Privacy overview
How Auraso approaches data in typical deployments.
Draft — privacy/legal review required
This privacy overview is a draft and should be reviewed by a qualified legal or privacy professional before production use.
1. Scope
This overview describes categories of information Auraso products may process. Your organisation's deployment, data processing agreement, and subprocessors list (if any) take precedence where they exist.
2. Account and authentication data
We typically process identifiers needed to operate accounts — such as name, email address, role, tenant membership, password hashes (not plaintext passwords), and session tokens. Security logs may record IP address, user agent, and coarse event metadata.
3. Tenant and user profile data
Organisation names, configuration choices, and user profile fields you supply may be stored to support collaboration inside the workspace.
4. Evidence reference data
Evidence items may include titles, descriptions, statuses, review dates, module associations, and references (for example URLs, locator text, or notes describing where material can be found). By design, Auraso is oriented toward references rather than hosting authoritative copies of sensitive documents.
5. Operational registers and assurance content
Register entries, operational assurance mappings, workflow statuses, and similar operational metadata may be stored to provide the features you use. You should avoid entering participant identifiers unless your policies and legal basis expressly permit it.
6. Audit and activity logs
The platform may record administrative and user actions needed for accountability, troubleshooting, and security monitoring — for example who changed a record and when. Retention periods should be defined in your agreement or administrator documentation.
7. Usage and security telemetry
Limited technical telemetry (errors, performance signals, aggregated usage) may be collected to operate and improve the service. A subprocessors and analytics section should be completed before production launch.
8. No intentional bulk document vault by default
Auraso is not marketed as a primary document repository. Organisations should continue to govern retention, encryption, and access in their authoritative systems of record.
9. Sensitive information warning
Users should minimise personal and sensitive information in free-text fields. Where optional warnings appear in the product, they are reminders — your organisation remains responsible for classification and handling.
10. Data security approach (high level)
Typical controls include logical tenant separation, role-based access, encrypted transport in transit, and industry-standard password handling. Auraso is hosted in Australia. Exact controls depend on deployment; your security pack should describe production configuration after review.
11. Third-party services (placeholder)
Hosting, email delivery, error monitoring, or analytics subprocessors may apply. Publish an up-to-date subprocessor list and data processing agreement before handling regulated health information at scale.
12. Retention
Retention should follow your subscription terms and administrator configuration — for example how long audit logs are kept after offboarding. This marketing page does not set a fixed retention schedule.
13. Access and correction requests
Individuals seeking access to personal information should contact their organisation's administrator first. Where Auraso acts as a processor, the controller coordinates responses.
14. Contact
Privacy questions: hello@auraso.com.au
Support: support@auraso.com.au