Security and privacy

XpressOT handles real client health information. Here is exactly how we keep it safe, and where it lives.

Stored in Australia (AWS Sydney)Privacy Act 1988Encrypted in transit and at restNever trains AI on your data

Your data stays in Australia

All client and account data is stored on AWS in Sydney (ap-southeast-2). It is handled under the Privacy Act 1988 and the Australian Privacy Principles, and we operate under the Notifiable Data Breaches scheme.

Never used to train AI

Letters are generated with the Anthropic Claude API using access that is opted out of model training. Your clients information is never used to train any AI model.

Encrypted end to end

Every connection uses TLS 1.2 or higher, and all data is encrypted at rest. Nothing travels or sits in the clear.

Isolated by design

Row-level security is enforced in the database itself, so each practitioner can access only their own clients and letters, never anyone else. This has been independently tested for access-control flaws.

Access you control

Sign in with email and password, add optional two-factor authentication, and Solo accounts are pinned to one active session so a shared password cannot be used in two places at once.

Diagnostics without your data

We monitor errors to keep the service reliable, but client health information and personal identifiers are stripped out before any diagnostic leaves our servers.

Hardened by default

A strict Content-Security-Policy, HSTS, anti-CSRF checks, and rate limiting are enforced on every request to defend against common web attacks.

You own your data

Download any letter as a Word file at any time, and delete your account whenever you choose. After cancellation your data is kept for 30 days so you can export it, then permanently deleted.

Payments handled by Stripe

All billing runs through Stripe (PCI DSS Level 1). XpressOT never sees or stores your card number.

Tested against real threats

XpressOT is built and tested against the OWASP Top 10, including independent penetration and access-control testing.

Transparent about sub-processors

A small number of trusted providers help run XpressOT (hosting, AI generation, payments, email). The full list, and any overseas disclosures, is set out in our Privacy Policy.

Report a vulnerability

Found a security issue? We want to hear about it. Email privacy@xpressot.com.au and we will respond promptly.

© 2026 XpressOT · Privacy Policy · Terms of Service · Security