Data Security & Privacy

Last updated on

Data Security & Privacy

Patient Watch implements comprehensive security measures to protect patient data and ensure compliance with UK GDPR and NHS standards. This document outlines our key security features and policies.

Infrastructure Security

  • All data is transmitted securely via HTTPS encryption with TLS
  • Data is hosted on Supabase’s SOC2 Type 2 compliant infrastructure
  • Protected Health Information (PHI) is handled under HIPAA compliance and BAA agreement
  • All data is encrypted at rest with AES-256 encryption
  • Regular security audits, vulnerability scanning, and penetration testing ensure system integrity
  • DDoS protection through Cloudflare and automated threat mitigation
  • Automated daily backups with point-in-time recovery capability

Authentication & Access Control

Robust Authentication System

  • Industry-standard authentication through Supabase Auth
  • Secure session management using JSON Web Tokens (JWTs)
  • Dual-token strategy:
    • Short-lived Access Tokens for API requests
    • Secure Refresh Token system for continuous authentication
  • Protection against common vulnerabilities (XSS, CSRF)
  • 15-minute session timeout for enhanced security

Strong Password Requirements

  • Minimum 10 characters
  • Must contain uppercase and lowercase letters
  • Must include numbers and special characters
  • Passwords are salted and hashed using industry-standard encryption

Organization-Based Access Control

  • Staff access is managed through organization membership
  • Secure organization key system for controlled staff onboarding
  • Least Privilege Access principle for all data access
  • Granular permission system for patient diary access

Data Protection

Data Storage & Retention

  • All patient data is encrypted at rest and in transit
  • Identifiable data is retained for 5 years or until removal is requested
  • Only necessary data is collected for service operation
  • Compliant with UK GDPR requirements

Clinical Access Management

  • Controlled access for healthcare professionals within organizations
  • Secure diary sharing between patients and authorized staff
  • Audit trails for all data access

Pseudonymised and Research Data Governance

  • We do not sell directly identifiable patient personal data
  • Where data is used for audit, research, clinical trials, post-market surveillance, or commercial evidence programmes, we aim to use anonymised, aggregated, or appropriately pseudonymised datasets wherever the use case allows
  • Pseudonymised datasets remain subject to governance, contractual controls, and access restrictions designed to reduce re-identification risk and limit onward use
  • Sharing with healthcare, academic, pharmaceutical, medical device, or other life sciences organisations is carried out only where permitted by law, contract, controller instructions, and any applicable ethics or governance requirements

Compliance & Policies

All users must agree to our comprehensive policies:

Organisation-level governance (health and care)

Where a hospital, trust, or other organisation uses Patient Watch to deliver care or related services, that organisation is typically responsible for its own information governance records (for example inventories of information assets and relevant data flows) and for approvals required by its regulatory or contractual context. Patient Watch Ltd publishes technical and security context for the service on this page to support those organisational records. It does not replace your organisation-wide Information Asset Register or local sign-off.

Support & Security Contacts

Contact information for security-related inquiries at support@patientwatch.com

For detailed technical documentation or specific security inquiries, please contact our security team.