Data Residency
Last updated: 1 February 2026
1. Australian Data Sovereignty
Voral.ai is committed to keeping Australian healthcare scheduling data in Australia. We understand that data sovereignty is not just a compliance requirement — it is a trust obligation to the practices and patients we serve.
All scheduling data, voice recordings (where retained), and patient contact information are stored exclusively within Australian data centres.
2. Infrastructure
- Application hosting: Deployed exclusively in Sydney, Australia on SOC 2 Type 2 certified infrastructure with HIPAA Business Associate Agreement. Encrypted storage at rest.
- Voice infrastructure: Real-time voice communication is processed in-session with Australian routing priority. No audio is stored beyond the active session unless explicitly configured.
- Database: Primary data stores are hosted in Australian regions with automated backups retained within Australia.
3. Data Categories & Storage
| Data Category | Storage Location | Retention |
|---|---|---|
| Scheduling records | Australia (Sydney) | Duration of contract + 7 years |
| Voice recordings | Australia (Sydney) | 90 days (configurable) |
| Transcriptions | Australia (Sydney) | Duration of contract + 7 years |
| Practice configuration | Australia (Sydney) | Duration of contract |
| Analytics (aggregated) | Australia (Sydney) | Indefinite (de-identified) |
| Platform logs | Australia (Sydney/Melbourne) | 90 days |
4. Third-Party Sub-processors
| Provider | Purpose | Data Location |
|---|---|---|
| Cloud hosting provider | Application infrastructure | Sydney, Australia |
| Voice platform provider | Real-time voice communication | Session-only processing, no data retention |
| PMS providers | Practice management system integration | Australia (practice-hosted or AU-region cloud) |
5. Encryption
- In transit: TLS 1.3 for all API communications and voice streams. DTLS-SRTP for WebRTC media.
- At rest: AES-256 encryption for all stored data. Encryption keys managed via a dedicated key management service.
- Voice streams: End-to-end encrypted during active sessions. No unencrypted audio is stored at any point.
6. Cross-Border Transfer Policy
We do not transfer personal information or scheduling data outside of Australia. In the limited cases where a third-party service may process metadata (e.g., error logs, anonymised performance metrics), we ensure compliance with APP 8 (cross-border disclosure) and require contractual guarantees equivalent to Australian privacy protections.
7. Compliance Frameworks
- Australian Privacy Act 1988 (Cth) and the 13 APPs
- My Health Records Act 2012 (Cth) — applied by analogy for health-adjacent data
- Notifiable Data Breaches (NDB) scheme
- ACSC Essential Eight security controls
- SOC 2 Type 2 (infrastructure provider certified)
- HIPAA (Business Associate Agreement with infrastructure provider)
8. Contact
For questions about our data residency practices, contact us at privacy@voral.ai.