Security & data protection

Your patients' data isn't here. It never was.

MedAligna schedules staff, not patients. We hold employee records — names, licences, shifts, hours worked — which are not protected health information under HIPAA, even when the employer is a hospital. No patient names, no diagnoses, no charts, no notes. A breach of MedAligna could not expose your patients, because their data was never in it.

Does MedAligna hold patient data?

No. Not a name, not a diagnosis, not a chart, not a note.

HIPAA governs protected health information: data that identifies a person and relates to their care. Your EHR is full of it. MedAligna holds none of it, and the reason is structural rather than a matter of policy: there is nowhere in this product to put a patient.

We schedule staff, not patients. What we store is employment data: who works Tuesday night, whose licence expires in March, how many hours someone worked last week. Employment records are not PHI under HIPAA, even when the employer is a hospital. The closest we come is a census count: the grid knows there are eighteen patients on the unit tonight, because that is what a nurse-to-patient ratio is computed against. Eighteen is a number. It identifies nobody.

Which means the honest answer to “what happens if you get breached?” is the strongest one available: your patients are not in the blast radius, because their data was never here. An attacker who took everything we hold would have a staff roster. No badge on a website gets you that, and unlike a badge, it is not a claim anyone can argue with; you can verify it yourself from the table below.

Some deployments are different: home-care client records are the usual case, since a client's name and address tied to receipt of care is protected health information. If that is you, talk to us and we will walk you through exactly how it is handled.

How is one organisation's data kept separate from another's?

By the database refusing to hand it over, not by our code remembering to ask nicely.

Every tenant table in MedAligna carries the organisation it belongs to, and every one of them has a row-level security policy attached in Postgres. The policy compares that organisation against the memberships of whoever is authenticated, and it is evaluated by the database on every read and every write. Not by a middleware layer, not by an ORM scope, not by a WHERE clause a developer has to remember on a Friday.

The distinction matters because of how multi-tenant data actually leaks. Almost nobody is breached by a cryptographic failure; they are breached because one query out of four thousand forgot its filter, and that query returned everyone's rows to the wrong account for eight months before anybody noticed. Under row-level security, the forgetful query is the safe failure: a select with no organisation filter returns zero rows, not every row. The bug shows up as an empty screen during development rather than as a disclosure in production.

This is tested on every commit, and the test is written adversarially rather than hopefully. It authenticates as one organisation's administrator, queries another organisation's staff table with no filter whatsoever (the exact query a hostile or incompetent client would send) and asserts that the result is empty. If someone adds a new table and forgets its policy, that test is what fails, and it fails before the code ships rather than afterwards.

The same boundary holds for the contested writes that make scheduling interesting. When two nurses tap “claim” on the last open night in the same second, the decision is made inside the database under a row lock, with eligibility re-checked while the lock is held. There is no second write path around it. That is a correctness property rather than a security one, but it comes from the same principle: the rules live where the data lives, because that is the only place they cannot be bypassed by the next feature.

Who can see a nurse's licence?

The nurse, and the managers who have a credentialing job to do. Not her colleagues, and not us casually.

Credentials live in a wallet attached to the person rather than to the employer, and the permission is asymmetric on purpose: an employer can read a credential record and cannot edit or delete it. That is enforced by the same row-level policies as everything else, which means it is not a promise about our intentions: a manager who is one nurse short at five in the morning cannot reach into a record and move an expiry date, however much she would like to. Only the person whose licence it is can change what it says.

The documents themselves (the scanned licence, the BLS card) are not on a public URL waiting to be guessed. They sit in private storage and are reachable only through short-lived signed links issued to someone who has already been authorised to see them. And on the one class of record that genuinely is protected health information, home-care client records, every read is logged separately, not merely every change. Access logging that only records writes answers the wrong question: the interesting event is usually somebody looking.

How is MedAligna's data protected?

Six controls, each stated precisely enough that your reviewer can go and check it rather than take our word for it.

Audit controls

Every change is recorded, permanently

Assignments, shifts, credentials, hours, and permissions are audit-logged by the database itself, not by application code that might forget. The log is append-only: nobody, including us and including your own account owner, can edit or delete history. When a surveyor asks who changed a nurse's shift on the 14th, there is an answer.

Access control

One clinic cannot see another

Tenant isolation is enforced by row-level security in Postgres, not by a WHERE clause someone might omit. A query that forgets to filter by organisation returns nothing rather than everything. This is tested on every commit, including the case of a competitor's admin querying the staff table with no filter at all.

Integrity

Rule overrides are visible

When a scheduler knowingly overrides a blocking rule (putting someone on a floor the engine refused), the reason is captured and surfaced to administrators. These are rare and deliberate, and each one is meant to be looked at.

Encryption

Encrypted in transit and at rest

All traffic is TLS. Data at rest is encrypted by our database provider. Uploaded documents (licences, certifications) are stored in private buckets reachable only through short-lived signed URLs.

Automatic logoff

Sessions expire

Sessions time out automatically, so a browser left open on a shared workstation at the nurses' station does not stay signed in indefinitely.

Data portability

Your data is yours, always

Export everything (staff, schedules, credentials, hours) to CSV or JSON at any time, including after you cancel. We never hold a schedule hostage over a billing problem: a lapsed account becomes read-only, never deleted and never hidden. A billing failure must not become a staffing failure.

What exactly do you store?

All of it, in one table. If a row you expected is missing from the left-hand column, it is missing from the product.

DataStored?Is it PHI?
Staff names, roles, contact detailsYesNo: employment record
Licences and certifications (incl. expiry)YesNo: employment record
Shifts, assignments, hours workedYesNo: employment record
Patient census counts (e.g. “18 patients tonight”)YesNo: no individual is identified
Patient names, diagnoses, charts, notesNoWould be, so we don’t hold it
Home-care client recordsHome care onlyYes, discussed with you before setup

Can you answer our security questionnaire?

Yes. Send it, and an engineer answers it in writing.

Not a sales form, not a boilerplate PDF, and not a salesperson relaying answers from someone he cannot see. Every control on this page is real, testable, and described precisely enough to be verified rather than believed, which is the standard we would want if we were the ones signing it off. If your reviewer thinks we have got something wrong, that is a genuinely useful email to receive.

Bring us your security review

Questionnaires, architecture questions, a control you want demonstrated in the live product rather than described. Ask for the hard ones.

Send us your questions