensures high availability, automatic scaling during peak periods, and built-in redundancy across multiple availability zones.

Security by design — Every component follows security best practices including:

  • TLS 1.2/1.3 encrypted transit
  • Minimal attack surface
  • Secure development lifecycle with vulnerability scanning
  • Continuous monitoring for threats

Government-standard integration — Communications with Services Australia, including Medicare, use PRODA (Provider Digital Access) — Services Australia’s secure authentication mechanism.


Usage Data We Store

To keep billing accurate and provide you with usage insights, RebateRight stores a minimal set of operational metadata about requests.

This metadata never includes personally identifiable information (PII), patient details, or provider information. It is retained solely for billing and reporting purposes.

Examples of metadata stored:

  • Total number of times RebateRight endpoints were used
  • Which API endpoints were called
  • Which MBS item numbers were requested
  • The outcome of the operation (e.g., eligible or not eligible)