Security and Trust
Your patients' privacy is paramount. Discover how Procon delivers 100% secure, New Zealand-hosted clinical tools, fully compliant with HISO 10029 standards. Gain absolute confidence in our commitment to data protection through innovative zero-persistence technology.

Addressing Your Biggest Security Worries
We understand the concerns surrounding unauthorized access and ransomware attacks. Health providers are understandably worried about the potential exposure of sensitive clinical notes and lab results, along with the legal and reputational damage that can follow a data breach. Outdated encryption and the lack of multi-factor authentication (MFA) only exacerbate these fears. At Procon, we take these threats incredibly seriously.

Procon: Security Redefined
Procon employs Zero-Persistence technology. Patient data is never permanently stored on our servers. Instead, it's encrypted, delivered, and immediately purged. Combined with robust AES-256 encryption and 100% local New Zealand hosting, we ensure clinical information remains under strict local jurisdiction, inaccessible to unauthorized parties. Your data stays where it belongs, protected by cutting-edge security measures.

Built on Trust, Backed by Proven Performance
Procon has been a trusted partner in the NZ health sector for over 20 years. Skeptical GPs can rely on our proven track record and our innovative Zero-Persistence architecture, which ensures that patient data is never 'held' or at risk on our servers. We invite technical audits and provide full transparency regarding our NZ-based hosting and HISO 10029 compliance. Contact us today to learn more and gain peace of mind.
Data Security & Privacy Policy
Our Commitment to Data Sovereignty and Security
At Procon, we believe the safest place for patient health information is within the secure boundaries of the patient's enrolled Practice Management System (PMS). Following recent high-profile cyber events in the health sector, Procon has architected its Clinical Suite around a strict Data Minimisation model. We operate as an "Anti-Honeypot"—meaning we only extract and store patient data when it is absolutely functionally required by the health provider, and we heavily secure it when we do.
1. How We Handle Patient Data (The Hybrid Model)
Our applications handle data in two distinct ways, depending on the clinical requirement:
- Real-Time Decision Support (Zero-Persistence): For core tools like the Patient Dashboard and Appointment Scanner, we do not extract or store patient databases. When a clinician opens a file, our tools query the PMS API in real-time, process the clinical logic, and display the insights. Once the file is closed, the data session ends.
- Dedicated Screening Applications (Secure Storage): For specific population health and screening programmes, central data storage is required. In these instances, data is stored in isolated, application-specific databases. To protect patient privacy, all identifiable patient information (such as NHI numbers) is encrypted at rest within the database, and the decryption keys are stored securely and separately.
2. Third-Party Data Sharing
Procon acts solely as a data processor and secure conduit for health providers.
- We do not sell, rent, or share patient data with any third-party commercial entities.
- Data is only ever transmitted to authorised secondary healthcare providers (such as community allied health or secondary care) when explicitly directed by the referring clinician.
3. Infrastructure & Compliance
To ensure maximum protection for all data, Procon’s cloud infrastructure is hosted securely within New Zealand on Catalyst Cloud, ensuring total data sovereignty.
- All data processed in transit is secured using enterprise-grade TLS encryption (TLS 1.2+).
- Our perimeter is protected by Web Application Firewalls (WAF).
- Our security posture, patch management, and access controls are continuously aligned with Te Whatu Ora’s Health Information Security Framework (HISF) standards for suppliers.
Support & Change Management Policy
Our Commitment to Reliability and Governance
At Procon, we understand that our Clinical Suite and screening applications are critical to the delivery of primary healthcare. To ensure maximum uptime, system stability, and data security, all support requests, system updates, and feature enhancements are governed by strict Change Management and Service Level protocols aligned with the Health Information Security Framework (HISF).
1. Change Management & Enhancements
To protect the integrity of our live clinical systems, Procon does not make ad-hoc changes to production environments. Requests for new features, enhancements, or system updates follow a formal lifecycle:
- Assessment & CAB Approval: All significant enhancements are evaluated for clinical impact and security risks. Major changes are reviewed by our Change Advisory Board (CAB) before development begins.
- Isolated Testing: Development and testing are strictly segmented from live data. Changes are deployed to a dedicated staging environment for testing and quality assurance before being scheduled for production release.
- Scheduled Maintenance: To minimise disruption to clinical workflows, non-urgent updates and system patching are deployed during scheduled out-of-hours maintenance windows.
2. Support & Incident Escalation Matrix
To ensure fair and rapid response times across our network, all support requests must be logged centrally via our authenticated service portal or our official support channels. Support tickets are triaged and escalated according to the following priority matrix:
- Priority 1 (Critical Event)
  - Definition: A complete system outage or critical failure affecting an entire network or application (e.g., Patient Dashboard or Lung Cancer Screening unavailable for all users).
  - Target Response: Immediate triage (within 15-30 minutes).
- Priority 2 (High)
  - Definition: Significant degradation of service or core functionality is broken, but a workaround exists, or it is limited to a subset of users.
  - Target Response: 2 hours.
- Priority 3 (Normal / Standard Support)
  - Definition: Minor bugs, individual user access issues, or general "how-to" support queries that do not stop clinical workflows.
  - Target Response: 2 Business Days.
- Priority 4 (Scheduled Changes & Enhancements)
  - Definition: Requests for new forms, dashboard enhancements, or system configuration changes (Moves, Adds, Changes).
  - Target Response: 24 hours for initial assessment; work scheduled and deployed subject to the Change Management lifecycle outlined above.
3. Continuous Assurance & Patching
In addition to reactive support, Procon engages in a Continuous Assurance programme. Our cloud infrastructure is proactively monitored, and security patching is applied on a monthly cycle in partnership with our tier-one hosting providers to ensure ongoing protection against emerging threats.
Security Posture & Compliance
1. Trusted Infrastructure & Sub-Processors
To maintain strict data sovereignty and enterprise-grade reliability, Procon partners exclusively with tier-one infrastructure providers.
- Catalyst Cloud: All core applications and databases are hosted onshore in New Zealand, ensuring 100% local data sovereignty.
- OSS Group: Our Linux infrastructure is proactively managed and patched by OSS Group to ensure continuous alignment with industry best practices.
- Cloudflare: Our network perimeter is protected globally by Cloudflare’s Web Application Firewall (WAF), which actively mitigates DDoS attacks, malicious traffic, and emerging zero-day threats.
2. Data Retention & Secure Destruction
Aligning with our Hybrid Data Minimisation strategy, Procon does not hold health data longer than is clinically or contractually required.
- Transient Data: Real-time query data used by tools like the Patient Dashboard is never persistently stored.
- Screening Databases: Data held for specific longitudinal screening programmes is retained strictly in accordance with Ministry of Health guidelines. Upon contract termination or project conclusion, all associated databases and backups are securely sanitized and cryptographically destroyed, with certificates of destruction recorded in our asset register.
3. Enterprise Insurance & Liability
Procon 2026 Limited is fully backed by comprehensive, enterprise-grade insurance policies to protect our clients and operations. We carry dedicated Technology Liability Insurance alongside specialist Cyber Event Protection through leading underwriters, ensuring we have the resources and incident response support required to handle any catastrophic event.
4. Vulnerability Disclosure & Security Contact
We view security as a continuous, collaborative effort. If you are a client, security researcher, or penetration tester and you believe you have discovered a potential security vulnerability within the Procon Clinical Suite, please report it to our dedicated security team immediately.
- Contact: support@procon.co.nz
- Please note: We ask that you do not attempt to exploit or publicly disclose any potential vulnerabilities while our team investigates.