Built for Security.
Designed for Compliance.
BloomSenzAI platforms handle sensitive health data for children, families, and pets. Compliance isn't an afterthought — it's foundational to every line of code, every API endpoint, and every data flow in our systems.
Shared Compliance Framework
These standards apply across both Innerwork and BloomPaws, ensuring every platform meets the same rigorous security and privacy bar.
SOC 2 Type II
Our infrastructure and operations are built to meet SOC 2 Trust Service Criteria. We implement continuous monitoring of security controls, access management, change management, and incident response across all BloomSenzAI platforms.
- ✓ Annual independent third-party audits
- ✓ Continuous control monitoring via automated tooling
- ✓ Least-privilege access with MFA enforcement
- ✓ Encrypted data at rest (AES-256) and in transit (TLS 1.3)
- ✓ Formal incident response and business continuity plans
General Data Protection Regulation (GDPR)
Both Innerwork and BloomPaws are designed with privacy-by-design principles. We provide full GDPR compliance for organisations operating in the EU/EEA or handling data of EU residents.
- ✓ Lawful basis for processing (consent, contract, legitimate interest)
- ✓ Right to access, rectification, erasure, and data portability
- ✓ Data Processing Agreements (DPAs) available for all customers
- ✓ Data residency options — AU, EU, and US regions
- ✓ Appointed Data Protection Officer (DPO)
- ✓ 72-hour breach notification procedures
ISO 27001 Information Security
Our information security management system (ISMS) is aligned with ISO 27001 controls. We maintain documented policies, risk assessments, and security controls across all platforms.
- ✓ Formal information security policy and risk register
- ✓ Periodic risk assessments and treatment plans
- ✓ Employee security awareness training
- ✓ Vendor and third-party security assessments
- ✓ Physical and logical access controls
Payment Card Industry Data Security Standard
All payment processing across both platforms is handled via PCI DSS Level 1 certified providers (Razorpay, Stripe). No card data is ever stored, processed, or transmitted by BloomSenzAI servers.
- ✓ Tokenized payment processing via certified gateways
- ✓ No card data stored on BloomSenzAI infrastructure
- ✓ Strong Customer Authentication (SCA) support
- ✓ Secure webhook verification for payment events
Healthcare & Therapy Compliance
Innerwork handles Protected Health Information (PHI) for children and families. These regulations are specifically addressed in our therapy platform.
HIPAA — Health Insurance Portability & Accountability Act
Innerwork is HIPAA-ready for therapy centres handling Protected Health Information (PHI). Our platform implements the full spectrum of HIPAA Technical, Administrative, and Physical Safeguards.
- ✓ Business Associate Agreements (BAAs) for all customers
- ✓ End-to-end encryption for PHI in transit and at rest
- ✓ Role-based access control (RBAC) with audit trails
- ✓ Automatic session timeouts and re-authentication
- ✓ PHI access logging with tamper-evident audit logs
- ✓ Secure messaging between therapists and parents
- ✓ Data backup and disaster recovery procedures
FERPA — Family Educational Rights & Privacy Act
For therapy centres operating within educational settings (school-based therapy, early intervention), Innerwork supports FERPA compliance by protecting student education records and therapy progress data.
- ✓ Parental consent management for student data access
- ✓ Restricted access to student therapy records
- ✓ Integration-ready with school district identity providers
- ✓ Data deletion upon request from educational agencies
COPPA — Children's Online Privacy Protection Act
Innerwork handles data of children under 13 through the parental consent model. The child never directly provides personal information — all data flows through the authenticated parent or therapist.
- ✓ Parental control system with policy enforcement
- ✓ No direct data collection from children
- ✓ Parent-controlled device mode with usage tracking
- ✓ Verifiable parental consent before child data processing
- ✓ Minimal data collection principle for child profiles
India Digital Personal Data Protection Act, 2023
For therapy centres operating in India, Innerwork complies with the DPDP Act provisions for processing personal data of children and health-related data.
- ✓ Consent-based data processing with purpose limitation
- ✓ Right to correction and erasure of personal data
- ✓ Guardian consent for processing child data (under 18)
- ✓ Data localisation support for Indian customers
- ✓ Grievance redressal mechanism
Australian Privacy Act 1988 & APPs
As an Australian company, BloomSenzAI fully complies with the Australian Privacy Act and the 13 Australian Privacy Principles (APPs) governing the collection, use, and disclosure of personal information.
- ✓ Compliance with all 13 Australian Privacy Principles
- ✓ Transparent privacy policy and collection notices
- ✓ Cross-border data transfer protections
- ✓ Notifiable Data Breach (NDB) scheme compliance
Veterinary & Pet Care Compliance
BloomPaws handles veterinary records, pet owner personal data, and pharmacy workflows — each with specific regulatory requirements.
Veterinary Record-Keeping Standards
BloomPaws maintains electronic veterinary records in accordance with veterinary board requirements across supported jurisdictions — including vaccination histories, treatment records, and prescription logs.
- ✓ Structured electronic medical records (EMR) for animals
- ✓ Vaccination schedule tracking with regulatory compliance
- ✓ Prescription and controlled substance audit trails
- ✓ Record retention policies aligned with veterinary board requirements
Pet Owner Data Privacy
BloomPaws protects the personal information of pet owners — contact details, payment information, and appointment history — under GDPR, Australian Privacy Act, and applicable local privacy regulations.
- ✓ Consent-based communication and marketing
- ✓ Secure pet owner portals with individual authentication
- ✓ Data minimisation — only essential data collected
- ✓ Owner-controlled data sharing with clinics
Veterinary Pharmacy & E-Commerce
BloomPaws e-commerce and pet product shop modules are designed to comply with veterinary pharmacy regulations, ensuring that prescription products require verified veterinary authorisation.
- ✓ Prescription product gating with vet authorisation workflow
- ✓ Product classification and restricted item controls
- ✓ Audit trail for prescription product orders
- ✓ Age-appropriate product recommendations
How We Keep Your Data Safe
Security controls that power compliance across every BloomSenzAI platform.
Authentication
JWT + HttpOnly cookies, MFA support, session management, parent PIN for child device mode
Encryption
AES-256 at rest, TLS 1.3 in transit, field-level encryption for sensitive health data
Audit Logging
Immutable audit trails for every data access, policy change, and administrative action
Access Control
Role-based access (Admin, Therapist, Parent, Child) with granular permissions per entity
Data Residency
Choose your data region — AWS Sydney (AU), Frankfurt (EU), or Virginia (US)
Backup & Recovery
Automated daily backups with point-in-time recovery. 99.9% uptime SLA
Penetration Testing
Annual third-party penetration testing with remediation SLAs
Monitoring
24/7 infrastructure monitoring, anomaly detection, and automated alerting
Questions About Compliance?
Our security and compliance team is available to discuss your specific requirements, provide documentation, or set up a DPA for your organisation.
Start Your Free Trial or Book a Demo
Whether you run a therapy centre or a vet clinic — we'd love to show you what BloomSenzAI can do.