Vendor Security Questionnaire
Pre-filled responses to the standard IT security questionnaire issued by university and hospital IT departments when assessing third-party software vendors. Completed by OpenBook Clinical Pty Ltd (ABN 86 679 963 681).
Save as PDF: Print this page (Ctrl+P / Cmd+P) and select “Save as PDF” to generate a document suitable for your institutional records or IT department submission.
1. Company & Product
Q: What is the product and what does it do?
Q: Who operates the product?
Q: Where is data processed?
Q: Is this a SaaS product?
Q: Is the product intended for clinical use by patients?
2. Data Classification
Q: Does the system store patient data?
Q: What personal data is stored?
Q: Is the data de-identified?
Q: What is the data classification of information processed?
Q: Does the platform use data for AI model training?
3. Security Controls
Q: Encryption in transit?
Q: Encryption at rest?
Q: What access controls are in place?
Q: Has a penetration test been conducted?
Q: Is there a vulnerability disclosure policy?
Q: What logging and monitoring is in place?
Q: What is the patch management approach?
4. Compliance
Q: Is the product compliant with the Australian Privacy Act 1988 (Cth)?
Q: Is the product subject to the Notifiable Data Breaches (NDB) scheme?
Q: Is the product compliant with GDPR?
Q: Is the product classified as a medical device (SaMD) under the TGA?
Q: Does the product have IRAP assessment?
Q: What is the governing law?
5. Sub-processors
Q: Please list all sub-processors and their locations.
- Supabase Inc. — Database and authentication. Data location: Australia (AWS ap-southeast-2, Sydney). Certification: SOC 2 Type II.
- Anthropic PBC — AI query processing (Claude API). Data location: United States. Zero-data-retention. Certification: SOC 2 Type II.
- Vercel Inc. — Web hosting and CDN. Data location: Global (primary US). Certification: SOC 2 Type II.
- Stripe Inc. — Payment processing. Data location: United States. Certification: PCI DSS Level 1.
- Postmark (ActiveCampaign) — Transactional email. Data location: United States. Certification: SOC 2 Type II.
Q: How are sub-processor changes notified?
6. Business Continuity
Q: What is the Recovery Time Objective (RTO)?
Q: What is the Recovery Point Objective (RPO)?
Q: What happens to data if OpenBook Clinical ceases operation?
Q: Is there a disaster recovery plan?
OpenBook Clinical Pty Ltd · ABN 86 679 963 681 · Sydney, NSW, Australia