Secure email for Australian medical practices and healthcare providers
Secure Email for Healthcare

Secure email built for Australian medical practices

The only Australian-hosted email platform assessed to handle patient health information — Privacy Act 1988 compliant, IRAP-assessed, and trusted by 6,500+ healthcare providers.

100% Australian servers | IRAP Assessed | Privacy Act 1988 | My Health Records | NDB Scheme ready | 7-year audit log
6,500+ healthcare providers
#1 NDB-reporting sector
100% Australian data residency
30-day NDB notification clock, managed in-platform

Why you need this

Healthcare is Australia's #1 sector for NDB notifications. The OAIC received 104 health sector breach reports in 2024-25 — more than any other industry.

Regulatory Landscape

Healthcare email compliance in Australia

Medical practices face more email compliance obligations than almost any other Australian industry. ShieldBox is designed to satisfy all of them.

Cth Legislation
Privacy Act 1988

All health information is sensitive under the Privacy Act. Medical practices and hospitals must satisfy all 13 APPs, with particular attention to APP 8 — offshore storage of patient records is a significant legal risk.

ADHA
My Health Records Act 2012

Healthcare providers registered with the My Health Records system must meet ADHA security and access requirements. Clinical communications touching MHR data require additional safeguards.

Professional Obligations
AHPRA & Professional Codes

AHPRA-registered practitioners must maintain professional standards that include confidentiality of patient information in all electronic communications, including email correspondence.

Privacy Act Part IIIC
Notifiable Data Breaches

Healthcare is the sector most frequently reported to the OAIC under the NDB scheme. A single phishing incident can trigger mandatory notifications to thousands of patients and the OAIC within 30 days.

State Legislation
State Health Legislation

State and territory health records legislation adds further obligations. The NSW Health Records & Information Privacy Act, the Victorian Health Records Act, and equivalent Queensland, WA, and SA legislation all apply.

ASD / ACSC
ACSC Guidance for Healthcare

The Australian Cyber Security Centre has published specific guidance for health sector organisations, recommending ASD Essential Eight implementation and encrypted email as baseline controls.

Platform Features

Everything a medical practice needs

Secure email for medical practices built from the ground up for Australian healthcare compliance.

Patient data never leaves Australia

All clinical emails, attachments, and patient correspondence physically stored and processed in Australian data centres. Zero offshore data transfers. Your APP 8 obligation resolved by design.

End-to-end encryption

AES-256 encryption at rest, TLS 1.3 in transit. Clinical communications protected to the same standard as Australian government classified information. Encryption keys held by you.

Role-based access for clinical teams

GP, specialist, practice nurse, admin — configure exactly who sees what. Shared inboxes with individual audit trails. Reception staff can't access clinical communications.

7-year clinical communications audit

Complete audit log of every email event retained for 7 years. Satisfies medical record keeping obligations under all Australian state and territory health legislation.

NDB breach detection

Automated detection of potential notifiable data breaches — compromised accounts, unusual bulk access, suspicious forwarding. Healthcare is the #1 NDB sector — be ready.

DMARC/DKIM/SPF at enforcement

Full email authentication at p=reject enforcement. Eliminates spoofed emails pretending to come from your practice — a common healthcare BEC attack vector. Protects your patients too.

Works with Best Practice & Medical Director

ShieldBox integrates seamlessly with Best Practice Software, Medical Director, Genie, and Zedmed via IMAP/SMTP. No disruption to existing clinical workflows.

Custom domain for every practice

Your own @drsmith.com.au address for every clinician. Professional credibility with patients, secure custom domain email that works correctly with spam filtering.

Healthcare Verticals

Every healthcare setting, covered

From solo GPs to multi-site hospital groups — ShieldBox scales to every Australian healthcare organisation.

General Practice
2,400+ practices

Bulk billing and mixed billing GPs using ShieldBox for patient referral communications, results notifications, and Medicare correspondence. Full RACGP standards alignment.

Specialist Clinics
800+ clinics

Ophthalmology, cardiology, orthopaedic, and oncology specialists handling sensitive referral correspondence and surgical planning communications. End-to-end encrypted.

Allied Health
3,100+ practices

Physiotherapy, psychology, occupational therapy, dietetics, and speech pathology practices. AHPRA obligations and sensitive clinical notes protected.

Day Hospitals & Surgical Centres
180+ facilities

Private day surgical facilities handling pre-admission communications, anaesthetic consent, and post-operative follow-up. NSQHS Standards aligned.

Aged Care Facilities
420+ facilities

Residential aged care and NDIS providers handling sensitive care plans, incident reports, and family communications. Aged Care Quality Standards compliant.

Pathology & Radiology
340+ labs

Pathology and diagnostic imaging providers transmitting results electronically to referring GPs and specialists. NATA accreditation evidence available.

Customer Stories

Trusted by Australian clinicians

“After the Medibank breach in 2022, our board mandated a full review of data sovereignty. ShieldBox was the only email provider that could satisfy our privacy officer's requirements — data in Australia, IRAP-assessed, and with a proper audit trail.”
Dr. Jennifer Kwan
Practice Principal
Kwan Family Medicine, Parramatta NSW
“We switched from Google Workspace after our practice manager flagged the APP 8 issue. ShieldBox took about two hours to set up across our six GPs. The migration team moved all our historical emails overnight — completely seamless.”
Dr. Andrew Papadopoulos
Managing Partner
Bayside Medical Group, Brighton VIC
“As a psychology practice we're acutely aware of patient confidentiality obligations. ShieldBox gives our clients — and our PI insurer — confidence that sensitive session notes and correspondence never touch an overseas server.”
Dr. Michelle Torres
Clinical Director
Clarity Psychology, Brisbane QLD
Free practice migration — we do everything

Our team migrates your complete email history from Gmail, Outlook, or any provider. Overnight, zero clinical downtime.

Common Questions

Healthcare email FAQ

It creates significant Privacy Act risk. Under APP 8, when you store or process patient health information offshore (which Google and Microsoft do unless you specifically purchase and configure their Australian data residency options), you remain accountable for how that information is handled. If the offshore provider is breached, you may have NDB notification obligations even if your own systems are secure. The safest approach is to use Australian-hosted email where the data never leaves Australia.

Protect your patients.
Protect your practice.

Join 6,500+ Australian healthcare providers on the only email platform purpose-built for Australian Privacy Act compliance. Free 30-day trial, no credit card required.
