Security for our Tyro Health Online solution

Our approach to security is designed to safeguard both you and the Australians you support. We store all our data in Australia and encrypt end-to-end, we are continuously innovating in fraud protection and we protect your data like our business depends on it – because it does.

We adhere to industry-leading standards to manage our network, secure our web applications and set policies across our organisation.

The information on this page relates to the Tyro Health Online solution. If you would like to view the Tyro Security Policy, which covers Tyro offerings including Tyro EFTPOS machines, please click here.


What we do to protect information

To deliver a service that meets our high expectations for information security, we employ a range of policies and processes specifically designed to ensure a high level of security, and to keep it there.

You can read more about how we collect, store, use and disclose personal information at our Privacy Policy.

We are ISO 27001 Certified.

ISO 27001 is the leading international standard for Information Security. You can view our independent certification here.

Data is stored in Australia.

Sensitive, private and confidential health information is processed and stored exclusively in Australia.

Data is tokenised and encrypted end to end.

We encrypt data in transit and data at rest using strong, modern ciphers. Further, payment card details and health account information is protected through an advanced tokenisation system.

We only store what is needed.

We only store information necessary for providing our services and only for the period required to meet operational or regulatory responsibilities.

Our partners meet our high expectations.

Our hosting partners abide by best practice security frameworks including: ISO27001, Australian InfoSec Registered Assessors Program (IRAP), SOC 1, SOC 2 and PCI DSS.

Regular audits and testing.

We undergo regular independent auditing and testing, and employ subject matter experts across our security framework to identify potential issues and to enhance control effectiveness.

Our information security policy

Tyro Health is committed to optimising our information security performance consistent with our risk appetite. In providing services to our clients, Tyro Health has access to their information and we expect that all staff and contractors have a clear understanding of their information security obligations. Tyro Health also has its own information, much of which needs to be secured to enable the business to operate effectively.

As a medical insurance claims software developer for our clients, we are committed to industry standards for the development lifecycle and the incorporation of information security into each phase of this lifecycle. We will ensure that information security is a key element of this and our ongoing client servicing.

To assist us in assuring our information security performance, we are committed to the implementation, maintenance and continual improvement of our Information Security Management System (“ISMS”). Our ISMS is ISO 27001 certified and compliant. The purpose of this ISMS and this policy is to achieve the following objectives:

  • Confidentiality – ensuring that information is not made available or disclosed to unauthorised individuals, entities or processes;
  • Integrity – maintaining the consistency, accuracy, and trustworthiness of information over its entire life cycle;
  • Availability – ensuring that information is both accessible and usable upon demand by an authorised party.

We are committed to ensuring that our ISMS is capable of meeting owners, clients and legal requirements for information security. To achieve this end, we are fully committed to the recruiting and skilling of our staff to deliver information security outcomes that are consistent with our risk appetite.


Responsible disclosure of security vulnerabilities

If you’ve discovered a security vulnerability in our platform or service, please email us at We will respond promptly. To help us resolve the issue quickly, we request that you:

  • provide us with full details of the discovered issue;
  • in the best interests our users and their data, please do not publicly disclose the issue until it has been addressed by us;
  • never purposely disrupt services for other users;
  • never attempt to access or modify data from other users; and
  • to keep everyone safe, please act in good faith towards our users’ privacy and data during your disclosure.

We won’t take legal proceedings against you or administrative action against your account if you act accordingly.

Although we do not have a security “bounty program”, we’ll make best endeavours to recognise your goodwill.

Contact us

If you have any questions about security or privacy, please email us.

Alternatively, you may use the PGPkey (Fingerprint: A39A26DD7B4F7FC3814CDBCBE999CA3961ECC0D2), verifiable at public key stores to encrypt your communications with us.