About SECUVA

Three security practitioners who kept seeing the same gap in healthcare.

SECUVA was not founded to build another compliance platform. It was founded because three people who spent their careers understanding how data gets exposed - and how attackers reach it - saw that healthcare data governance in Australia was broken, and that nobody building software for the problem actually understood the problem.

What brought SECUVA to life
The gap everyone knows, nobody addresses

Healthcare organisations are sharing de-identified data with AI vendors, research partners, and analytics platforms - but the de-identification is often incomplete, undocumented, and ungoverned. The Privacy Act obligation exists. The tooling to meet it at clinical scale does not.

Built from the attack surface, not the compliance checklist

Most healthcare data tools are built from a software engineering perspective. SECUVA was designed by asking: if someone wanted to re-identify this patient, how would they do it? That question produces a different architecture than a questionnaire does.

Australian law, not retrofitted from HIPAA

The Privacy Act 1988, the My Health Records Act, and the OAIC's de-identification guidance are not HIPAA. The obligations differ. The technical requirements differ. SECUVA was built against Australian law from day one.

The difference

Built by people who know where the real risks are.

Offensive security background

The founding team has practitioner experience in adversarial simulation - not just defending against documented threats, but reasoning about novel attack surfaces in clinical networks, PACS systems, and genomics pipelines. That perspective shapes every architectural decision.

Red team and adversarial simulation experience
Clinical network attack surface analysis
Supply chain and dependency risk modelling

Defensive architecture by design

Zero trust, outbound-only network topology, hardened secrets management, certificate pinning, cryptographically signed audit logs - these are not features that were added. They are the consequence of designing the architecture before writing code.

Zero-trust from the network layer up
Outbound-only agent - no inbound attack surface
mTLS with certificate pinning throughout

Australian regulatory context

The Privacy Act 1988, the OAIC's de-identification guidance, the Notifiable Data Breaches scheme, and the My Health Records Act are the instruments that shaped the product. Not HIPAA. Not a US framework applied with minor modifications.

Privacy Act 1988 - APPs 3, 6, 11 alignment
OAIC de-identification technical standard
NDB scheme - 72h notification readiness

Mission

Make it safe to use patient data for good.

There is an enormous amount of clinical value locked in healthcare data - for AI, for research, for population health. The reason it is not being used is not that organisations don't want to use it. It is that the governance infrastructure to use it safely does not exist at scale.

SECUVA's mission is to build that infrastructure - the technical layer that lets Australian healthcare organisations unlock their data for legitimate secondary uses without creating privacy risk, regulatory exposure, or audit liability.

01

For clinical AI

AI vendors need de-identified training data. Hospitals and imaging providers have it. SECUVA is the governed pathway between them - ensuring de-identification is documented, auditable, and legally defensible.

02

For research

Clinical research requires patient cohort data with ethics approval and governance controls. SECUVA provides the pipeline from EMR to research dataset - with full audit trail and policy enforcement baked in.

03

For population health

Public health agencies and state health departments need data that crosses institutional boundaries. SECUVA enables that data sharing with the access controls, retention policies, and audit documentation that make it legally permissible.

Values

The principles behind the product.

Security is not a feature

It is the consequence of designing a system the way someone who knows how attacks work would design it. Security at SECUVA is architectural, not additive.

Australian-first

The Privacy Act, the OAIC, the NDB scheme, the My Health Records Act - these are the legal instruments that shaped this product. Not retrofitted from somewhere else.

Practitioners, not consultants

We write the documentation we would want to read. We answer the questions a security engineer would ask. We work alongside your team, not above them.

Patient data is sacred

Every technical decision is made with the understanding that the data we are helping to govern belongs to a person. That is not a slogan. It is what makes every tradeoff obvious.

Proudly Australian

Founded and operated in Australia.

SECUVA is an Australian company, built by an Australian team, for Australian regulatory requirements. We are not a US company with an Australian subsidiary. We understand AEST business hours, AU health law, and the specific challenges of clinical data in the Australian context - because this is where we work and where our customers operate.

100% - AU data residency
AEST - Business hours support
AU law - Compliance-native

Infrastructure footprint

AU cloud region · primary (active)
Australian sovereign region · Primary control plane

AU cloud region · DR (active)
Secondary AU region · Disaster recovery

On-prem (customer site) (required)
Your network · SECUVA agent - all PHI processing

Ready to see it in context?

We are happy to walk through the architecture, the compliance posture, and how SECUVA fits into your specific data workflow - no deck, no pitch.