Our Commitment
MIA processes sensitive clinical information. We take this responsibility seriously. Our security architecture is designed from the ground up for healthcare-grade data protection, with multiple layers of safeguards to ensure the confidentiality, integrity, and availability of all data.
Security Governance
Security at UNCAPT is owned at the executive level. Our security governance structure includes:
- Security Lead: A designated member of the leadership team is responsible for the information security management system (ISMS), risk assessments, and compliance
- Security-aware culture: All team members complete security awareness training and are responsible for reporting incidents and potential vulnerabilities
- Risk management: We maintain a security risk register that is reviewed regularly, with risks assessed against likelihood and impact to clinical data
- Third-party assessments: We engage external parties for periodic security reviews and penetration testing
Infrastructure
Azure Australia East
All data is hosted on Microsoft Azure infrastructure in the Australia East region, ensuring data sovereignty and low-latency access for Australian healthcare providers.
Network Isolation
MIA operates within isolated virtual networks with strict network security group rules, private endpoints, and no direct public internet exposure for data services.
Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Encryption keys are managed through Azure Key Vault with hardware security module (HSM) backing.
Availability
Multi-zone deployment with automated failover, regular backups, and disaster recovery procedures to ensure continuous availability of clinical services.
Physical Security
MIA's infrastructure is hosted entirely on Microsoft Azure. Physical security of data centres is managed by Microsoft and includes:
- 24/7 security personnel, CCTV, and biometric access controls at all data centre facilities
- Multi-layered physical access controls with visitor logging and escort requirements
- Environmental controls (fire suppression, climate control, redundant power)
- Secure media destruction and decommissioning procedures
UNCAPT does not operate its own physical data centres. Azure Australia East data centres are certified to ISO 27001, SOC 1/2/3, and comply with the Australian Government's IRAP (Information Security Registered Assessors Program) requirements. For full details, see Microsoft's compliance documentation.
Access Control
Authentication & Authorisation
- Role-based access control (RBAC) applying the principle of least privilege
- Multi-factor authentication (MFA) required for all administrative access
- Separate environments for development, staging, and production
- Time-limited access tokens with automatic rotation
Audit & Monitoring
- Comprehensive audit logging of all system access and data operations
- Real-time monitoring and alerting for anomalous activity
- Immutable audit trails retained for compliance review
- Regular access reviews and privilege audits
Application Security
- Secure development lifecycle: Security-by-design principles integrated into every stage of development
- Dependency management: Automated scanning for vulnerabilities in third-party dependencies
- Input validation: Strict input sanitisation and validation to prevent injection attacks
- Output safety: MIA includes safety guardrails and crisis detection to ensure clinically safe outputs
- Code review: All code changes undergo peer review before deployment
Malware Protection
- Endpoint protection: All development and administrative endpoints run up-to-date anti-malware software with real-time scanning enabled
- Cloud workloads: Azure Defender (Microsoft Defender for Cloud) is enabled for threat detection across our cloud infrastructure, including container and storage scanning
- Email security: Inbound email is filtered for malicious attachments and phishing attempts
- API security: All API inputs are validated and sanitised to prevent injection of malicious payloads
Patch and Update Management
- Critical patches: Security patches rated critical or high are assessed and applied within 14 days of release
- Operating systems: We use managed and containerised services where patching is handled by the cloud provider (Azure), reducing our patch surface
- Application dependencies: Automated dependency scanning identifies vulnerable libraries, with alerts triaged daily
- Firmware and infrastructure: Azure manages firmware and hypervisor updates for all underlying infrastructure
- End-of-life software: We do not run software that is past its vendor-supported end-of-life date in production environments
Data Protection
Clinical Data
Clinical data processed by MIA is handled with the highest level of care:
- Data minimisation — we only process what is necessary for the clinical task
- Purpose limitation — data is used only for the purposes agreed with the deploying healthcare provider
- De-identification — where possible, data is de-identified before processing
- Retention limits — clinical data is retained only for the duration required by the deploying provider's agreement
Research Data
Data collected as part of university research programs is managed under the governance of the University of Sydney's Human Research Ethics Committee, with separate data management plans and consent processes.
Compliance Framework
- ISO 27001: Information security management practices aligned with ISO 27001 standards
- Australian Privacy Principles (APPs): Full compliance with the Privacy Act 1988 (Cth) and the 13 APPs
- Cyber Essentials: Certified under the Cyber Essentials scheme for baseline security controls
- Health Records Act: Compliance with applicable state and territory health records legislation
Incident Response
We maintain a documented incident response plan that includes:
- 24-hour initial response time for security incidents
- Defined escalation procedures and severity classification
- Notification of affected parties and regulators as required by the Notifiable Data Breaches scheme
- Post-incident review and remediation
Responsible AI
MIA is a clinical decision-support system, not an autonomous agent. We design and operate MIA in accordance with the following principles:
Human Oversight
- All clinical outputs require review and approval by a qualified health professional before being acted upon
- MIA is designed to surface reasoning and evidence so clinicians can make informed decisions
- Clinicians can override, edit, or reject any MIA output at any time
Transparency and Explainability
- MIA's recommendations include the reasoning pathway — clinicians can see why a suggestion was made
- We publish information about MIA's clinical knowledge base, its development with the Brain and Mind Centre, and its validation process
- We are open about MIA's limitations and the boundaries of its clinical applicability
Continuous Expert Validation
- MIA's clinical reasoning is developed in partnership with researchers at the University of Sydney's Brain and Mind Centre
- Clinical experts continuously review, refine, and validate MIA's anonymised reasoning outputs
- We maintain expert feedback loops to ensure MIA's knowledge stays current with best clinical practice
Bias and Fairness
- MIA's clinical frameworks are grounded in published, peer-reviewed research
- We are committed to identifying and mitigating potential biases in MIA's outputs
- Our expert validation process includes review for cultural sensitivity and equitable care recommendations
Data Practices
- We do not use identifiable patient data to train AI models
- Clinical data is not shared with or sent to third-party AI services for model training
- We retain only anonymised reasoning outputs for quality improvement — see our Privacy Policy (Section 5) for full details
Safety
- MIA includes safety guardrails and crisis detection — if indicators of immediate risk are detected, MIA escalates appropriately
- MIA will not provide advice in situations beyond its designed clinical scope
- We maintain a clinical safety incident register and review process
Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to security@uncapt.com. We ask that you:
- Provide sufficient detail for us to reproduce and address the issue
- Allow reasonable time for us to investigate and remediate before public disclosure
- Do not access, modify, or delete data belonging to other users
Contact
For security questions or to request our detailed security documentation:
UNCAPT Pty Ltd
Email: security@uncapt.com
ABN: 15 641 190 552