Trust

How we handle your data, care, and the rules around it.

Plain English versions of the policies that sit behind WellBeingOS. We will keep this page short and current. If anything here is unclear, write to hello@wellbeingos.com.au.

01 · Privacy

Your data, with as few hands on it as possible.

WellBeingOS reads what it needs from your plan manager, the NDIA's PACE APIs, and the worker side of each booking. We keep it inside Australia and we do not sell it.

  • What we hold: your participant ID and demographics (shared by your plan manager), your plan budget snapshot, booking history, claim status, and the messages you exchange with ARIA.
  • What we do not hold: NDIS pricing decisions we have not made, health records outside what a booking requires, payment instruments (claims sweep through the plan manager).
  • Where it lives: Australian data residency on Google Cloud (region australia-southeast1). No cross-border processing.
  • Who can see it: you, your nominated plan manager, and the workers assigned to your bookings. Access is logged.
  • Third-party trackers on this site: none. No Google Analytics, no Hotjar, no Meta pixel. The page you are reading does not send your IP to anyone except our origin server.

02 · Security

Encryption in transit and at rest. Tenant isolation at IAM.

Built to be auditable on a Tuesday afternoon, not the week before the audit.

  • Encryption: TLS 1.3 in transit, AES-256 at rest on all Firestore, Cloud Storage, and Secret Manager objects.
  • Tenant isolation: every provider org has its own B2B device credentials for the NDIA APIs, stored as separate secrets and scoped by IAM. We do not multiplex tenants through a shared platform key.
  • Authentication: myID + RAM for NDIA-bound flows. Multi-factor authentication on every staff account.
  • Audit trail: every booking, claim, edit and admin action is signed and time-stamped. Exportable in minutes.
  • Vulnerability practice: patch SLA inside seven days for critical CVEs. Dependency scanning on every pull request.

03 · Accessibility

WCAG 2.2 AA floor. Cognitive-load discipline by design.

The customer app is read together (participant and support person) far more often than apps designed for a single reader, so it cannot assume one person holds the whole context. Plain English at Hemingway grade six or lower.

  • Contrast: 4.5:1 minimum for text, 7:1 (AAA) on the numeric surface (projected balance, pending claims, last-synced).
  • Touch targets: 44 × 44 px minimum on tap.
  • Screen readers: every interactive element has an aria-label or labelled-by relationship. We test against VoiceOver on iOS and macOS as part of each release.
  • Reduced motion: the wave drift, the breathing live dot, the ink-wipe scene transitions, the number tweens. All honour prefers-reduced-motion: reduce.
  • Keyboard navigation: every form, scrubber, and timeline day is operable from the keyboard. Focus rings are visible (3px ring, teal).
  • Language register: no NDIA category codes, no PACE / legacy jargon, no tier vocabulary. Translation handled at the boundary so participants never see it.
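One way to check the contrast and reduced-motion commitments in the list above, as an added example that is not WellBeingOS code: it computes the WCAG 2.x contrast ratio from two hex colours against the 4.5:1 (AA text) and 7:1 (AAA numeric surface) floors stated above, and reads prefers-reduced-motion through a matchMedia-shaped object so the decision can be tested outside a browser. The colour values and animation durations are constructed for the sample; the page does not give the teal focus-ring colour, so none is assumed here.

```javascript
// Added example, not WellBeingOS code. WCAG 2.x relative luminance and
// contrast ratio, with the thresholds this page commits to.

// Parse "#rgb" or "#rrggbb" into [r, g, b] in 0..255.
function hexToRgb(hex) {
  const h = hex.replace('#', '');
  const full = h.length === 3 ? h.split('').map((c) => c + c).join('') : h;
  const n = parseInt(full, 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

// sRGB channel -> linear light, per the WCAG 2.x definition.
function channelToLinear(c) {
  const s = c / 255;
  return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
}

// Relative luminance: weighted sum of the linearised channels.
function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map(channelToLinear);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); ranges 1..21.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// 4.5:1 for ordinary text, 7:1 on the numeric surface (balance, claims, synced).
function meetsContrast(fg, bg, { numericSurface = false } = {}) {
  const required = numericSurface ? 7 : 4.5;
  const ratio = contrastRatio(fg, bg);
  return { ratio: Math.round(ratio * 100) / 100, required, pass: ratio >= required };
}

// Read the user's motion preference. `win` is anything with matchMedia(),
// defaulting to the real window; when unknown (server render, old browser)
// this sample assumes full motion is acceptable.
function prefersReducedMotion(win = typeof window !== 'undefined' ? window : undefined) {
  if (!win || typeof win.matchMedia !== 'function') return false;
  return win.matchMedia('(prefers-reduced-motion: reduce)').matches;
}

// Pick animation durations once from the preference; durations are constructed.
function motionDurations(prefersReduced) {
  return prefersReduced
    ? { waveDrift: 0, liveDot: 0, sceneWipe: 0, numberTween: 0 }
    : { waveDrift: 8000, liveDot: 1600, sceneWipe: 400, numberTween: 600 };
}

// Constructed sample: #767676 on white is the classic just-passing AA grey.
console.log(meetsContrast('#767676', '#ffffff'));
console.log(meetsContrast('#767676', '#ffffff', { numericSurface: true }));
console.log(motionDurations(prefersReducedMotion()));
```

The two thresholds map directly to the page's commitments: an ordinary text colour is judged against 4.5:1, a numeric-surface colour against 7:1, and the same helper can run in a release check over every foreground/background pair the design tokens define.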

04 · NDIS compliance

Built around the NDIA, not against it.

The platform is built around the NDIA's actual integration surfaces and the practical rules each registered provider has to clear.

25 DPP APIs wired in · 6-gate booking check · 7-day patch SLA on critical CVEs

  • NDIS Practice Standards: worker screening, service rules, price-guide caps, and claim eligibility encoded into the platform's six-gate booking check. A booking that fails any gate cannot reach the worker's phone.
  • Worker screening: NDIS Worker Check, AHPRA registration, First Aid, CPR. Verified at onboarding, watched daily, renewed before lapse.
  • NDIA integration: 25 DPP APIs wired in (plan retrieval, claim submission, MyProviders polling, support-item validation). Per-provider-org B2B credentials, never a shared platform key.
  • MyProviders endorsement: a participant action with the NDIA, not something the platform initiates. We poll for the endorsement to land, then unlock stated-category bookings (SDA, Home & Living, Behaviour Support).
  • Money flow: claims sweep directly from the NDIA to the plan manager or self-managed participant. WellBeingOS never sits on participant funds.
  • Data residency: Australian Google Cloud region. Aligns with APP 8 and the NDIS Privacy Code.

Questions on any of this?

Write directly. We reply within one business day, Brisbane time.

hello@wellbeingos.com.au