Security + Compliance
Lamassu Care is built for provider teams that need strong security, clearer compliance visibility, and practical controls around billing workflows, documents, and day-to-day access.
The NDIS Practice Standards set principles-based information management obligations rather than naming specific algorithms. Where we say a control exceeds baseline, that is our implementation-based interpretation against the NDIS standards and OAIC privacy guidance.
For operations context, review our billing workflow guide and software vs spreadsheets comparison.
Security highlights
Your saved data is strongly locked
We encrypt stored information so it is unreadable without the right key (AES-256-GCM).
Data is protected while moving online
Connections are forced to secure HTTPS so information cannot be easily intercepted in transit (TLS 1.3 + HSTS).
Safer sign-in without relying on passwords
Staff can sign in with passkeys like Face ID, fingerprint, or device PIN to reduce phishing and weak-password risk (WebAuthn).
Recoverability if something goes wrong
We create encrypted backups every day to help restore data after incidents or mistakes.
Security controls
Exceeds the principles-based baseline
Sensitive data including participant names, NDIS numbers, user contact and banking fields, and activity logs is encrypted using AES-GCM with 256-bit keys for confidentiality and integrity.
NDIS information management + OAIC encryption guidanceExceeds the principles-based baseline
Passwords are stored with PBKDF2-SHA512 hashing rather than reversible storage, aligning with OAIC guidance that strong hashing is part of sound password protection.
OAIC password hashing guidanceAll traffic is protected with TLS 1.3 and forward secrecy. HSTS is enabled to force HTTPS.
OAIC encryption guidanceExceeds the common authentication baseline
Passwordless authentication is supported through passkey registration and assertion, reducing phishing risk and going beyond the baseline requirement for appropriate authentication controls around sensitive information access.
OAIC authentication and multi-factor guidanceSecure, HTTP-only, SameSite cookies are used with server-side session protection and short-lived auth tokens.
OAIC access security guidanceServer-side CSRF tokens are required on form posts and sensitive endpoints.
OAIC access security guidanceRate limiting on login and sensitive APIs reduces abuse, slows automated attacks, and helps protect platform availability.
OAIC risk-based security guidanceDaily encrypted backups are maintained, with row-level locking for data integrity.
OAIC backup and destruction guidanceSupport Worker, Admin/SC, HR Manager, and Director roles are available with least-privilege defaults.
NDIS information management + OAIC access security guidanceThese implementation details are available for technical review and procurement due diligence.
Contact our team for a tailored walkthrough of controls, governance processes, and implementation planning for your organisation.
FAQ
Short answers for provider leadership, procurement, and IT stakeholders reviewing Lamassu Care.
Lamassu Care uses encryption at rest, TLS 1.3 in transit, secure session controls, and role-based access to reduce data exposure and support safer day-to-day use.
Lamassu Care is designed for provider teams that need stronger workflow controls, audit visibility, document oversight, and security practices that align with NDIS and NDIA-focused operational expectations.
Yes. Lamassu Care can walk procurement, compliance, or IT stakeholders through implementation notes, security controls, and rollout considerations for provider teams.
