Skip to main content
Open Book Clinical/Governance/Research/Vendor Security Questionnaire
IT Security

Vendor Security Questionnaire

Pre-filled responses to the standard IT security questionnaire issued by university and hospital IT departments when assessing third-party software vendors. Completed by OpenBook Clinical Pty Ltd (ABN 38 698 494 656).

Completed: 1 July 2025Completed by: OpenBook Clinical Security TeamContact: openbookclinical@gmail.com

Save as PDF: Print this page (Ctrl+P / Cmd+P) and select “Save as PDF” to generate a document suitable for your institutional records or IT department submission.

1. Company & Product

Q: What is the product and what does it do?

A: OpenBook Clinical is a web-based clinical decision support (CDS) tool for AHPRA-registered allied health professionals. It provides AI-assisted retrieval and synthesis of peer-reviewed clinical evidence to support evidence-based practice. It is not a medical device (SaMD) and does not diagnose, treat, or prescribe — all clinical decisions remain with the practitioner.

Q: Who operates the product?

A: OpenBook Clinical Pty Ltd (ABN 38 698 494 656), a company registered in New South Wales, Australia. Contact: openbookclinical@gmail.com

Q: Where is data processed?

A: Primary database and authentication: Australia (Supabase, AWS ap-southeast-2, Sydney). Application hosting: Global CDN (Vercel). AI query processing: United States (Anthropic API) under a zero-data-retention agreement — query text is processed and immediately discarded; no data is retained by Anthropic.

Q: Is this a SaaS product?

A: Yes. OpenBook Clinical is delivered as a Software-as-a-Service, accessed via web browser at openbookclinical.com.au. No software installation is required. A mobile-responsive web interface is available; there is no native mobile app at this time.

Q: Is the product intended for clinical use by patients?

A: No. The product is intended solely for use by AHPRA-registered allied health clinicians and researchers. Patients do not use or interact with the platform. The platform assists clinicians in locating and evaluating clinical evidence; it does not provide advice directly to patients.

2. Data Classification

Q: Does the system store patient data?

A: No. The product is explicitly designed to prevent patient data from being entered. There are no patient-record fields, patient-name fields, or clinical-note fields in the user interface. Platform terms of service prohibit users from entering patient-identifiable information. Real-time technical controls detect Australian PII patterns (e.g. Medicare numbers, names + DOBs) and warn users if such patterns are detected in a search query.

Q: What personal data is stored?

A: Clinician account information (name, email address, AHPRA profession, subscription tier); search query text submitted by the clinician; CPD activity logs and reflections; usage metadata (timestamps, session data). No patient records, patient names, dates of birth, Medicare numbers, or clinical notes are stored.

Q: Is the data de-identified?

A: Clinician search queries are associated with the clinician's account but are not linked to any patient. There is no mechanism by which a query could be linked to a patient record, as the platform does not accept patient identifiers. Aggregate usage analytics are de-identified.

Q: What is the data classification of information processed?

A: PROTECTED (clinician account information, search history). No SENSITIVE or TOP SECRET data is processed. Patient health information is not processed.

Q: Does the platform use data for AI model training?

A: No. OpenBook Clinical operates under a zero-data-retention agreement with Anthropic. Query text is transmitted to the Anthropic API for processing and is not retained, used for training, or stored on Anthropic systems. OpenBook Clinical does not train its own AI models on user data.

3. Security Controls

Q: Encryption in transit?

A: TLS 1.3 minimum is enforced on all connections to openbookclinical.com.au. This is enforced at the Vercel CDN layer. HSTS headers are set with a minimum max-age of 1 year. All API calls to sub-processors (Supabase, Anthropic, Stripe) are encrypted in transit.

Q: Encryption at rest?

A: AES-256 encryption is applied to all data at rest in the Supabase database (hosted on AWS ap-southeast-2). Database backups are encrypted. Application secrets (API keys, database credentials) are stored in encrypted environment variables and are never committed to source code.

Q: What access controls are in place?

A: Row-Level Security (RLS) policies are enforced at the database layer — no user can access another user's data. Authentication is JWT-based (Supabase Auth). Multi-factor authentication (MFA) is available to all users. Administrative access to production infrastructure is restricted to authorised personnel and requires MFA.

Q: Has a penetration test been conducted?

A: An independent penetration test is scheduled for 2025. A self-assessed Essential Eight maturity assessment is published at /security/essential-eight. We will share penetration test results under NDA upon request from qualified institutional assessors; contact openbookclinical@gmail.com.

