Independently Verified Security Architecture

Our security isn't just a claim — it's independently verified by multiple third-party security assessments and backed by 50+ documented security controls. Your patient data is protected by enterprise-grade, audited security infrastructure.

Independently Audited • Zero Breaches • Australian Data Residency

Independent Security Verification

Don't take our word for it. Our security is continuously verified by independent, third-party security scanners. Click any badge to verify our results in real time.

ImmuniWeb Security Certificate

ImmuniWeb Website Security Test - Grade A

Click to view our full public security report

Google Cloud Certified Infrastructure

Patient data is hosted exclusively on Google Cloud in Australia (Sydney region). Google Cloud maintains:

ISO/IEC 27001
SOC 1, 2, & 3
PCI DSS
ISO/IEC 27017
ISO/IEC 27018
IRAP Protected
Verify Google Cloud compliance

50+ Security Controls
6 Independent Audits
7yr Audit Log Retention
0 Known Breaches
A+ Encryption Grade
24/7 Automated Monitoring

Multi-Layer Database Protection

Your patient data is protected by four independent security layers. Each layer must be breached for unauthorized access - failure at any layer blocks the entire attack.

Layer 1

Authentication Gateway

  • JWT token validation through Supabase authentication
  • Multi-factor authentication required
  • Session expiration and token refresh controls
Layer 2

API Security Layer

  • Cloud Run application validates all requests
  • Rate limiting and input validation
  • Business logic authorization before any database queries
Layer 3

Network Isolation

  • Serverless VPC connector - only path to database
  • Private IP networking - no public internet access to database
  • Network segmentation within Google Cloud infrastructure
Layer 4

Database Security

  • Cloud SQL PostgreSQL with private IP only
  • AES-256 encryption at rest with customer-managed keys
  • TLS 1.3 encryption for all connections
  • Database audit logging for all access

Security Challenge

For an attacker to access your data, they must simultaneously defeat:

Auth Gateway → API Security → VPC Network → Database Encryption

Probability of successful breach: Virtually zero

Zero Direct Access Architecture

No one can directly connect to your database - including our development team. All access flows through authenticated, logged pathways.

Secure Data Flow

👨‍⚕️ Pharmacist (authenticated user) → 🔐 Supabase Auth (identity verification) → ☁️ Cloud Run API (business logic) → 🔒 VPC Connector (private network) → 🗄️ Database (encrypted storage)

Each step requires authentication and is logged.
Breaking any link in this chain blocks all access completely.

What's NOT Possible

  • Direct database connections
  • Admin backdoors or overrides
  • Unlogged data access
  • Remote database administration
  • Data export without audit trail

Complete Transparency

  • All access attempts logged
  • Real-time monitoring alerts
  • Audit trails for compliance
  • Encrypted data transmission
  • Regular security assessments

Password Intelligence

Every password passes through a four-stage security pipeline before acceptance. Your credentials are protected by the same techniques used by leading security organisations.

Step 01

Strength Analysis

Real-time password strength scoring using advanced pattern analysis — detects dictionary words, common substitutions, keyboard patterns, and sequences

Score ≥ 3/4 Required
Step 02

Breach Database Check

Every password is checked against billions of known compromised credentials. Uses k-anonymity — your full password is never transmitted externally

13B+ Passwords Checked
Step 03

Pattern Blocking

Common passwords, sequential patterns (123456), and keyboard walks (qwerty, asdfgh) are automatically blocked before they can be set

Keyboard Walks Detected
Step 04

History Enforcement

Your last five passwords are securely hashed and stored. Previously used passwords cannot be recycled, enforcing genuine credential rotation

Last 5 Passwords Tracked
12+ Characters • Breach Check • Pattern Block • History Check • Argon2 Hashed ✓

Passwords are hashed with Argon2 — winner of the Password Hashing Competition — designed to be resistant to GPU and ASIC brute-force attacks.
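As an added illustration (not Markoste's code), here is an offline model in Python of stages 2 to 4 of the pipeline described above: the k-anonymity breach check sends only the first five hex characters of the password's SHA-1 digest to a range endpoint (the scheme used by Have I Been Pwned's Pwned Passwords API, which the page does not name) and matches the suffix locally; keyboard walks and digit sequences are blocked; and the last five passwords are compared as salted hashes. The range response is a constructed sample, scrypt from the standard library stands in for Argon2, and the stage 1 strength scorer (assumed to be zxcvbn-style) is not reimplemented.

```python
import hashlib
import hmac

# Constructed sample of a k-anonymity range response for SHA-1 prefix "5BAA6"
# (the prefix of SHA-1("password")); each line is <35-hex-suffix>:<count>.
SAMPLE_RANGE = {"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
                         "1E4C9B93F3F0682250B6CF8331B7EE68FD9:0\n"}
WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789"]

def breach_count(password, fetch_range=SAMPLE_RANGE.get):
    """k-anonymity check: only the first 5 hex chars of the SHA-1 digest are
    sent to the range endpoint; the suffix comparison happens locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in (fetch_range(prefix) or "").splitlines():
        cand, _, count = line.partition(":")
        if cand == suffix:
            return int(count)
    return 0

def has_walk(password, min_len=4):
    """True if a run of min_len+ chars walks a keyboard row or digit sequence,
    in either direction (catches qwerty, asdfgh, 123456, 654321)."""
    p = password.lower()
    return any(s[i:i + min_len] in p
               for row in WALKS for s in (row, row[::-1])
               for i in range(len(s) - min_len + 1))

def history_hash(password, salt):
    """Stand-in for Argon2 (not in the stdlib): scrypt with a per-entry salt."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)

def in_history(password, history):
    """history holds (salt, hash) pairs; only the last five entries count."""
    return any(hmac.compare_digest(history_hash(password, salt), stored)
               for salt, stored in history[-5:])

def validate(password, history=(), fetch_range=SAMPLE_RANGE.get):
    """Run stages 2-4 of the pipeline; returns rejection reasons ([] = accept).
    Stage 1 (zxcvbn-style strength scoring) is assumed and not reimplemented."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if breach_count(password, fetch_range) > 0:
        reasons.append("present in breach corpus")
    if has_walk(password):
        reasons.append("keyboard walk or sequential pattern")
    if in_history(password, list(history)):
        reasons.append("matches one of the last 5 passwords")
    return reasons
```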

Australian Data Residency

  • australia-southeast1 region exclusively
  • No international data transfers for patient information
  • Privacy Act compliant data handling

🇦🇺 Guaranteed: Your patient data never leaves Australian soil and remains under Australian privacy law protection.

Automatic Data Protection

  • 4-hour auto-deletion of patient transcripts
  • Immediate purging from all systems and backups
  • Complete audit trail of deletion activities

⏰ Privacy by Design: Patient data automatically expires, ensuring minimal data retention and maximum privacy protection.

Healthcare Compliance Engine

Purpose-built for Australian healthcare regulation. Every interaction is tracked, every access is logged, and sensitive data is automatically protected.

Tamper-proof

Immutable Audit Trail

Every interaction with patient data is logged — who accessed what, when, and what changed. Audit logs cannot be modified or deleted by any user, creating a tamper-proof compliance record.

2,555 days minimum

7-Year Log Retention

Audit logs are retained for 7 years to meet Australian healthcare record-keeping requirements. Security and warning events are retained indefinitely for forensic analysis.

Privacy by design

Automatic PII Redaction

Sensitive fields like Medicare numbers and credentials are automatically redacted from audit logs. The audit trail tracks access patterns without storing the sensitive values themselves.

Pre-collection consent

Patient Consent Tracking

Patient consent is recorded and tracked before any data can be collected. The consent record captures who gave consent, when, and what type — with renewal tracking built in.

Dual-layer isolation

Organisation Data Isolation

Every data query is automatically scoped to your organisation. Dual-layer isolation — application-level filtering plus database-enforced Row-Level Security — makes cross-organisation access impossible.

Right to deletion

Deletion Audit Preservation

When user accounts are deleted, audit records are anonymised and preserved. This satisfies both the right to deletion and healthcare compliance requirements simultaneously.

Built for Australian Healthcare Law. Designed to comply with the Privacy Act 1988, My Health Records Act 2012, and Australian Digital Health Agency guidelines. All patient data processing occurs exclusively within Australian borders.

ASD Essential Eight Compliance

Self-assessed against the Australian Signals Directorate Essential Eight framework — the Australian Government's baseline cyber security mitigation strategies.

Level 2

Multi-Factor Authentication

TOTP-based MFA with encrypted secrets, backup codes, and lockout protection

Level 2

Restrict Admin Privileges

Separate admin authentication, role-based access control, and Row-Level Security on all tables

Active

Patch Applications

GitHub Dependabot continuously monitors and alerts on dependency vulnerabilities

Level 2

Application Hardening

CSP, HSTS preload, X-Frame-Options, reCAPTCHA, input validation, and CSRF protection

Managed

Regular Backups

Automated daily backups via Google Cloud SQL and Supabase managed infrastructure

Managed

Patch OS

Google Cloud Run manages OS patching — immutable container runtime with no manual OS management

Managed

Application Control

Containerised deployment on Cloud Run with Pydantic input validation and DOMPurify sanitisation

N/A

Office Macros

Not applicable — Markoste is a web application with no Microsoft Office suite deployment

ASD Essential Eight Self-Assessment — Maturity Level 2

Markoste has self-assessed against the Australian Signals Directorate Essential Eight framework at Maturity Level 2 for Multi-Factor Authentication, Administrative Privilege Restriction, Application Hardening, and Patch Management. Infrastructure-level controls (backups, OS patching) are managed by Google Cloud, which holds IRAP Protected assessment. Self-assessment conducted February 2026.

50+ Security Controls In Depth

Beyond verification badges — here is a detailed view of the security controls protecting your data every second of every day.

Authentication & Identity

  • TOTP multi-factor authentication
  • Argon2-hashed MFA backup codes
  • MFA secrets encrypted at rest (AES)
  • Incomplete MFA enrollments auto-expire
  • Elliptic-curve signed sessions (ES256)
  • Session recovery preserves unsaved work
  • Elevated admin verification (server-side)

Password Security

  • 12+ character minimum with strength scoring
  • Breach database check (13B+ credentials)
  • Common password and keyboard walk blocking
  • Password history prevents reuse (last 5)
  • Argon2 hashing (GPU/ASIC attack resistant)
  • Client-side + server-side dual validation
  • 90-day password history auto-cleanup

Attack Prevention

  • Progressive account lockout after failed attempts
  • Adaptive CAPTCHA with risk-based scoring
  • IP-based API rate limiting with standard headers
  • Generic error messages prevent account enumeration
  • MFA verification attempt limiting
  • Token-based CSRF protection on all mutations
  • CORS restricted to verified origin allowlist

Injection & Input Protection

  • XML/XXE injection prevention (defused parsing)
  • Dual-layer input sanitisation (client + server)
  • Mass assignment protection with field allowlists
  • Prototype pollution key stripping
  • SSRF prevention (private IP range blocking)
  • JSON-only content type enforcement
  • Request body size limits

Data Protection & Privacy

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Database Row-Level Security on all tables
  • Organisation-scoped data isolation
  • Automatic 4-hour transcript deletion
  • Time-limited cryptographically signed file URLs
  • Deceased patient filtering from default views

Infrastructure Hardening

  • Private VPC networking (no public DB access)
  • Non-root container execution (least privilege)
  • Credentials in Google Cloud Secret Manager
  • Immutable container deployments
  • Cryptographic service-to-service authentication
  • OIDC token validation for internal messaging
  • Storage path enforcement on file uploads

Security Headers & Transport

  • Content Security Policy (CSP)
  • HSTS with 2-year max-age and preload
  • X-Frame-Options: DENY (clickjacking prevention)
  • Permissions Policy (camera, geo, mic controls)
  • Cross-Origin-Opener-Policy: same-origin
  • SPF, DKIM, and DMARC email authentication
  • Protected routes blocked from search indexing

Monitoring & Threat Detection

  • Structured JSON security event logging
  • Automatic threat severity escalation
  • Suspicious traffic pattern detection
  • Production error sanitisation (no info leakage)
  • Automatic credential redaction in all logs
  • Per-IP security event tracking
  • Real-time monitoring with escalation alerts

Secure Development Lifecycle

  • Dedicated automated security test suite
  • 80% minimum coverage on security-critical code
  • Continuous dependency vulnerability scanning
  • 6 independent third-party security assessments
  • Environment variable validation on startup
  • Database function search_path hardening
  • Audio file type validation and path sanitisation

Responsible Disclosure

We maintain a public security.txt file and welcome responsible disclosure of vulnerabilities.

View our security.txt

Verified, Audited, Trusted

Trusted by pharmacists who demand the highest security for their patient data. Independently verified by SSL Labs, ImmuniWeb, and Mozilla.

SSL Labs A+: top TLS/SSL grade
ImmuniWeb A: security certified
Dark Web Clean: zero exposure found
Australian Data: never leaves the country
Essential Eight: Level 2 self-assessed