Surely is SOC 2 compliant, end-to-end encrypted, and designed from the ground up to handle personally identifiable health information in accordance with New Zealand law.
Independent audit of security, availability & confidentiality
All data encrypted in transit with time-limited access links
Certified for personally identifiable health information
Surely's platform is hosted on enterprise-grade cloud infrastructure with multiple availability zones. All data is encrypted at rest and in transit using industry-standard encryption protocols. Our infrastructure is continuously monitored for anomalous access patterns and availability.
Access to health records is governed by explicit, documented patient consent. Reports are delivered via time-limited presigned URLs. Access expires automatically after delivery. We minimise unnecessary PII on public-facing endpoints.
Surely operates in accordance with all applicable New Zealand health information legislation and international security standards:
Surely connects to clinic Practice Management Systems via the Medtech ALEX FHIR API, a standards-based, authenticated integration. Clinic credentials are never stored by Surely. Tokens are issued per-request and scoped precisely to the authorised consent event. No data beyond the consented scope is accessed or retained.
Health records retrieved through Surely are not stored beyond the period required to deliver the report to the requesting party. Once delivery is confirmed, access is revoked and data is purged in accordance with our retention schedule. Audit logs are maintained separately and retained for compliance purposes.
If you discover a security vulnerability in Surely's platform, please report it responsibly to hello@surely.co.nz. We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly.
For security enquiries, contact us at hello@surely.co.nz or write to Surely Ltd, Level 4, 40 Taranaki Street, Wellington 6011, New Zealand.