NDIS compliance

How Clearline supports NDIS compliance.

Plain-English answers about what the platform does to support NDIS provider obligations — and what stays the provider's responsibility.

01 · Where the vendor / provider line sits

Clearline is software tooling. Our customers are the registered providers.

Clearline Health is a software vendor. We build the platform; registered NDIS providers run their services on it. Registration with the NDIS Quality and Safeguards Commission stays with the provider — we are not registered with the Commission, and using Clearline does not register, certify, or pre-approve a provider in any way.

The following stay the provider's responsibility under the NDIS framework:

  • Provider registration with the NDIS Quality and Safeguards Commission
  • Meeting the NDIS Practice Standards as a provider
  • Worker screening (NDIS Worker Screening Check) for each worker engaged
  • Restrictive practice authorisation and reporting
  • Incident management decisions and Commission notifications
  • Complaints handling decisions and responses
  • All clinical and operational judgements about participant care

Clearline is tooling. The provider remains accountable.

Connect is the layer that propagates consent, identity, audit events, and cross-product handoffs between the four products. The same data flows are referenced throughout this page — including in the consent-revocation rules below.

Connect cross-product architecture Four Clearline products arranged in a compass-point ring around a central Connect identity node, on a subtle dot-grid background. Aura OS for provider operations sits at the top, Pilot for the coordinator workspace at the right, Compass for the family view at the bottom, and Scrive for OT report writing at the left. Each product is connected to Connect by a quiet line — Connect is the layer that carries participant identity, consent state, audit events, and cross-product handoffs between them. Every line is bidirectional: each product both writes to and reads from Connect. Aura OS PROVIDER OPERATIONS Pilot COORDINATOR WORKSPACE Compass FAMILY VIEW Scrive OT REPORT WRITER Connect
Four products. One identity. Connect is the layer that keeps them in sync.
02 · What Clearline does inside its lane

The tooling we ship, in plain language.

Inside the vendor scope, here's what the platform actually does today. Every bullet is in production now across the four products (Aura OS, Pilot, Compass, Scrive). We build Clearline to help providers meet their obligations under the NDIS Practice Standards — the Standards apply to providers, not to software vendors, but the workflows we build are shaped around them.

  • Append-only audit log on every state-changing action across the platform. Roughly 22 distinct event types live today. No UPDATE or DELETE paths exist in the API; rows are written once and stay.
  • Tamper-evident audit exports. NDIA-format audit exports for a participant ship as PDF, CSV, or JSON with a SHA-256 hash on the export package so a recipient can verify the bundle wasn't altered after generation.
  • Consent capture and revocation flows wired into the Connect identity layer. Families approve who joins their participant's care team across all four products. Revocation propagates across products within seconds; the audit log records who accessed what, and when.
  • NDIS numbers stored as SHA-256 hash with a server-side pepper. Never as plaintext, anywhere in the database. Match-by-hash works for cross-product participant discovery without putting plaintext NDIS numbers on the wire.
  • Shift note and report structures shaped around NDIS Practice Standards documentation expectations. Aura OS shift notes, Scrive reports (5 NDIS report types), and Pilot reports (Progress, Implementation, Plan Review) carry the fields and structure NDIS auditors look for.
  • Cross-product participant identity continuity (Connect graph). A participant's identity stays consistent as providers, support coordinators, and OTs change around them — reducing duplicate records and the gap between what a family says and what each provider has on file.
  • Data export available on request. Human-readable (PDF) and machine-readable (CSV, JSON) formats. Per-participant exports for NDIA compliance audits; per-organisation exports for the provider's own records.
  • Per-product role-based access. Workers, coordinators, OTs, family members, and admins each see only what their role permits. Workers don't see business administration; family members don't see other families.
03 · Documentation, retention, and audit

What we keep, for how long, and how it's protected.

Records, service-agreement dates, shift notes, incident reports, and clinical reports are retained per the canonical retention table in our Privacy Policy. NDIS compliance records carry the 7-year regulatory minimum; cancelled-account data is purged within 90 days except where retention is required by law.

  • Full retention table at Privacy Policy § 5.4 — covers active account data, compliance records, participant records, cancelled accounts, and analytics
  • Audit log entries are append-only — no UPDATE or DELETE paths in the API
  • Audit exports ship in PDF, CSV, or JSON with a SHA-256 tamper-evident hash on the export package
  • Behaviour Support Plan content (Aura OS) is retained for 7 years per NDIS requirements, with role-based access restricted to behaviour_support_lead, manager, and owner roles
  • Encryption at rest and TLS 1.2+ in transit on every endpoint — see Trust & security for the full posture
04 · Participant rights and complaints routing

Where to direct what.

Participants and their nominees can revoke consent at any time. Revocation propagates across all four products via the Connect identity layer (see the architecture diagram above) — the provider sees the change in their app, further reads of the revoked scope return 403, and the audit log records the action.

  • Consent revocation works from any account that holds the consent role — family member, nominee, or self-consenting adult participant
  • Data export on request — we aim to provide exports within 30 days from the email request landing at support@clearlinehealth.com.au, in line with the Privacy Act (APP 12) standard for access requests
  • Data deletion follows the retention table: cancelled-account data within 90 days; NDIS compliance records retained 7 years per regulatory requirement

Complaints routing

About the Clearline platform itself
(login problems, data display bugs, account issues, billing) — support@clearlinehealth.com.au. The founder reads every message.
About the provider's services
(care quality, worker conduct, support delivery, NDIS-funded service issues) — raise directly with the provider, or with the NDIS Quality and Safeguards Commission at ndiscommission.gov.au. Clearline is the software vendor; we don't deliver NDIS services or sit between participants and providers on service-quality complaints.
05 · What we haven't done yet

The honest list.

A compliance page that only lists strengths is marketing. This is the list of NDIS-relevant things we have not done. Surfaced on the same page as the rest so a buyer or coordinator can make an informed call.

  • No formal ISO 27001, SOC 2, or ISO 15489 certification. Planned once revenue justifies the audit cost. Not started.
  • No third-party NDIS-sector compliance audit conducted yet. Planned for 2026.
  • No automated workflow that guarantees a provider's compliance. Clearline is tooling. The provider's processes and clinical judgement remain primary — the platform supports the work, it doesn't replace the accountability.
  • No direct integration with the NDIS Commission's reportable-incident lodgement system. Incidents documented in Clearline still need to be lodged through the Commission's portal by the provider.
  • No automated NDIS Worker Screening Check verification. Workers' clearance numbers and expiry dates are tracked manually in Aura OS today. Automated verification against the Commission's check register is planned.
  • Point-in-time recovery not enabled by default. Available on enterprise plans on request. Standard plans rely on daily 7-day-retention snapshots.
06 · Who's accountable

One person to email.

Compliance, privacy, and platform-handling questions go to a single mailbox monitored by the founder. No legal@ or compliance@ alias, no triage tier. Faster for everyone.

Richard Patriquin · Founder, Clearline Health Pty Ltd

Contact · support@clearlinehealth.com.au Acknowledgement · within two business days ABN · 16 707 891 605 Based in Australia

Questions about NDIS compliance and how Clearline fits in?

Email support@clearlinehealth.com.au. The founder reads every message. We aim to acknowledge within two business days.