Back to Home

Safety & Security

Data protection built around Australian clinical obligations

Virtuosa runs entirely in Australia — data and AI inference stay in the AWS Sydney region. It is built to support confidentiality, privacy, and responsible use of AI in psychology practice. AI output remains a drafting aid, and final report approval remains with the psychologist.

Server-side API keys
Clinician sign-off
AU-resident AI (Sydney)

Confidentiality & isolation

Client material is treated as sensitive health information — encrypted in transit and at rest, scoped to the signed-in practice, and isolated in the database with PostgreSQL Row-Level Security.

Australian data residency

Data and AI inference stay in Australia: PostgreSQL and S3 run in AWS Sydney and Claude runs on Bedrock's au.* inference profiles. The database is private (no public access) and reached over a VPC.

Clinician in the loop

Drafts expose their source context, missing information and reasoning so the psychologist reviews and approves every report before it is used or shared.

AI provider gateway

AU-resident inference, controlled from the Australian backend

Model calls are routed through the Go backend in Sydney, not the browser. That lets Virtuosa keep credentials private, enforce audit rules, and pin inference to Australian (au.*) Bedrock profiles.

AWS Bedrock (Sydney)Claude Sonnet and Haiku run on Amazon Bedrock's Australian (au.*) inference profiles. The provider layer refuses non-Australian profiles, so clinical prompts and generations stay in-region.
Server-side isolationEvery model call is made from the Go backend — API keys, prompts and audit settings never reach the browser, and the AI endpoints require an authenticated, entitled session.
On-device & in-processVoice replies are synthesised on the clinician's device and PDFs are rendered in-process, so report content is not handed to additional third parties.

Operational controls

Controls in place today

Trust Centre

The providers Virtuosa is built on

Virtuosa runs on a small set of vetted providers. Each publishes its own security and compliance material — reviewed here at face value, linked directly so you can verify.

Amazon Web Services

Hosting and AI infrastructure — everything runs in the AWS Sydney (ap-southeast-2) region: the application, PostgreSQL, document storage (S3) and Claude inference on Amazon Bedrock.

AWS Compliance Programs

Anthropic

Maker of the Claude models Virtuosa uses. Models are served through Amazon Bedrock in Sydney — client content is processed in-region and is not used to train models.

Anthropic Trust Centre

Stripe

Subscription billing. Stripe handles card details end-to-end; Virtuosa never stores payment credentials and no clinical content is shared with Stripe.

Stripe security documentation

Postmark

Transactional email — password resets, team invitations, and report delivery when a clinician chooses to email a report.

Postmark security