Data Security & Privacy

Last updated on

Patient Watch implements security measures designed to protect patient data and support compliance with UK GDPR and relevant health and care governance requirements. This document outlines our key security features and policies.

Infrastructure Security

  • All data is transmitted over HTTPS, encrypted with TLS
  • Data is hosted on Supabase’s SOC2 Type 2 compliant infrastructure
  • All data is encrypted at rest with AES-256 encryption
  • Security review, vulnerability management, and testing activities are carried out to help protect system integrity
  • DDoS protection through Cloudflare and automated threat mitigation
  • Automated daily backups with point-in-time recovery capability

Authentication & Access Control

Robust Authentication System

  • Industry-standard authentication through Supabase Auth
  • Secure session management using JSON Web Tokens (JWTs)
  • Dual-token strategy:
    • Short-lived Access Tokens for API requests
    • Secure Refresh Token system for continuous authentication
  • Protection against common vulnerabilities (XSS, CSRF)
  • 15-minute session timeout for enhanced security

Strong Password Requirements

  • Minimum 10 characters
  • Must contain uppercase and lowercase letters
  • Must include numbers and special characters
  • Passwords are salted and hashed using industry-standard algorithms

Organization-Based Access Control

  • Staff access is managed through organization membership
  • Secure organization key system for controlled staff onboarding
  • Least Privilege Access principle for all data access
  • Granular permission system for patient diary access

Data Protection

Data Storage & Retention

  • All patient data is encrypted at rest and in transit
  • Identifiable data is retained for 5 years or until removal is requested
  • Only necessary data is collected for service operation
  • Designed to support UK GDPR requirements

Clinical Access Management

  • Controlled access for healthcare professionals within organizations
  • Secure diary sharing between patients and authorized staff
  • Audit trails for all data access

Pseudonymised and Research Data Governance

  • We do not sell directly identifiable patient personal data
  • Where data is used for audit, research, clinical trials, post-market surveillance, or commercial evidence programmes, we aim to use anonymised, aggregated, or appropriately pseudonymised datasets wherever the use case allows
  • Pseudonymised datasets remain subject to governance, contractual controls, and access restrictions designed to reduce re-identification risk and limit onward use
  • Sharing with healthcare, academic, pharmaceutical, medical device, or other life sciences organisations is carried out only where permitted by law, contract, controller instructions, and any applicable ethics or governance requirements

Compliance & Policies

All users must agree to our comprehensive policies:

Organisation-level governance (health and care)

Where a hospital, trust, or other organisation uses Patient Watch to deliver care or related services, that organisation is typically responsible for its own information governance records and approvals required by its regulatory or contractual context. Patient Watch Ltd publishes technical and security context for the service on this page to support those organisational records. It does not replace your organisation-wide Information Asset Register or local sign-off.

Support & Security Contacts

For security-related inquiries, contact support@patientwatch.com


For detailed technical documentation, project-specific due diligence, or specific security inquiries, please contact our security team.