Built for Security.
Designed for Compliance.
BloomSenzAI platforms handle sensitive health data for children, families, and pets. Compliance isn't an afterthought; it's foundational to every line of code, every API endpoint, and every data flow in our systems.
Shared Compliance Framework
These standards apply across both Innerwork and BloomPaws, ensuring every platform meets the same rigorous security and privacy bar.
SOC 2 Type II
Our infrastructure and operations are built to meet SOC 2 Trust Service Criteria. We implement continuous monitoring of security controls, access management, change management, and incident response across all BloomSenzAI platforms.
- Annual independent third-party audits
- Continuous control monitoring via automated tooling
- Least-privilege access with MFA enforcement
- Encrypted data at rest (AES-256) and in transit (TLS 1.3)
- Formal incident response and business continuity plans
General Data Protection Regulation (GDPR)
Both Innerwork and BloomPaws are designed with privacy-by-design principles. We support GDPR compliance for organisations operating in the EU/EEA or handling the personal data of EU residents.
- Lawful basis for processing (consent, contract, legitimate interest)
- Right to access, rectification, erasure, and data portability
- Data Processing Agreements (DPAs) available for all customers
- Data residency options: AU, EU, and US regions
- Appointed Data Protection Officer (DPO)
- 72-hour breach notification procedures
ISO 27001 Information Security
Our information security management system (ISMS) is aligned with ISO 27001 controls. We maintain documented policies, risk assessments, and security controls across all platforms.
- Formal information security policy and risk register
- Periodic risk assessments and treatment plans
- Employee security awareness training
- Vendor and third-party security assessments
- Physical and logical access controls
Payment Card Industry Data Security Standard
All payment processing across both platforms is handled via PCI DSS Level 1 certified providers (Razorpay, Stripe). No card data is ever stored, processed, or transmitted by BloomSenzAI servers.
- Tokenized payment processing via certified gateways
- No card data stored on BloomSenzAI infrastructure
- Strong Customer Authentication (SCA) support
- Secure webhook verification for payment events
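Webhook verification is the control that decides whether a "payment succeeded" event is trusted, so it is worth showing what it consists of. The following is an added example, not BloomSenzAI's code: a verifier for the two header schemes the gateways named above publish (Stripe's `Stripe-Signature: t=<timestamp>,v1=<hex>` over `"<timestamp>.<raw body>"`, and Razorpay's `X-Razorpay-Signature`, an HMAC-SHA256 of the raw body). The secrets, sample event body and tolerance window are constructed for the example.

```python
import hmac
import hashlib
import time
from typing import Optional

# Constructed secrets for the example. Real endpoint secrets come from the
# gateway dashboard and belong in a secret manager, never in source.
STRIPE_ENDPOINT_SECRET = b"whsec_example_do_not_use"
RAZORPAY_WEBHOOK_SECRET = b"rzp_webhook_example_do_not_use"

# Maximum age of a signed event before it is treated as a replay (assumption
# for the example; Stripe's own libraries default to 300 seconds).
TOLERANCE_SECONDS = 300


def _hmac_sha256_hex(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_stripe_signature(raw_body: bytes, sig_header: str, secret: bytes,
                            now: Optional[int] = None) -> bool:
    """Stripe scheme: header 't=<unix ts>,v1=<hex>[,v1=<hex>...]'.
    The MAC is computed over the exact bytes received, prefixed with the
    timestamp; re-serialising the JSON first would break verification."""
    now = int(time.time()) if now is None else now
    timestamp = None
    candidates = []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            try:
                timestamp = int(value)
            except ValueError:
                return False
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    # The timestamp is inside the signed payload, so an attacker who replays an
    # old event cannot refresh it without the secret. Reject stale events.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = _hmac_sha256_hex(secret, f"{timestamp}.".encode() + raw_body)
    # Constant-time compare against every v1 value; more than one may be
    # present while a secret is being rotated.
    return any(hmac.compare_digest(expected, c) for c in candidates)


def verify_razorpay_signature(raw_body: bytes, sig_header: str, secret: bytes) -> bool:
    """Razorpay scheme: X-Razorpay-Signature is hex HMAC-SHA256(secret, raw body)."""
    expected = _hmac_sha256_hex(secret, raw_body)
    return hmac.compare_digest(expected, sig_header.strip())


def sign_stripe_style(raw_body: bytes, secret: bytes, timestamp: int) -> str:
    """Builds a header the way the gateway would; used here only to produce test input."""
    mac = _hmac_sha256_hex(secret, f"{timestamp}.".encode() + raw_body)
    return f"t={timestamp},v1={mac}"


def sign_razorpay_style(raw_body: bytes, secret: bytes) -> str:
    return _hmac_sha256_hex(secret, raw_body)


# Constructed sample event body. A real handler would also de-duplicate on the
# event id, because gateways retry deliveries that were not acknowledged.
SAMPLE_BODY = b'{"id":"evt_example","type":"payment_intent.succeeded","data":{"amount":4900}}'

if __name__ == "__main__":
    ts = int(time.time())
    header = sign_stripe_style(SAMPLE_BODY, STRIPE_ENDPOINT_SECRET, ts)
    print("stripe valid:   ", verify_stripe_signature(SAMPLE_BODY, header, STRIPE_ENDPOINT_SECRET))
    print("stripe tampered:", verify_stripe_signature(SAMPLE_BODY.replace(b"4900", b"1"), header, STRIPE_ENDPOINT_SECRET))
    print("stripe replayed:", verify_stripe_signature(SAMPLE_BODY, header, STRIPE_ENDPOINT_SECRET, now=ts + 3600))
    rz = sign_razorpay_style(SAMPLE_BODY, RAZORPAY_WEBHOOK_SECRET)
    print("razorpay valid: ", verify_razorpay_signature(SAMPLE_BODY, rz, RAZORPAY_WEBHOOK_SECRET))
```

Two points matter in practice: the verifier must read the raw request body before any JSON middleware touches it, and a valid signature only proves the event came from the gateway. The handler should still look the payment up by id through the gateway's API before fulfilling an order, so that a compromised webhook secret alone cannot mark unpaid orders as paid.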
Healthcare & Therapy Compliance
Innerwork handles Protected Health Information (PHI) for children and families. These regulations are specifically addressed in our therapy platform.
HIPAA: Health Insurance Portability & Accountability Act
Innerwork is HIPAA-ready for therapy centres handling Protected Health Information (PHI). The platform is built to support the HIPAA Technical, Administrative, and Physical Safeguards.
- Business Associate Agreements (BAAs) for all customers
- Encryption of PHI in transit and at rest
- Role-based access control (RBAC) with audit trails
- Automatic session timeouts and re-authentication
- PHI access logging with tamper-evident audit logs
- Secure messaging between therapists and parents
- Data backup and disaster recovery procedures
FERPA: Family Educational Rights & Privacy Act
For therapy centres operating within educational settings (school-based therapy, early intervention), Innerwork supports FERPA compliance by protecting student education records and therapy progress data.
- Parental consent management for student data access
- Restricted access to student therapy records
- Integration-ready with school district identity providers
- Data deletion upon request from educational agencies
COPPA: Children's Online Privacy Protection Act
Innerwork handles data of children under 13 through a parental consent model. The child never directly provides personal information; all data flows through the authenticated parent or therapist.
- Parental control system with policy enforcement
- No direct data collection from children
- Parent-controlled device mode with usage tracking
- Verifiable parental consent before child data processing
- Minimal data collection principle for child profiles
India Digital Personal Data Protection Act, 2023
For therapy centres operating in India, Innerwork complies with the DPDP Act provisions for processing personal data of children and health-related data.
- Consent-based data processing with purpose limitation
- Right to correction and erasure of personal data
- Guardian consent for processing child data (under 18)
- Data localisation support for Indian customers
- Grievance redressal mechanism
Australian Privacy Act 1988 & APPs
As an Australian company, BloomSenzAI fully complies with the Australian Privacy Act and the 13 Australian Privacy Principles (APPs) governing the collection, use, and disclosure of personal information.
- Compliance with all 13 Australian Privacy Principles
- Transparent privacy policy and collection notices
- Cross-border data transfer protections
- Notifiable Data Breach (NDB) scheme compliance
Veterinary & Pet Care Compliance
BloomPaws handles veterinary records, pet owner personal data, and pharmacy workflows, each with specific regulatory requirements.
Veterinary Record-Keeping Standards
BloomPaws maintains electronic veterinary records in accordance with veterinary board requirements across supported jurisdictions, including vaccination histories, treatment records, and prescription logs.
- Structured electronic medical records (EMR) for animals
- Vaccination schedule tracking with regulatory compliance
- Prescription and controlled substance audit trails
- Record retention policies aligned with veterinary board requirements
Pet Owner Data Privacy
BloomPaws protects the personal information of pet owners (contact details, payment information, and appointment history) under GDPR, the Australian Privacy Act, and applicable local privacy regulations.
- Consent-based communication and marketing
- Secure pet owner portals with individual authentication
- Data minimisation: only essential data collected
- Owner-controlled data sharing with clinics
Veterinary Pharmacy & E-Commerce
BloomPaws e-commerce and pet product shop modules are designed to comply with veterinary pharmacy regulations, ensuring that prescription products require verified veterinary authorisation.
- Prescription product gating with vet authorisation workflow
- Product classification and restricted item controls
- Audit trail for prescription product orders
- Age-appropriate product recommendations
How We Keep Your Data Safe
Security controls that power compliance across every BloomSenzAI platform.
Authentication
JWT + HttpOnly cookies, MFA support, session management, parent PIN for child device mode
Encryption
AES-256 at rest, TLS 1.3 in transit, field-level encryption for sensitive health data
Audit Logging
Immutable audit trails for every data access, policy change, and administrative action
Access Control
Role-based access (Admin, Therapist, Parent, Child) with granular permissions per entity
Data Residency
Choose your data region: AWS Sydney (AU), Frankfurt (EU), or Virginia (US)
Backup & Recovery
Automated daily backups with point-in-time recovery. 99.9% uptime SLA
Penetration Testing
Annual third-party penetration testing with remediation SLAs
Monitoring
24/7 infrastructure monitoring, anomaly detection, and automated alerting
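The "tamper-evident audit logs" promised for PHI access above and the "immutable audit trails" listed under Audit Logging rest on one mechanism: each entry carries a keyed hash that covers the previous entry, so a record cannot be altered, removed or reordered without breaking every entry that follows. The following is an added example of that mechanism, not BloomSenzAI's code; the signing key, the role names and the sample PHI-access events are constructed for the illustration.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed key for the example. In production the MAC key lives in a KMS
# or HSM that the application's database role cannot read; otherwise whoever
# compromises the application can rewrite the chain and re-sign it.
AUDIT_LOG_KEY = b"example-audit-hmac-key-not-for-production"

# The first entry chains to a fixed all-zero value.
GENESIS = "0" * 64


def _canonical(obj: dict) -> bytes:
    # Stable serialisation so the same record always produces the same MAC.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _entry_mac(key: bytes, seq: int, prev: str, event: dict) -> str:
    return hmac.new(key, _canonical({"seq": seq, "prev": prev, "event": event}),
                    hashlib.sha256).hexdigest()


def append_entry(chain: List[dict], event: dict, key: bytes = AUDIT_LOG_KEY) -> dict:
    """Append an event, binding it to the MAC of the previous entry."""
    prev = chain[-1]["mac"] if chain else GENESIS
    seq = len(chain)
    record = {"seq": seq, "prev": prev, "event": event,
              "mac": _entry_mac(key, seq, prev, event)}
    chain.append(record)
    return record


def verify_chain(chain: List[dict], key: bytes = AUDIT_LOG_KEY) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    entry that fails. Catches edits, deletions and reordering of any entry
    before the last one."""
    prev = GENESIS
    for i, record in enumerate(chain):
        if record.get("seq") != i or record.get("prev") != prev:
            return i
        expected = _entry_mac(key, i, prev, record.get("event", {}))
        if not hmac.compare_digest(expected, record.get("mac", "")):
            return i
        prev = record["mac"]
    return None


# Constructed sample events in the shape a PHI access log might use.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "actor": "therapist:t-104", "action": "read",
     "resource": "child_profile:c-2210", "fields": ["session_notes"]},
    {"ts": "2024-05-01T09:02:11Z", "actor": "parent:p-880", "action": "read",
     "resource": "child_profile:c-2210", "fields": ["progress_summary"]},
    {"ts": "2024-05-01T09:05:40Z", "actor": "admin:a-3", "action": "policy_change",
     "resource": "device_policy:c-2210", "fields": ["screen_time_limit"]},
]


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event)
    return chain


def tamper_demo() -> dict:
    """Apply three tamperings to copies of the sample chain and report where
    verification first fails for each."""
    intact = build_sample_chain()
    edited = json.loads(json.dumps(intact))
    edited[1]["event"]["actor"] = "parent:p-999"       # rewrite who accessed the record
    deleted = json.loads(json.dumps(intact))
    del deleted[0]                                      # remove the first access
    reordered = json.loads(json.dumps(intact))
    reordered[1], reordered[2] = reordered[2], reordered[1]
    return {
        "intact": verify_chain(intact),       # None
        "edited": verify_chain(edited),       # 1
        "deleted": verify_chain(deleted),     # 0
        "reordered": verify_chain(reordered), # 1
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The chain does not detect truncation: dropping the most recent entries leaves a shorter chain that still verifies. Deployments close that gap by periodically anchoring the latest MAC somewhere the application cannot overwrite (a write-once object store bucket, a separate logging account, or a signed timestamp service), and by having the verifier compare against that anchor as well as walking the chain.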
Questions About Compliance?
Our security and compliance team is available to discuss your specific requirements, provide documentation, or set up a DPA for your organisation.
Start Your Free Trial or Book a Demo
Whether you run a therapy centre or a vet clinic, we'd love to show you what BloomSenzAI can do.