NDIS compliance — how Clearline supports provider obligations

01 · Where the vendor / provider line sits

Clearline is software tooling. Our customers are the registered providers.

Clearline Health is a software vendor. We build the platform; registered NDIS providers run their services on it. Registration with the NDIS Quality and Safeguards Commission stays with the provider — we are not registered with the Commission, and using Clearline does not register, certify, or pre-approve a provider in any way.

The following stay the provider's responsibility under the NDIS framework:

Provider registration with the NDIS Quality and Safeguards Commission
Meeting the NDIS Practice Standards as a provider
Worker screening (NDIS Worker Screening Check) for each worker engaged
Restrictive practice authorisation and reporting
Incident management decisions and Commission notifications
Complaints handling decisions and responses
All clinical and operational judgements about participant care

Clearline is tooling. The provider remains accountable.

02 · What Clearline does inside its lane

The tooling we ship, in plain language.

Inside the vendor scope, here's what the platform actually does today. Every bullet is in production now across the four products (Aura OS, Pilot, Compass, Scrive). We build Clearline to help providers meet their obligations under the NDIS Practice Standards — the Standards apply to providers, not to software vendors, but the workflows we build are shaped around them.

Append-only audit log on every state-changing action across the platform. Roughly 22 distinct event types live today. No UPDATE or DELETE paths exist in the API; rows are written once and stay.
Tamper-evident audit exports. NDIA-format audit exports for a participant ship as PDF, CSV, or JSON with a SHA-256 hash on the export package so a recipient can verify the bundle wasn't altered after generation.
Consent capture and revocation flows wired into the Connect identity layer. Families approve who joins their participant's care team across all four products. Revocation propagates across products within seconds; the audit log records who accessed what, and when.
NDIS numbers stored as SHA-256 hash with a server-side pepper. Never as plaintext, anywhere in the database. Match-by-hash works for cross-product participant discovery without putting plaintext NDIS numbers on the wire.
Shift note and report structures shaped around NDIS Practice Standards documentation expectations. Aura OS shift notes, Scrive reports (5 NDIS report types), and Pilot reports (Progress, Implementation, Plan Review) carry the fields and structure NDIS auditors look for.
Cross-product participant identity continuity (Connect graph). A participant's identity stays consistent as providers, support coordinators, and OTs change around them — reducing duplicate records and the gap between what a family says and what each provider has on file.
Data export available on request. Human-readable (PDF) and machine-readable (CSV, JSON) formats. Per-participant exports for NDIA compliance audits; per-organisation exports for the provider's own records.
Per-product role-based access. Workers, coordinators, OTs, family members, and admins each see only what their role permits. Workers don't see business administration; family members don't see other families.

03 · Documentation, retention, and audit

What we keep, for how long, and how it's protected.

Records, service-agreement dates, shift notes, incident reports, and clinical reports are retained per the canonical retention table in our Privacy Policy. NDIS compliance records carry the 7-year regulatory minimum; cancelled-account data is purged within 90 days except where retention is required by law.

Full retention table at Privacy Policy § 5.4 — covers active account data, compliance records, participant records, cancelled accounts, and analytics
Audit log entries are append-only — no UPDATE or DELETE paths in the API
Audit exports ship in PDF, CSV, or JSON with a SHA-256 tamper-evident hash on the export package
Behaviour Support Plan content (Aura OS) is retained for 7 years per NDIS requirements, with role-based access restricted to behaviour_support_lead, manager, and owner roles
Encryption at rest and TLS 1.2+ in transit on every endpoint — see Trust & security for the full posture

04 · Participant rights and complaints routing

Where to direct what.

Participants and their nominees can revoke consent at any time. Revocation propagates across all four products via the Connect identity layer (see the architecture diagram above) — the provider sees the change in their app, further reads of the revoked scope return 403, and the audit log records the action.

Consent revocation works from any account that holds the consent role — family member, nominee, or self-consenting adult participant
Data export on request — we aim to provide exports within 30 days from the email request landing at support@clearlinehealth.com.au, in line with the Privacy Act (APP 12) standard for access requests
Data deletion follows the retention table: cancelled-account data within 90 days; NDIS compliance records retained 7 years per regulatory requirement

Complaints routing

About the Clearline platform itself: (login problems, data display bugs, account issues, billing) — support@clearlinehealth.com.au. The founder reads every message.
About the provider's services: (care quality, worker conduct, support delivery, NDIS-funded service issues) — raise directly with the provider, or with the NDIS Quality and Safeguards Commission at ndiscommission.gov.au. Clearline is the software vendor; we don't deliver NDIS services or sit between participants and providers on service-quality complaints.

05 · What we haven't done yet

The honest list.

A compliance page that only lists strengths is marketing. This is the list of NDIS-relevant things we have not done. Surfaced on the same page as the rest so a buyer or coordinator can make an informed call.

No formal ISO 27001, SOC 2, or ISO 15489 certification. Planned once revenue justifies the audit cost. Not started.
No third-party NDIS-sector compliance audit conducted yet. Planned for 2026.
No automated workflow that guarantees a provider's compliance. Clearline is tooling. The provider's processes and clinical judgement remain primary — the platform supports the work, it doesn't replace the accountability.
No direct integration with the NDIS Commission's reportable-incident lodgement system. Incidents documented in Clearline still need to be lodged through the Commission's portal by the provider.
No automated NDIS Worker Screening Check verification. Workers' clearance numbers and expiry dates are tracked manually in Aura OS today. Automated verification against the Commission's check register is planned.
Point-in-time recovery not enabled by default. Available on enterprise plans on request. Standard plans rely on daily 7-day-retention snapshots.

06 · Who's accountable

One person to email.

Compliance, privacy, and platform-handling questions go to a single mailbox monitored by the founder. No legal@ or compliance@ alias, no triage tier. Faster for everyone.

Richard Patriquin · Founder, Clearline Health Pty Ltd

Contact · support@clearlinehealth.com.au Acknowledgement · within two business days ABN · 16 707 891 605 Based in Australia

How Clearline supports NDIS compliance.