Data Security
We access sensitive financial and operational data from dental practices. This page explains exactly what we access, where it goes, who can see it, and what happens when you leave.
Documentation
Everything you need to verify our data handling practices before granting access to any of your systems.
One-page overview
A single-page summary of what we access, where your data is stored, how we protect it, and your rights. Share it with your accountant, business partner, or anyone who needs to understand our security posture.
Download PDF
Contractual agreement
The formal agreement that governs how we handle your data. Covers scope, security controls, breach notification, sub-processors, retention, deletion, and your audit rights. Signed as part of onboarding.
Download DOCX
Data lifecycle
From your systems to our platform to the reports you receive. Every step is controlled, encrypted, and auditable.
We connect to your Xero via OAuth 2.0 with granular scopes, requesting only the specific permissions we need. At Tier 3+, we extract data from your practice management software using a lightweight local agent that reads your database and sends the extracted data to our platform over HTTPS. Credentials for these connections are stored in Azure Key Vault.
Data lands in our Azure environment hosted in the Australia East region (Sydney). It is normalised and tagged to your practice. Each practice is isolated at the database layer using row-level security. Your data cannot be queried alongside or mixed with any other practice.
Our intelligence layer generates KPIs and detects anomalies. All financial calculations (GST, BAS, reconciliations, payroll) are deterministic: computed by rules engines, not by AI. AI assists with pattern detection and communication drafting only.
Intelligence reaches you via WhatsApp, SMS, or email. Human review is required before any payment, journal, BAS lodgement, or material advice is actioned. Humans approve. Machines do not.
Infrastructure
All infrastructure runs in the Azure Australia East region (Sydney). This includes application servers, databases, blob storage, and message queues. Data at rest is encrypted with AES-256. Data in transit uses TLS 1.2 or higher. No data leaves Australia.
AI capabilities are delivered through Azure OpenAI Service deployed in the Australia East region. Your data is processed within Microsoft's Azure environment. It is not available to OpenAI. It is not used to train any Microsoft or OpenAI models. It is not shared with other customers. Prompts and responses are not stored by the AI service after processing.
Team access is governed by Azure Entra ID with multi-factor authentication enforced. Secrets and credentials are stored in Azure Key Vault. All access events are logged to an immutable audit trail. Access is reviewed quarterly.
What we access
We request only the granular Xero OAuth scopes we need for your tier. We never request blanket access.
| Data type | Source | How we access it | Tier |
|---|---|---|---|
| Invoices, bills, credit notes, payments, bank transactions | Xero Accounting API | OAuth 2.0, accounting.transactions scope | All tiers |
| Chart of accounts, tax rates, tracking categories | Xero Accounting API | OAuth 2.0, accounting.settings scope | All tiers |
| Journal entries (system-generated) | Xero Accounting API | OAuth 2.0, accounting.journals.read scope | All tiers |
| Contacts (suppliers, patients as debtors) | Xero Accounting API | OAuth 2.0, accounting.contacts scope | All tiers |
| P&L, balance sheet, trial balance, BAS report, aged receivables, aged payables, bank summary | Xero Accounting API (Reports) | OAuth 2.0, accounting.reports.read scope | All tiers |
| Fixed assets, depreciation schedules, asset types | Xero Assets API | OAuth 2.0, assets scope | All tiers |
| Employee records, pay runs, leave, STP | Xero Payroll API (AU) | OAuth 2.0, payroll.employees + payroll.payruns + payroll.settings scopes | Tier 2+ |
| File attachments on transactions | Xero Files API | OAuth 2.0, files scope | Tier 2+ |
| Appointments, scheduling, bookings | D4W / PMS | Local read-only extraction via sync agent | Tier 3+ |
| Patient name, contact, recall status | D4W / PMS | Local read-only extraction via sync agent | Tier 3+ |
| Treatment plans (accepted/pending/declined) | D4W / PMS | Local read-only extraction via sync agent | Tier 3+ |
| Provider schedules, chair utilisation | D4W / PMS | Local read-only extraction via sync agent | Tier 3+ |
| Clinical notes, medical histories | D4W / PMS | -- | Never |
| X-rays, imaging, clinical records | D4W / PMS | -- | Never |
| Patient health information (diagnosis, treatment notes) | Any | -- | Never |
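
A practice can check the Xero consent request against the table above before approving it. The sketch below is an added example, not Siace Partners' code: the function names, the sample URL and its `client_id` are constructed, the handling of the identity scopes (`openid`, `profile`, `email`, `offline_access`) is an assumption, and the write-capable check relies on Xero's naming convention, where a `.read` suffix marks the read-only variant of a scope.

```python
from urllib.parse import urlparse, parse_qs

# Xero scopes per tier, copied from the "What we access" table on this page.
BASE_SCOPES = {
    "accounting.transactions", "accounting.settings", "accounting.journals.read",
    "accounting.contacts", "accounting.reports.read", "assets",
}
TIER2_SCOPES = {"payroll.employees", "payroll.payruns", "payroll.settings", "files"}
# Identity/session scopes that grant no access to accounting data (assumption).
NON_DATA_SCOPES = {"openid", "profile", "email", "offline_access"}

# Constructed sample consent URL; client_id and state are placeholders.
SAMPLE_URL = (
    "https://login.xero.com/identity/connect/authorize?response_type=code"
    "&client_id=EXAMPLE_CLIENT_ID&state=example"
    "&scope=openid+offline_access+accounting.transactions+accounting.settings"
    "+accounting.journals.read+accounting.contacts+accounting.reports.read"
    "+assets+payroll.employees"
)


def allowed_scopes(tier):
    """Scopes the table lists for a given tier (Tier 2+ adds payroll and files)."""
    return BASE_SCOPES | (TIER2_SCOPES if tier >= 2 else set())


def audit_consent_url(url, tier):
    """Compare the scopes in an OAuth authorization URL with the tier's allowlist."""
    query = parse_qs(urlparse(url).query)  # decodes '+' and %20 to spaces
    requested = set(" ".join(query.get("scope", [])).split())
    data_scopes = requested - NON_DATA_SCOPES
    allowed = allowed_scopes(tier)
    return {
        # Requested but not listed for this tier: query before approving.
        "unexpected": sorted(data_scopes - allowed),
        # Listed for this tier but absent from the request: informational.
        "not_requested": sorted(allowed - data_scopes),
        # No ".read" suffix: the scope also permits writes.
        "write_capable": sorted(s for s in data_scopes if not s.endswith(".read")),
    }


if __name__ == "__main__":
    for tier in (1, 2):
        print(tier, audit_consent_url(SAMPLE_URL, tier))
```

The same comparison can be applied to the scope list shown for the connected app inside Xero after consent, which is also where the connection is revoked.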
How we protect it
All data is processed and stored in the Azure Australia East region (Sydney). AI processing runs through Azure OpenAI deployed in the same region. We do not transmit your data overseas. Your data is subject to Australian law and the Australian Privacy Act 1988.
Xero access uses OAuth 2.0 with granular read-only scopes. Practice management system access uses a dedicated SQL account with SELECT-only permissions, read locally by our sync agent. We do not modify your data. The one exception: at Tier 2+, we may process transactions in Xero as part of your AP/AR workflow, but only with your explicit approval per transaction or per payment run.
We use Azure OpenAI Service, not consumer OpenAI. Your prompts and outputs are not available to other customers. They are not available to OpenAI. They are not used to train any Microsoft or OpenAI model. They are not stored after processing. The AI runs inside Microsoft's Azure infrastructure, sandboxed from the public internet and from other tenants.
Every record is tagged with a clinic identifier. Row-level security is enforced at the database layer. There is no scenario in which one practice's data can be seen by, queried alongside, or mixed with another practice's data. This is enforced architecturally.
Data at rest uses AES-256 encryption via Azure Storage Service Encryption. Data in transit uses TLS 1.2 or higher. Database connections to your practice management system use encrypted channels. Secrets are managed in Azure Key Vault.
Xero access is established through OAuth 2.0. We never see or store your Xero password. The connection token is revocable by you at any time from within Xero. For practice management system connections, we use dedicated read-only accounts created specifically for our service, with credentials stored in Azure Key Vault.
AI assists with analysis, pattern detection, and communication drafting. AI does not have unsupervised authority to move money, post journals, lodge BAS, or take any action with financial consequence. Financial calculations are deterministic: computed by rules engines, not by language models. Every material action requires human review and explicit approval.
Team access is governed by Azure Entra ID with role-based access control and mandatory multi-factor authentication. Every access event is logged to an immutable audit trail. Access is scoped to the specific data required for the service being delivered and is reviewed quarterly.
In the event of a data breach affecting your data, we will notify you within 72 hours and comply with the Notifiable Data Breaches (NDB) scheme under the Australian Privacy Act. We will tell you what happened, what data was affected, and what we are doing about it.
If you terminate the engagement, we delete your data within 90 days unless a longer retention period is legally required. You can revoke Xero access immediately from within your own Xero account. There is no lock-in, no exit fee, and no data extraction charge.
Compliance
Our platform is designed to comply with the privacy and data protection requirements of the jurisdictions we serve.
We comply with the Australian Privacy Act 1988 and the 13 Australian Privacy Principles (APPs). This governs how we collect, use, disclose, store, and dispose of personal information. We comply with the Notifiable Data Breaches scheme. All data is stored in Australia. Our principal, Jovi Sia, is a CPA Australia member.
For practices operating in Singapore, we comply with the PDPA and its 2020 amendments. This includes the consent obligation (we collect only what is necessary and with explicit consent), purpose limitation (data is used only for the services described in our engagement terms), protection obligation (reasonable security arrangements including encryption and access controls), and the transfer limitation obligation (data transferred from Singapore to Australia is protected to a standard comparable to the PDPA, satisfied by our contractual data protection terms and Azure's enterprise security framework). We support the requirement to appoint a Data Protection Officer and maintain data protection policies.
Siace Partners is designed to support accounting and advisory partnerships across Australian and Singaporean jurisdictions. PDPA compliance is built in from day one to support cross-border partner and client engagements.
Our infrastructure runs on Microsoft Azure, which holds ISO 27001, SOC 2 Type II, and IRAP (Information Security Registered Assessors Program) certifications relevant to Australian government and healthcare workloads. Azure OpenAI Service inherits these certifications within the Azure trust boundary.
Shared responsibility
Keep your own Xero and practice management system credentials secure. Do not share login details over email or messaging.
When a staff member leaves your practice, revoke their access to shared systems promptly. Notify us if they had any interaction with the Siace platform.
If you suspect a security incident involving any system we are connected to, notify us immediately at hello@siacepartners.com.
We are happy to walk you through our data security practices before you grant any access.