Security
Teiro stores records about the people you support. Here is how we protect that data.
Last updated: March 2026
Overview
The records Teiro stores include care plans, carer details, incident reports, and compliance documents. We treat the security of that data as a core responsibility, not an afterthought.
This page covers how we host, encrypt, control access to, and recover your data. For details on how we collect, use, and retain personal information, see our privacy policy.
To report a suspected security vulnerability or request a security questionnaire, contact security@teiro.com.au.
Data hosting
All Teiro customer data is stored in AWS ap-southeast-2 (Sydney, Australia). This applies to your organisation's records, carer profiles, care plans, job history, and all associated documents.
Data residency in Australia is not a configuration option or an add-on. It is the default for every customer on the platform.
Transactional emails (notifications and alerts sent through the platform) are delivered via a third-party email service. Some email routing may pass through international infrastructure in transit, which is standard for email delivery. The underlying data remains in Australian-region storage.
If we ever change where data is stored, we will notify affected customers in advance.
Encryption
Data in transit
All communication between your browser or mobile device and Teiro servers is encrypted using TLS 1.2 or higher. HTTPS is enforced across all endpoints. There is no plaintext fallback.
Data at rest
All database storage and backups are encrypted using AES-256. This includes care records, documents, and any files uploaded to the platform.
Key management
Encryption keys are managed by AWS Key Management Service (KMS). Keys are not stored alongside the data they protect.
Access control
Access to data within Teiro is controlled at multiple levels.
Organisation isolation
Each organisation's data is logically separated. Users in one organisation cannot access another organisation's records.
Role-based permissions
Within an organisation, access is governed by roles: admin, scheduler, carer, and approver. Each role has a defined set of permissions. Organisations can configure role access to match their operational requirements.
Two-factor authentication
Two-factor authentication is available for all user accounts. We recommend enabling it for all admin and scheduler accounts.
Production system access
Access to Teiro production infrastructure is limited to authorised engineering staff. Access is audited and reviewed regularly. No shared credentials are used.
Backups and recovery
Teiro performs automated daily backups of all customer data. Backups are retained for 30 days and are encrypted using the same standards as production data.
Point-in-time recovery is available, allowing restoration to any point within the backup retention window.
Restoration procedures are tested regularly to verify that backups are usable and recovery time objectives are met.
Incident response
Teiro maintains an incident response process covering detection, containment, investigation, and notification.
In the event of a data breach, we will notify affected customers within 72 hours, in accordance with the Notifiable Data Breaches (NDB) scheme under the Australian Privacy Act 1988 (Cth). Notifications will include what happened, what data was involved, and what steps we are taking.
To report a suspected security incident, contact security@teiro.com.au. Please include as much detail as you can about what you observed.
Certifications and roadmap
Teiro does not currently hold ISO 27001 certification. We are working towards it.
Our security practices are aligned with ISO 27001 principles: risk assessment, access management, encryption, incident response, and regular security reviews. We believe in building the substance first and formalising it through certification as the organisation matures.
Enterprise customers can request a security questionnaire. Contact security@teiro.com.au.
Responsible disclosure
If you discover a security vulnerability in Teiro, please report it to security@teiro.com.au. We ask that you give us reasonable time to investigate and respond before any public disclosure.
We will acknowledge your report within 2 business days and keep you informed as we investigate.
Email: security@teiro.com.au
For vulnerability reports, please include steps to reproduce the issue, the potential impact, and any supporting evidence. We do not operate a bug bounty programme at this stage.