Q: Is there a vulnerability disclosure policy?

A: Yes. A responsible disclosure policy is published at /security/vulnerability-disclosure. We acknowledge security reports within 24 hours and aim to provide an initial assessment within 72 hours.

Q: What logging and monitoring is in place?

A: Application and infrastructure logs are retained for 30 days (Vercel). Database audit logs are enabled. Anomalous authentication events trigger alerts. We do not currently have a 24/7 SOC; monitoring is reviewed on a daily cycle.

Q: What is the patch management approach?

A: Dependency updates and security patches are applied on a regular cycle (weekly automated dependency checks via Dependabot; critical security patches applied within 48 hours of disclosure). The Next.js application framework and Supabase infrastructure are updated regularly.

4. Compliance

Q: Is the product compliant with the Australian Privacy Act 1988 (Cth)?

A: Yes. OpenBook Clinical Pty Ltd is an APP entity subject to the Privacy Act 1988 (Cth). A full Australian Privacy Principles (APP) compliance matrix is published at /privacy/app-compliance. Our Privacy Policy is published at /privacy.

Q: Is the product subject to the Notifiable Data Breaches (NDB) scheme?

A: Yes. OpenBook Clinical is subject to the NDB scheme (Part IIIC, Privacy Act 1988). We maintain an incident response plan. In the event of an eligible data breach, we notify the OAIC and affected individuals within 30 days of becoming aware of the breach.

Q: Is the product compliant with GDPR?

A: OpenBook Clinical serves Australian users only and does not intentionally market to individuals in the European Economic Area. GDPR does not currently apply. If your institution has GDPR obligations, please contact us to discuss.

Q: Is the product classified as a medical device (SaMD) under the TGA?

A: No. OpenBook Clinical is a clinical decision support tool that retrieves and synthesises published literature to assist practitioner decision-making. It does not diagnose, treat, prescribe, or replace professional clinical judgment. Based on TGA guidance on clinical decision support software, the platform does not meet the definition of a medical device. A detailed classification rationale is available on request.

Q: Does the product have IRAP assessment?

A: No IRAP assessment has been conducted at this time. We are assessing the feasibility of IRAP assessment for the 2025–26 financial year. For institutions that require IRAP, please contact openbookclinical@gmail.com to discuss a pathway.

Q: What is the governing law?

A: New South Wales, Australia. All contracts are governed by New South Wales law.

5. Sub-processors

Q: Please list all sub-processors and their locations.

A: A full register is published at /governance/sub-processors. Key sub-processors:
  • Supabase Inc. — Database and authentication. Data location: Australia (AWS ap-southeast-2, Sydney). Certification: SOC 2 Type II.
  • Anthropic PBC — AI query processing (Claude API). Data location: United States. Zero-data-retention. Certification: SOC 2 Type II.
  • Vercel Inc. — Web hosting and CDN. Data location: Global (primary US). Certification: SOC 2 Type II.
  • Stripe Inc. — Payment processing. Data location: United States. Certification: PCI DSS Level 1.
  • Postmark (ActiveCampaign) — Transactional email. Data location: United States. Certification: SOC 2 Type II.

Q: How are sub-processor changes notified?

A: Customers receive 30 days' notice prior to any addition or replacement of sub-processors, by email and via an update to the sub-processor register. DPA customers may object to a proposed change in writing; unresolved objections entitle the customer to terminate without penalty.

6. Business Continuity

Q: What is the Recovery Time Objective (RTO)?

A: Target RTO: 4 hours for critical outages affecting platform availability. This is supported by Vercel's global CDN infrastructure (99.99% SLA) and Supabase's managed database service (99.9% uptime SLA). Platform uptime is monitored continuously.

Q: What is the Recovery Point Objective (RPO)?

A: Target RPO: 24 hours. Supabase automated daily backups with point-in-time recovery (PITR) are enabled. Backups are stored in encrypted form in a separate AWS availability zone.

Q: What happens to data if OpenBook Clinical ceases operation?

A: In the event OpenBook Clinical ceases operation, we will provide customers with a minimum of 90 days' notice and a data export in CSV or JSON format. Account data deletion will be processed within 60 days of the cessation date. This obligation is documented in our standard Data Processing Agreement.

Q: Is there a disaster recovery plan?

A: Yes. The disaster recovery plan covers platform restoration, database recovery, and communication to affected customers. It is reviewed annually. A summary is available to institutional customers on request.

OpenBook Clinical Pty Ltd · ABN 38 698 494 656 · Sydney, NSW, Australia