
Trust Centre

Your health data deserves the highest standard of protection. Here is how exora keeps it safe.

Australian Data Residency: Stored in Sydney, never leaves AU
AES-256 Encryption: At rest and in transit
Row-Level Security: Database-enforced data isolation
Passwordless Auth: No passwords to steal or forget
No Data Selling: Your data is never monetized

Data protection

Data residency

All data is stored in Sydney, Australia on Australian-hosted infrastructure. Your health data never leaves Australian jurisdiction. This includes your documents, extracted health records, and personal information.

Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Documents, health records, and personal information are protected by industry-standard cryptography at every stage.

Access and authentication

Access control

Every database query is scoped to the authenticated user through row-level security policies. This is enforced at the database level, not just the application layer. No user can access another user's data - including exora staff.

Authentication

Passwordless sign-in via one-time codes sent to your email or phone. No passwords to steal, leak, or forget. Optional biometric app lock with Face ID, Touch ID, or fingerprint provides an additional layer of protection.

AI processing and your data

Your documents are processed by AI to extract and structure health information. We use Google Gemini and OpenAI models, selected for each stage of our pipeline based on accuracy and capability.

No training on your data

Under our paid commercial API agreements, your health data is never used for AI model training by any provider.

Transient processing

Data is processed and returned. AI providers do not retain your health data beyond the immediate processing request.

Australian infrastructure

Our processing infrastructure is hosted in Sydney, Australia. AI model inference is handled by Google, OpenAI, and Anthropic via their commercial APIs. Data is transmitted securely and is not retained by these providers.

You own your data. Always.

exora is a custodian, not an owner. You decide who sees your data, how it is shared, and when it is deleted. Delete your account and all your data is permanently removed within 30 days. No questions. No retention. No exceptions.

Compliance

Australian Privacy Act

Designed to comply with the Australian Privacy Principles (APPs) including enhanced protections for health information.

Notifiable Data Breaches

Documented incident response plan covering detection, containment, notification to OAIC and affected users.

Pursuing ISO 27001

Working towards international information security management certification.

HIPAA Readiness

Building towards HIPAA compliance for future international expansion.

Subprocessors

Third-party partners who help us securely process your data.

Supabase: Database, authentication, file storage (Sydney, Australia)
Google Cloud: Cloud Run worker, infrastructure (Sydney, Australia)
Google Gemini: AI models for document processing (Sydney, Australia)
OpenAI: AI models for clinical extraction and chat (United States)
Anthropic: AI models for clinical processing (United States)
Vercel: Web application hosting (Global CDN)
Resend: Transactional email delivery (United States)
Twilio: SMS delivery (OTP codes) (United States)
Formspree: Contact form submissions (United States)

All providers operate under data processing agreements. For a complete list or to request our DPA, contact hello@exora.au

Need more detail?

If you are evaluating exora for a partnership, integration, or procurement process, we can provide additional security documentation on request.
