Last updated: 11 June 2026
Overview
You own your data. The clinical and business data you store in Nookal belongs to you and your Clinic — not to us. We host and process it only to provide the service, you can export it at any time, and we never sell it or allow it to be used to train third‑party AI models.
Security and the protection of your data is our highest priority — no exceptions. This page explains how we build, operate and verify the security of Nookal.
At a glance:
- Secure by design: layered controls across people, process and technology;
- Data protection: encryption in transit and at rest; least‑privilege access;
- Customer controls: role‑based permissions, granular access, audit trails, IP/geo controls, SSO (not on all plans);
- Reliability: resilient infrastructure, backups and tested recovery procedures;
- Privacy and compliance: Nookal operates globally and aligns its privacy, security, and cookie practices with applicable laws in the regions where our services are used, including the Australian Privacy Act 1988, GDPR/UK GDPR and ePrivacy/PECR, US state privacy laws (e.g., CCPA/CPRA), Canada’s PIPEDA, South Africa’s POPIA, and other local requirements. We implement region‑aware consent and rights workflows, approved international transfer safeguards (e.g., SCCs/UK Addendum), and provide contractual commitments such as a Data Processing Addendum and, where applicable, HIPAA Business Associate Agreement;
- Security assurance: SOC 2 Type 2 certified; independent penetration testing; compliance documentation available on request;
- Payments: card entry and processing are handled by PCI DSS validated payment processors. Nookal does not store full PAN, CVV or PIN on Nookal servers or in Nookal databases.
Data Security
Encryption
- In transit: Connections to Nookal services are protected using HTTPS/TLS with modern cipher suites.
- At rest: Production data and backups are encrypted using industry‑standard encryption, such as AES-256 where supported by the underlying service.
Access Management
- Least privilege: Production access is restricted to authorized personnel based on role and necessity.
- Authentication: Strong password policies are enforced. Single Sign‑On (SSO) and 2-factor authentication are available.
- Session security: Sessions time out after inactivity and are protected against common session attacks.
For authenticated customers with an account, the following customer security features apply:
- Roles and permissions: Fine‑grained access controls to restrict who can view, edit and export sensitive data;
- IP/geo restrictions: Limits access based on IP range and/or geographic location (available on relevant plans);
- Audit logging: Key user activities are logged to support security reviews and compliance;
- Invoice locking and advanced security settings: To reduce the risk of unauthorized financial changes;
- APIs and webhooks: API keys, scopes and rate limits.
Application Security
- Secure development: Secure coding practices (SSDLC), peer review, and change management for code and infrastructure changes;
- Dependency and vulnerability management: Continuous monitoring and remediation of vulnerabilities;
- Security testing: Ongoing internal reviews and periodic independent testing. Summary reports are available under NDA.
Infrastructure Security
- Environment separation: Production systems are logically separated from development and testing;
- Hardening and monitoring: Systems are configured to security baselines and monitored for anomalous activity;
- Backups: Encrypted backups conducted on a regular schedule; restorations tested for integrity. Please see our ‘Backups’ page for more information: https://www.nookal.com/backups
Protecting Your Account
Security is a partnership — we secure the platform, and these simple steps secure your account:
- Turn on two‑factor authentication (2FA) for every user, or use Single Sign‑On (SSO) where available on your plan;
- Use roles and permissions so each team member can access only what their role requires, and remove access promptly when staff leave;
- Use strong, unique passwords — a password manager makes this easy — and never share logins between staff;
- Review third‑party access — only enable the integrations and API keys you actively use, and revoke any you no longer need;
- Restrict where your account can be accessed from using IP/geo restrictions (available on relevant plans);
- Keep browsers and devices updated, and lock screens in shared clinic spaces;
- Check your audit logs periodically for activity you don’t recognise, and contact support@nookal.com immediately if something looks wrong.
Reliability
- High availability: Platform built for resilience and horizontal scalability.
- Backups and disaster recovery: Documented BCP/DR procedures; testing performed periodically. Nookal are SOC 2 Type 2 and HIPAA verified. RTO/RPO is available on request.
- Status and uptime: See https://status.nookal.com for real‑time status and incident communications.
Privacy
We are committed to ensuring there are sufficient privacy protections provided as part of your security protocols. Our Privacy Policy and Cookies Policy provide further information on how personal information may be handled:
- Privacy program: Designed to support the Australian Privacy Principles and obligations under GDPR/UK GDPR for EEA/UK customers. See our Privacy Policy at https://www.nookal.com/legal/privacy;
- Cookies and tracking: Non‑essential cookies are set only with consent where required. See our Cookie Policy at https://www.nookal.com/legal/cookies.
Payments and PCI
- Card data handling: Nookal does not store full PAN, CVV or PIN on Nookal servers or in Nookal databases. Card entry and processing are handled by PCI DSS validated payment processors using hosted, tokenised or processor‑controlled payment flows (our current partners being Stripe, Tyro and PayPal, as amended from time to time);
- Validation: We complete annual PCI DSS validation appropriate to our payment flows (e.g., SAQ A/A‑EP) and maintain secure development, access controls, and vulnerability management processes;
- Documentation: Our current PCI Attestation of Compliance (AOC) is available to customers and partners upon request.
Healthcare Safeguards
- No advertising trackers in the app: We do not deploy third‑party advertising trackers in authenticated areas of the platform;
- Sensitive data: Features that may contain sensitive health information are restricted through roles, permissions and audit trails to support your compliance obligations.
Sub-processors
We work with carefully selected service providers (hosting, email, customer support, analytics, etc.), each subject to security, privacy and confidentiality obligations appropriate to the services they deliver.
The current sub-processor list: https://www.nookal.com/legal/subprocessors.
We will notify customers of material changes in accordance with our agreements.
Compliance Documents
- Data Processing Addendum (DPA), including EU Standard Contractual Clauses (SCCs) and the UK Addendum: available on request.
- Security documentation: We may provide summary penetration test reports, a vulnerability management overview and a business continuity summary upon request. Such requests will be reviewed and determined by us in our sole discretion and may require a separate agreement to be signed.
- Agreements and policies: See our Terms of Service, Privacy Policy and Cookie Policy for additional information and commitments.
Report a Security Issue
We welcome reports from the security community and our customers:
- How to report: Email privacy@nookal.com with a detailed description, affected URLs/endpoints, reproduction steps, and any relevant screenshots or proofs of concept.
- Safe behaviour: Please do not access, modify, or delete data that does not belong to you, and do not perform actions that could degrade service (e.g., brute force, DoS, or social engineering).
- Our commitment: We aim to acknowledge reports within 7 business days and will keep you informed as we triage and remediate. We do not currently run a public bug bounty program.
Contact
- Security and privacy inquiries: privacy@nookal.com
- General support: support@nookal.com
Questions? Contact privacy@nookal.com for privacy and compliance enquiries, or support@nookal.com for product support.