Authentication
- Staff sign in with a Staff ID and a 6-digit PIN. PINs are stored only as bcrypt hashes, never in plaintext.
- Brute-force protection locks an account after repeated failed attempts. This lockout, not the hash, carries most of the weight: a 6-digit PIN has only one million possible values, so bcrypt slows offline guessing but cannot on its own protect a leaked hash.
- Session tokens are short-lived signed JWTs that carry a version number checked against the account on every request; bumping the account's version invalidates every outstanding token immediately, with no blocklist to consult.
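As an added illustration of the versioned-token revocation described above (this is example code, not the product's own implementation), the block below hand-rolls an HS256 JWT so it runs without third-party packages; a real service would use a maintained JWT library. The secret key, the `ACCOUNTS` store and the 15-minute lifetime are assumptions standing in for real key material, the user database and the configured token lifetime.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values: the HMAC key and the in-memory account store are
# assumptions standing in for the real key material and user database.
SECRET = b"example-key-replace-with-a-random-256-bit-secret"
ACCOUNTS = {"S1001": {"token_version": 1, "facility_id": "A"}}
TOKEN_TTL = 15 * 60  # seconds; a short lifetime bounds the damage from a stolen token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(staff_id: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT that carries the account's current token version."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": staff_id,
        "iat": now,
        "exp": now + TOKEN_TTL,
        "ver": ACCOUNTS[staff_id]["token_version"],
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is genuine, unexpired and not revoked, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None  # never let the token choose its own algorithm (alg=none etc.)
        expected = hmac.new(SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # signature does not match: forged or tampered
        payload = json.loads(_b64url_decode(p))
        if now >= int(payload["exp"]):
            return None  # expired
        account = ACCOUNTS.get(payload["sub"])
        if account is None or payload["ver"] != account["token_version"]:
            return None  # version mismatch: every token issued before the bump is revoked
        return payload
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token of any kind is simply rejected


def revoke_all_sessions(staff_id: str) -> None:
    """Bump the account's version; tokens minted before this call now fail verify_token."""
    ACCOUNTS[staff_id]["token_version"] += 1


if __name__ == "__main__":
    t = issue_token("S1001")
    print("valid before revocation:", verify_token(t) is not None)
    revoke_all_sessions("S1001")
    print("valid after revocation:", verify_token(t) is not None)
```

The version check is what makes revocation immediate: a stolen token that is still within its lifetime stops working the moment the account's version is bumped (on PIN reset, lockout or an admin "sign out everywhere"), at the cost of one account lookup per request.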
Data isolation
Every record is scoped to a facility. Row-level security at the database layer and facility scoping in the API layer together ensure that a carer at facility A can never read data from facility B, even if that carer's credentials leak.
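To make the API-layer half of that guarantee concrete, here is an added example (not the product's own code) contrasting an unscoped query with a scoped repository in which the facility is bound from the verified session rather than from anything the client sends. It uses an in-memory SQLite table with constructed sample rows; the database-layer policy (for example PostgreSQL row-level security) is the second, independent guard and is not shown here. The table, column and function names are assumptions.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """What the API trusts about a request: derived from the verified token, never from request input."""
    staff_id: str
    facility_id: str


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two facilities, three residents (an assumption for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE residents (id INTEGER PRIMARY KEY, facility_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO residents (id, facility_id, name) VALUES (?, ?, ?)",
        [(1, "A", "Resident A1"), (2, "A", "Resident A2"), (3, "B", "Resident B1")],
    )
    return conn


def list_residents_insecure(conn: sqlite3.Connection, requested_facility: str) -> List[Tuple[int, str]]:
    # Anti-pattern: the facility comes from the request, so any authenticated
    # carer can ask for any facility's residents by changing a parameter.
    return conn.execute(
        "SELECT id, name FROM residents WHERE facility_id = ?", (requested_facility,)
    ).fetchall()


def list_residents(conn: sqlite3.Connection, session: Session) -> List[Tuple[int, str]]:
    # Scoped: the facility predicate is bound from the session; there is no
    # parameter through which the client could name a different facility.
    return conn.execute(
        "SELECT id, name FROM residents WHERE facility_id = ?", (session.facility_id,)
    ).fetchall()


def get_resident(conn: sqlite3.Connection, session: Session, resident_id: int) -> Optional[Tuple[int, str]]:
    # Lookups by id carry the facility predicate too, so guessing ids across
    # facilities returns "not found" instead of another facility's row, and the
    # response does not reveal whether the id exists elsewhere.
    return conn.execute(
        "SELECT id, name FROM residents WHERE id = ? AND facility_id = ?",
        (resident_id, session.facility_id),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    carer_a = Session(staff_id="S1001", facility_id="A")
    print("scoped list:", list_residents(db, carer_a))
    print("cross-facility lookup:", get_resident(db, carer_a, 3))
    print("unscoped anti-pattern:", list_residents_insecure(db, "B"))
```

The rule the scoped functions follow is that every query touching facility-scoped data takes its `facility_id` from the session object and nowhere else; a single endpoint that forgets the predicate is exactly the gap the database-layer policy exists to catch.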
Encryption
- TLS 1.3 in transit.
- AES-256 at rest.
- All data hosted in Sydney (ap-southeast-2).
Audit
Every access, change and export is written to an append-only (immutable) audit log that facility managers can query.