Security is infrastructure, not a feature.
Oexa builds and operates infrastructure for Australia’s digital health system. Our security program is designed to protect sensitive health data, maintain system availability, and meet the expectations of enterprise health organisations and technical partners.
Our Security Posture
Data Sovereignty
All Oexa systems store and process data exclusively within Australia. We do not route health data through offshore infrastructure. This applies to all products — Scripty, Light, and the Managed Intermediary API.
Encryption at Rest and in Transit
All data stored in Oexa systems is encrypted at rest. All data in transit is encrypted using TLS 1.2 as a minimum supported version. Oexa enforces HTTP Strict Transport Security (HSTS) with a max-age of one year and preloading enabled. Internal service-to-service communication is further protected with mutual TLS (mTLS).
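As an added example (not Oexa's own code), the following Python check parses a Strict-Transport-Security header and evaluates it against the posture stated above: max-age of at least one year and the preload directive present. The includeSubDomains requirement is an assumption taken from the Chromium preload list submission rules, not from this page.

```python
# Policy from the page: HSTS max-age of one year with preloading enabled.
# ONE_YEAR (seconds) and the includeSubDomains rule come from the Chromium
# preload list requirements (hstspreload.org); they are assumptions here.
ONE_YEAR = 31536000


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive; values may be quoted. RFC 6797
    requires each directive to appear at most once, so repeats are an error.
    """
    directives = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:  # tolerate a trailing semicolon
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def check_hsts(header: str) -> list:
    """Return a list of findings; an empty list means the header meets the policy."""
    findings = []
    try:
        d = parse_hsts(header)
    except ValueError as e:
        return [str(e)]
    if "max-age" not in d:
        findings.append("max-age directive missing; header is invalid")
    elif not d["max-age"].isdigit():
        findings.append("max-age is not a non-negative integer")
    elif int(d["max-age"]) < ONE_YEAR:
        findings.append(f"max-age {d['max-age']} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; required for preload list inclusion")
    if "preload" not in d:
        findings.append("preload directive missing")
    return findings


if __name__ == "__main__":
    # Constructed sample header values, not captured from any live system.
    for h in ("max-age=31536000; includeSubDomains; preload", "max-age=300"):
        print(repr(h), "->", check_hsts(h) or "OK")
```

Run this against the value returned for your own domain to confirm the served header matches the stated policy; a max-age of 0 is valid syntax but instructs browsers to forget the policy, and is flagged here.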
Defense in Depth
Security is built into every layer of Oexa’s systems. Our engineering and operations teams collaborate on threat modelling and system design, conduct rigorous code review, maintain hardened deployment infrastructure, and enforce strict corporate security policies. Abstractions are used to minimise the surface area for human error.
Regular Penetration Testing
Oexa engages independent security specialists to conduct penetration testing across all products and infrastructure on a regular cadence. These assessments simulate real-world attack scenarios to identify and remediate vulnerabilities before they can be exploited. Findings are triaged, tracked, and resolved as part of our ongoing security program.
Active DDoS Mitigation
Oexa monitors for and actively mitigates anomalous traffic patterns and volumetric attacks. Our infrastructure is designed to remain available under adverse network conditions, protecting uptime for health consumers, pharmacists, and connected systems alike.
Access Controls and Least Privilege
Access to Oexa systems is governed by the principle of least privilege. Role-based access controls (RBAC) are enforced across internal tooling and production infrastructure. All administrative access is logged and subject to review.
ISO 27001 Certification (In Progress)
Oexa is currently pursuing ISO 27001 certification. Our security management practices are already aligned to the standard’s requirements, and formal certification is underway. We will update this page when certification is complete.
Alignment with Australian Digital Health Requirements
As a participant in Australia’s digital health ecosystem, Oexa operates in accordance with the requirements of the Australian Digital Health Agency (ADHA) and applicable obligations under the My Health Records Act 2012. Our infrastructure is designed to support compliant integration with national health record systems.
Incident Response
Oexa maintains a documented incident response plan covering detection, containment, communication, and post-incident review. In the event of a security incident affecting customer or patient data, Oexa will notify affected parties in accordance with applicable obligations under the Privacy Act 1988 and the Notifiable Data Breaches scheme.
Responsible Disclosure
If you believe you have identified a security vulnerability in any Oexa product or system, please contact us at security@oexa.co. We are committed to working with researchers and partners to investigate and resolve legitimate reports promptly.