Healthcare Data Security at Ecko

We treat patient data like it's our own.
Built by psychologists who understand what's at stake.

"Every design decision at Ecko starts with one question: Would I trust this with my own patient's data?"

— Marika Conomos, CEO, Founder & Psychologist

Most health platforms treat security as a compliance checkbox. We built Ecko around the belief that if you're handling someone's most vulnerable moments, security has to be architectural — not an afterthought.

Certifications & Compliance

ISO/IEC 27001

Controls implemented - formal certification underway

SOC 2

Controls implemented - formal certification underway

TGA

The 'Ecko for Patients' Care app is a TGA-registered medical device (ARTG 527352).

Australian Privacy Principles

Compliant

HIPAA

Aligned

Infrastructure

Google Cloud Platform (Sydney) — ISO 27001, 27017, 27018, SOC 2, IRAP PROTECTED
Payments: Stripe & Tyro — PCI DSS Level 1

How we protect your data

Data Residency

All clinical data is stored exclusively in Australia on Google Cloud Platform's Sydney region, using IRAP PROTECTED infrastructure with enforced data residency via Assured Workloads.

Encryption

AES-256 encryption at rest. TLS 1.2+ in transit. Customer-managed encryption keys. Cell-based tenant isolation ensures no practice can ever access another's data.

AI & Privacy

Your clinical data is never used to train AI models. AI processing occurs via API with zero-data-retention agreements. Your data goes in, your notes come out. Nothing is kept.

Payment Security

Payments are processed by Stripe and Tyro, both PCI DSS Level 1 certified. Ecko never stores, processes, or has access to card data directly.

Access Control & Monitoring

Role-based access controls, audit logging, and active monitoring. Every access to patient data is logged and reviewable.

Business Continuity

Automated backups, 2-hour recovery time objective, and disaster recovery plans tested regularly.

Enterprise Readiness

- DPA and BAA available on request
- Customer audit rights
- Dedicated account management
- Custom onboarding and data migration
- SLA: 99.9% uptime for enterprise plans

Contact us for enterprise security documentation

FAQ

Is Ecko ISO 27001 certified?

We have implemented ~90% of ISO 27001 controls and are currently selecting our certification auditor. Our infrastructure (GCP) is fully ISO 27001 certified.

Where is my data stored?

All clinical data is stored in Sydney, Australia on IRAP PROTECTED infrastructure.

Is Ecko HIPAA compliant?

Ecko is HIPAA aligned. We serve a small number of US-based users and our controls meet HIPAA requirements.

Is my data used to train AI?

No. Your data is never used for AI training.

What happens if there's a data breach?

We have an incident response plan with a fixed-time notification commitment. Details are in our Trust Portal.

Can I get a DPA or BAA?

Yes. Contact us at support@eckohealth.ai