Trust & security

Security & privacy at Budi

Last updated: June 2026

Budi handles sensitive health information about your clients. We treat that as the core of the product, not an afterthought. Here is exactly how we protect it.

Your clients’ data stays in Australia

The clinical content you put into Budi — your visit notes and the reports generated from them — is stored and processed within Australia. AI drafting runs on Amazon Bedrock in the AWS Asia Pacific (Sydney) region, and your database sits in the same region. Your notes are not routed overseas to be turned into a draft.

Never used to train AI

Your notes are used to draft your report and for nothing else.

We do not use clients personal information to train, fine-tune, or improve any AI model — ours or anyone else’s. The foundation model that generates your drafts runs inside Amazon Bedrock, which does not retain your prompts and does not pass them to the model provider for training.

Encrypted in transit and at rest

All data is encrypted in transit using TLS and encrypted at rest using AES-256. Connections to Budi are served only over HTTPS.

Access is controlled and logged

Access to client content is restricted to authenticated users in your organisation, enforced by role-based access controls and organisation scoping so one practice can never see another’s data. Budi personnel access client content only where necessary to provide, support, or secure the service — under least-privilege controls and audit logging.

Built to recognised standards

Our security program is built on the SOC 2 and ISO/IEC 27001 control frameworks, and we align our controls to the Australian Privacy Principles.

We support your compliance

You hold the clinical relationship with your client and the consent that goes with it. Budi acts as your service provider in handling that content, and we support your obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles, and — where relevant — the NDIS Code of Conduct. If an eligible data breach occurs, we comply with the Notifiable Data Breaches scheme and will notify affected customers promptly.

Who we rely on

We use a small number of sub-processors to run Budi. Each is bound by agreements that require them to protect your data and use it only to provide services to us. This list is kept current.

ProviderPurposeData location
Amazon Web Services (AWS)AI inference (Amazon Bedrock) and encrypted data storageAustralia (Sydney, ap-southeast-2)
ClerkAccount authentication and identityUnited States
VercelApplication hosting and deliveryUnited States / global edge

Retention and deletion

You and your practice carry the record-keeping obligations for your clients’ records — commonly a minimum of seven years, and longer for records concerning children. Budi retains client content to support those obligations and in line with your agreement and instructions. You can request export or deletion of your data; where you are subject to a retention obligation, you decide whether content is kept to meet it. Full detail is in our Privacy Policy.

Reporting a vulnerability

If you believe you’ve found a security issue, we want to hear from you. Email security@budi.healthand we’ll respond quickly. Please give us a reasonable chance to investigate and fix before any public disclosure.


Questions about any of this? Email security@budi.health — a real co-founder will reply.