For the user, confidentiality and security are infused throughout Halaxy so that you can be confident that you’re managing access to your data correctly. Examples include:
Extensive user access levels, with four levels for practitioners and three levels for administrative staff, including a number of specific options within each level dependent upon the particular user.
Anonymisation of invoices and finance reports, so that you can provide invoices and reports to funding bodies and accountants without breaching confidentiality.
Halaxy service staff cannot see sensitive information; when Halaxy service staff access your account to assist with service queries, all confidential details are randomised or removed. If Halaxy staff need to assist with regard to a particular patient, they will ask for an anonymous patient ID rather than a patient's name.
Internally, Halaxy is operated from Melbourne, and data for Australian practitioners is stored within Australia in securely protected data centres with multiple backups in place. This data is protected by 256-bit bank-grade security and encryption, meaning patient records, notes, and payment information are protected to the same level required by Australian banks.
For practitioners in the EU, data is stored in the EU in accordance with GDPR requirements. This data is also protected by 256-bit bank-grade encryption, with multiple backups in place.
Access to data is restricted, patient and practitioner data is anonymised, and data transmissions are encrypted. In the event of a data breach, an internal policy and response plan has been prepared in accordance with the Notifiable Data Breaches Scheme.
Halaxy's payments gateway is powered by Braintree in Australia and Hyperwallet in the EU. Both are subsidiaries of PayPal, which, as one of the world's largest payments providers, is protected by bank-grade encryption and world-class security protocols.
When a patient's or client's card details are entered into Halaxy, they are stored and tokenised by Halaxy's payments gateway. This means that once initially entered and captured, card details are not visible to anybody within the clinic or at Halaxy and cannot be retrieved by Halaxy. If card details need to be altered or updated, this requires the card to be completely re-entered, as a tokenised card is unable to be edited.
In addition, Halaxy features a customisable authorised payment limit for transactions, at which point the cardholder is required to enter a verification code via SMS to authorise the transaction. This not only protects cardholders from unauthorised transactions, it also lowers the risk of disputed payments because the cardholder is required to actively authorise the payment.
Data you enter into Halaxy may be disclosed to third parties for the purpose of providing you a service (for example, to send SMS reminders we must provide patients' mobile phone numbers to our SMS provider). Halaxy does not use or disclose, and has never used or disclosed, identifiable patient data to third parties except in the provision of such a service.
Note that some of our integrations with sub-processors, such as with Xero accounting software, may result in data being stored overseas due to those companies operating in other territories. Therefore, if a practitioner integrates their Halaxy account with Xero, their data could go offshore to the USA, which is one of the reasons why we allow practitioners to remove names when they are syncing with Xero. This is unique in the market and another way we help practitioners protect their patients' and clients' privacy.