Version 2025
This article explains how Careview meets NDIA cyber-security and data-residency requirements for NDIS plan managers. It may be provided directly to NDIA auditors or compliance assessors.
Careview is hosted on Microsoft Azure in Australian datacentres only.
Careview infrastructure and customer data are hosted exclusively in:
- Australia East (Sydney)
- Australia Southeast (Melbourne)
These Azure regions are IRAP-assessed for Australian Government workloads.
All backups, replicas and disaster-recovery systems remain within Australian Azure regions.
The following data always remains fully on-shore:
- NDIS participant information
- Customer operational data
- Documents and attachments
- Database records
- Audit logs
- Backups and archival data
Careview does not store or process NDIS participant data outside Australia.
As with all modern cloud platforms, some non-identifying operational telemetry handled by Microsoft Azure (such as system health signals, routing metadata, or global performance metrics) may be processed offshore.
This telemetry never includes:
- NDIS participant information
- Any personally identifiable information
- Any NDIA-related data
- Any customer documents or content stored in Careview
This is normal and accepted under NDIA, NDIS Practice Standards, and Australian Government Information Security Manual expectations.
All connections to Careview use:
- HTTPS
- TLS 1.2 or TLS 1.3
- AES-256-GCM or AES-128-GCM cipher suites
- Ephemeral ECDHE/DHE key exchange
- SHA-256 or SHA-384 hashing
Legacy protocols (SSL, TLS 1.0, TLS 1.1) are disabled.
Careview data is encrypted at rest using:
- AES-256 for databases
- AES-256 for file storage
- AES-256 for backups and managed disks
Careview uses RSA-SHA256 TLS certificates issued by a recognised Certificate Authority. Azure Front Door and App Service enforce modern cipher suites and perfect forward secrecy.
Careview enforces strict least-privilege access:
- Role-based access control
- Segregated environments (production vs non-production)
- Operational access restricted to authorised personnel
- No access to customer data unless explicitly authorised and logged
Careview infrastructure operates inside private Azure virtual networks. Internal services communicate over Microsoft’s secure internal backbone rather than the public internet.
Careview logs:
- User logins and access
- Changes to participant records
- Administrative actions
- System-level events
Logs are stored securely within Australia.
Careview uses Azure-native monitoring and alerting and maintains incident-response procedures aligned with NDIA expectations.
Your organisation may provide the following statement to auditors:
Careview, our CRM provider, hosts all NDIS participant and customer data exclusively within Australian Microsoft Azure datacentres (Australia East and Australia Southeast). All backups and redundancy systems also remain within Australia. No NDIS participant information or personally identifiable data is stored or processed offshore.
Careview enforces encryption in transit using TLS 1.2 or TLS 1.3 with modern AES-GCM cipher suites and forward-secret key exchange. All data stored within Careview is encrypted at rest using AES-256.
Careview applies a least-privilege operational model, private network isolation, secure Microsoft Azure service-to-service routing, and audit logging of user activity. Careview’s Azure platform is IRAP-assessed for government workloads and meets NDIA data-residency and cyber-security expectations.
5. Summary
Careview satisfies NDIA expectations for:
- Australian-only storage of NDIS participant data
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.2/1.3)
- Modern ISM-aligned cryptography
- Network isolation and platform segmentation
- Least-privilege operational access
- Audit logging and monitoring
- Secure Microsoft Azure infrastructure
This KB article may be provided to auditors, the NDIA, or internal compliance teams.