
Data Security Policy

Last Updated: October 2025

Operator: EZY TCM Pty Ltd

1. Overview

EzyTCM is a practice management platform operated by EZY TCM Pty Ltd (“EzyTCM”, “we”, “us”, or “our”).

EzyTCM is committed to providing a secure, reliable, and professionally managed practice management platform for Chinese medicine and allied health practitioners.

This Data Security Policy outlines the administrative, technical, and physical safeguards implemented by EzyTCM to protect the confidentiality, integrity, and availability of data processed through the EzyTCM platform.

This policy should be read in conjunction with our Privacy Policy and Terms of Use.

2. Scope of This Policy

This policy applies to all data created, stored, processed, transmitted, or accessed through the EzyTCM platform, including but not limited to:

  • Patient personal information and health information
  • Clinical records, consultation notes, prescriptions, and treatment-related data
  • Appointment scheduling, billing, invoicing, and payment-related data
  • User account information, access records, and system audit logs
  • Platform configuration and operational metadata

This policy applies to all clinics, practitioners, authorised staff, EzyTCM employees, contractors, and approved third-party service providers who access or manage platform data.

3. Our Data Security Principles

EzyTCM’s data security framework is based on recognised industry practices and is guided by the following principles:

  • Least-privilege access: users are granted only the minimum level of access required to perform their role
  • Defence in depth: security controls are implemented across multiple layers, including infrastructure, application, and user access
  • Segregation of data: data belonging to different clinics is logically isolated to prevent unauthorised cross-access
  • Continuous risk management: security controls are periodically reviewed and improved
  • Shared responsibility model: EzyTCM secures the platform infrastructure, while clinics are responsible for their internal access management and device security

4. Technical and System Safeguards

4.1 Cloud Infrastructure and Hosting Environment

The EzyTCM platform is hosted on Amazon Web Services (AWS), using cloud infrastructure designed to meet recognised international security standards.

AWS data centres supporting the platform are certified against standards such as ISO/IEC 27001, SOC 1, SOC 2, and SOC 3.

Platform services are deployed within logically isolated virtual private cloud (VPC) environments to reduce exposure and limit attack surfaces.

4.2 Network Security

Network-level protections include:

  • Virtual firewalls and security groups restricting inbound and outbound traffic
  • Network segmentation between application layers
  • Use of secure load balancing and traffic routing
  • Monitoring for abnormal traffic patterns and potential intrusion attempts

These measures are designed to reduce the risk of unauthorised network access.

4.3 Data Encryption

EzyTCM uses encryption technologies consistent with industry best practices:

  • Data is encrypted in transit using secure communication protocols (such as TLS)
  • Sensitive data is encrypted at rest using strong encryption algorithms
  • Cryptographic keys are managed and rotated in accordance with platform security practices

User passwords are never stored in plain text and are protected using secure, non-reversible hashing mechanisms.

4.4 Access Control and Identity Management

Access to the EzyTCM platform is governed by identity and access management controls, including:

  • Role-based access control (RBAC) to restrict system functions and data access
  • Logical separation of clinic data within the application
  • Restricted administrative access with additional authentication requirements
  • Session management and automatic timeout mechanisms to reduce unauthorised access risks

4.5 Logging, Monitoring, and Auditing

EzyTCM maintains logging and monitoring processes to support security and compliance, including:

  • Logging of authentication events and key user actions
  • Centralised log storage with restricted access
  • Monitoring for anomalous or suspicious activity
  • Use of logs for incident investigation, troubleshooting, and compliance reviews

5. Data Backup and System Availability

EzyTCM takes reasonable steps to support data durability, system resilience, and business continuity.

These measures include:

  • Automated and scheduled backups of production data
  • Storage of backups in encrypted and logically separate environments
  • Use of redundant infrastructure components to support availability
  • Documented procedures for system recovery and service restoration

While these controls are designed to reduce the risk of data loss and prolonged outages, EzyTCM does not guarantee uninterrupted availability or the prevention of all data loss scenarios.

6. Use of AI and Automated Features

EzyTCM may provide AI-assisted or automated features, such as transcription, data structuring, or workflow support tools.

  • AI features are intended to assist clinical and administrative workflows only
  • AI-generated outputs do not replace professional judgment or clinical responsibility
  • Patient data is not used for training AI models without appropriate authorisation
  • Clinics remain responsible for reviewing, validating, and approving AI-assisted outputs

7. Third-Party Service Providers

To deliver its services, EzyTCM may engage third-party providers, including cloud infrastructure, analytics, or communication services.

  • EzyTCM seeks to engage providers that maintain appropriate security and privacy controls
  • Third-party access to data is limited to what is necessary to perform contracted services
  • EzyTCM does not control or warrant the security practices of third-party systems beyond its contractual arrangements

8. Security Incidents and Data Breaches

In the event of a suspected or confirmed security incident, EzyTCM will take reasonable steps to:

  • Assess the nature, scope, and potential impact of the incident
  • Contain and mitigate risks where practicable
  • Comply with applicable notification obligations, including under the Notifiable Data Breaches (NDB) scheme

9. Clinic and User Responsibilities

Clinics and users are responsible for:

  • Protecting account credentials and access devices
  • Ensuring system access is limited to authorised personnel
  • Managing staff permissions and access roles appropriately
  • Ensuring that exported or locally stored data complies with applicable privacy and health information laws

EzyTCM is not responsible for security incidents arising from a clinic’s internal systems, devices, networks, or access management practices.

10. Policy Updates

This policy may be updated periodically to reflect changes in technology, platform features, legal requirements, or industry standards.

The most current version will be published on the EzyTCM website and will include the updated “Last Updated” date.

11. Contact Us

For questions about data security or to report a security concern, please contact:

security@ezytcm.com

EZY TCM Pty Ltd

Adelaide, South Australia


© 2026 EzyTCM. All rights reserved.

EzyTCM is a product of EZY TCM Pty Ltd. ABN 52 692 972 053