---
title: Security & Governance
subtitle: How RebateRight protects your data and ensures compliance with Australian healthcare regulations
slug: governance
---


<CardGroup cols={3}>
  <Card title="Zero Data Persistence" icon="database">
    Patient data is never stored. Every request is processed in real time and immediately discarded.
  </Card>

  <Card title="Australian Data Sovereignty" icon="flag">
    Your data never leaves Australia. All infrastructure runs within Microsoft Azure's Australia East region.
  </Card>

  <Card title="Your Keys, Your Control" icon="key">
    RebateRight never stores, accesses, or manages your API credentials.
  </Card>
</CardGroup>

***

## Zero Data Persistence Architecture

**Real-time processing only** — Patient data flows through our system without ever being stored. Each request is processed immediately and discarded, ensuring no sensitive information remains in our infrastructure.

**Stateless serverless design** — Every request is handled independently with no session persistence. Once your request is complete, no trace of the transaction remains in our systems.

***

## Australian Data Sovereignty & Compliance

**Complete geographic containment** — Your data never crosses Australian borders. Our entire infrastructure operates within Microsoft Azure's Australia East region, ensuring data sovereignty from ingestion to response.

**Government-grade security** — Microsoft Azure has completed an IRAP (Information Security Registered Assessors Program) assessment for Australian government data processing, supporting workloads up to and including the PROTECTED classification level in Australian regions.

**Enterprise compliance framework** — The Azure platform holds certifications and attestations covering ISO 27001, SOC 2, HIPAA, GDPR, and numerous other global security standards.

<Note>
  For more information on Microsoft Azure's compliance certifications, see [Microsoft Azure Compliance](https://learn.microsoft.com/en-us/azure/compliance/).
</Note>

***

## Your Keys, Your Control

**Client-managed authentication** — RebateRight never stores, accesses, or manages your API credentials. You maintain complete control over your authentication tokens.

***

## Enterprise-Grade Infrastructure

**Azure reliability** — Leveraging Microsoft Azure's enterprise infrastructure ensures high availability, automatic scaling during peak periods, and built-in redundancy across multiple availability zones.

**Security by design** — Every component follows security best practices including:

* TLS 1.2/1.3 encryption in transit
* Minimal attack surface
* Secure development lifecycle with vulnerability scanning
* Continuous monitoring for threats

**Government-standard integration** — Communications with Services Australia, including Medicare, use PRODA (Provider Digital Access) — Services Australia's secure authentication mechanism.

***

## Usage Data We Store

To keep billing accurate and provide you with usage insights, RebateRight stores a minimal set of operational metadata about requests.

<Note>
  This metadata **never includes personally identifiable information (PII)**, patient details, or provider information. It is retained solely for billing and reporting purposes.
</Note>

Examples of metadata stored:

* Total number of times RebateRight endpoints were used
* Which API endpoints were called
* Which MBS item numbers were requested
* The outcome of the operation (e.g., eligible or not eligible)
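The list above describes a data-minimisation rule: a usage record may carry the endpoint, the MBS item numbers and the outcome, and nothing else. The block below is an added illustration of how such a rule is enforced in code, written here as an example and not taken from RebateRight's own implementation. It assumes a hypothetical request shape whose field names (`endpoint`, `mbs_item_numbers`, `patient`, `provider`, `authorization`) are constructed for the example. The design point it shows is that the usage record is built by allow-listing the permitted fields, so any patient or provider field added to a request later is dropped by default, with a separate PII-key scan acting as a detector rather than as the control.

```python
"""Allow-list projection of an API request onto billable usage metadata.

Added example, not RebateRight's code. Request field names are hypothetical
and constructed for illustration only.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import asdict, dataclass
from typing import Any

# The only fields a stored usage record may carry (allow-list: the control).
ALLOWED_FIELDS = frozenset({"endpoint", "mbs_item_numbers", "outcome"})

# Key fragments that must never appear in a usage record (deny-list: a detector
# used as a second, independent check, not as the primary control).
PII_MARKERS = ("patient", "provider", "medicare", "name", "dob", "address", "token", "authorization")


@dataclass(frozen=True)
class UsageRecord:
    endpoint: str
    mbs_item_numbers: tuple[str, ...]
    outcome: str


def build_usage_record(request: dict[str, Any], outcome: str) -> UsageRecord:
    """Copy only the allow-listed fields; everything else in the request is ignored."""
    items = tuple(str(i) for i in request.get("mbs_item_numbers", ()))
    return UsageRecord(endpoint=str(request["endpoint"]), mbs_item_numbers=items, outcome=outcome)


def _flatten_keys(obj: Any, prefix: str = "") -> list[str]:
    """Return dotted key paths for every key in a nested dict/list structure."""
    keys: list[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else str(k)
            keys.append(path)
            keys.extend(_flatten_keys(v, path))
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            keys.extend(_flatten_keys(v, prefix))
    return keys


def pii_keys(record: dict[str, Any]) -> list[str]:
    """List key paths in a record whose name suggests PII or credentials."""
    return [k for k in _flatten_keys(record) if any(m in k.lower() for m in PII_MARKERS)]


def store_usage(request: dict[str, Any], outcome: str, sink: list[dict[str, Any]]) -> dict[str, Any]:
    """Build the usage record, verify it carries no PII-like keys, then persist it."""
    rec = asdict(build_usage_record(request, outcome))
    if not set(rec) <= ALLOWED_FIELDS:
        raise ValueError(f"usage record has non-allow-listed fields: {set(rec) - ALLOWED_FIELDS}")
    leaked = pii_keys(rec)
    if leaked:
        raise ValueError(f"refusing to store usage record with PII-like keys: {leaked}")
    sink.append(rec)
    return rec


def endpoint_counts(sink: list[dict[str, Any]]) -> dict[str, int]:
    """Aggregate how many times each endpoint was used (the 'total usage' metric)."""
    return dict(Counter(r["endpoint"] for r in sink))


# Constructed sample request: it carries patient, provider and credential fields
# that must not survive into the usage store.
SAMPLE_REQUEST: dict[str, Any] = {
    "endpoint": "/eligibility/check",
    "mbs_item_numbers": [23, 36],
    "patient": {"medicare_number": "0000000000", "name": "Example Patient", "dob": "1970-01-01"},
    "provider": {"number": "000000A"},
    "authorization": "Bearer <redacted>",
}


def demo() -> tuple[dict[str, Any], dict[str, int]]:
    """Process the sample request twice and return one record plus the endpoint tally."""
    sink: list[dict[str, Any]] = []
    rec = store_usage(SAMPLE_REQUEST, "eligible", sink)
    store_usage(SAMPLE_REQUEST, "not eligible", sink)
    return rec, endpoint_counts(sink)


if __name__ == "__main__":
    record, counts = demo()
    print("stored record:", record)
    print("endpoint usage:", counts)
    print("PII-like keys present in the raw request:", pii_keys(SAMPLE_REQUEST))
```

The `pii_keys` scan is deliberately secondary: a deny-list can only catch names it already knows, whereas the allow-list in `build_usage_record` drops unknown fields without needing to recognise them. Keeping both lets a test suite prove that the stored record is clean while still failing loudly if someone later widens the allow-list carelessly.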