All data in the Caia App is encrypted. We use Amazon Web Services with servers located in Australia to store information securely on Amazon RDS (Relational Database Service). Passwords are transmitted using TLS (Transport Layer Security) but are never stored.
Within the Caia App, all exchanged data is also encrypted. This applies to any the audio and video data, and also to all other data shared that may be used by the App. Any telehealth component used by Caia aims to adopt state-of-the-art security mechanisms for all connections and particularly for its WebRTC implementation. Connections between browser and Application Server, Signalling Server, or STUN/TURN are all TLS-encrypted and authenticated, with strong cryptography and proper certificate checks. Security for WebRTC communication is enhanced by having the Signalling Server facilitate the cryptographic setup for browser-to-browser communication: browsers securely establish a shared key for every data channel.The TLS protection for STUN/ TURN negotiation ensures that no re-routing of video call communication can take place, either.
As befits a distributed system, all components of the Caia App ecosystem are hardened against attacks.
The Caia App services is compliant with government privacy policies in Australia.
The service conform with the Australian Privacy Act 1988, the Australian Privacy Principles (section 8) relating to data sovereignty and, wherever practicable, the Australian Government Information Security Manual (ISM).
Because of the peer-to-peer nature of some of Caia’s data shared in actual between participants is only ever available in decrypted form only to the participating endpoints of the call. All other intermediaries that forward the call can only see encrypted data. This applies to audio /video data as well as all information exchanged in the session such as chat messages, documents that are being shared. By default, video calls do not store any of the shared data from calls.
Once Australian data or management moves offshore, it is no longer tightly controlled and is subject to the laws of a foreign country or the practices of a foreign corporation. Allowing foreign companies to access and control Australian’s data will not protect the existing rights of Australians to have their privacy and data adequately protected. Sensitive data about Australian citizens must therefore be stored on an ASD (Australian Signals Directorate) certified cloud that can guarantee information is not accessible by foreign governments and their allies.
Caia has therefore taken a approach to hosting only within the AWS (Amazon Web Services) cloud, which has been certified by the ASD’s IRAP (Information Security Registered Assessors Program) which provides assurance that AWS has in place the applicable controls required by the ISM (Australian Government Information Security Manual). As part of that:
i. Personal health data is used solely within the Australian legal jurisdiction.
ii. The confinement of all data storage is restricted to onshore data centres. Security protocols and systems are kept in Australia and within ASD requirements. Commonwealth primacy in all aspects of operation and access to the cloud system.