Security responsibilities

Health and payments information is sensitive and our users have an expectation of privacy and confidentiality over the data we process. We believe that our platform should be safe, secure and provide a high integrity of service. To fulfil this, we treat security, privacy and processing integrity as our top priority.

Control highlights

  • We only store information necessary for providing our services and only for the period required to meet operational or regulatory responsibilities.
  • Sensitive, private and confidential health information is processed and stored exclusively in Australia.
  • Payment card details are encrypted and hosted on an audited, PCI-compliant system.
  • Health account information is protected through an advanced tokenisation system, similar to that employed by leading banks and payment processors.
  • Data is encrypted end to end through strong TLS ciphers which provide protection beyond SSL.
  • Our hosting partners abide by best practice security frameworks including: ISO27001, Australian InfoSec Registered Assessors Program (IRAP), SOC 1, SOC 2 and PCI DSS.
  • We are internally guided by leading risk, security and privacy control guidance including ISO27001, OWASP secure coding guidelines, AS4360 and the Royal Australian College of General Practitioners standard on management of health information and privacy.
  • We undergo regular independent auditing and employ subject matter experts across our security framework to identify potential issues and to enhance control effectiveness. 

Have questions about security or privacy? Contact us at security@medipass.com.au.

Have an issue to report or want to send an encrypted message? Find our encryption key below.

Responsible disclosure of security vulnerabilities

If you’ve discovered a security vulnerability in our platform or service, please email us at security@medipass.com.au. We will respond promptly, usually within 24 hours. To help us resolve the issue quickly, we provide these guidelines when reporting:

  • provide Medipass with full details of the discovered issue;
  • in the best interests of our users and their data, please do not publicly disclose the issue until it has been addressed by Medipass;
  • never purposely disrupt services for other users;
  • never attempt to access or modify data from other users; and
  • to keep everyone safe, please act in good faith towards our users’ privacy and data during your disclosure.

We won’t take legal action against you or administrative action against your account if you act accordingly.

Although we do not have a security “bounty program”, we’ll make best endeavours to recognise your goodwill. You’ll also gain our praise and #madrespect.

Encrypted messages

Our GPG / PGP key is as follows. You may use this key to encrypt your communications with Medipass.

Account: security@medipass.com.au

Key identifier: E519747D

Key type: RSA

Key size: 4096

Public keyservers: hkps://hkps.pool.sks-keyservers.net
