Qliva

Security & Trust

Your patients' data is safe with us

Qliva was built for Australian healthcare from the ground up. Every architectural decision — from where data is stored to how access is controlled — was made with patient privacy and clinic security as the primary constraint.

🇦🇺Hosted in Australia
🔒Encrypted at rest & in transit
📋Privacy Act 1988 compliant
📡99.9% uptime target

How we protect you

Security built into every layer

Security isn't a feature we added later — it's the foundation Qliva was built on.

🇦🇺

Australian data sovereignty

Every byte of patient data stored in Qliva lives in Australia — specifically AWS ap-southeast-2 (Sydney). We will never move patient data offshore. This is a hard architectural constraint, not a policy that could change with future business decisions.

🔒

Encryption everywhere

All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256. This applies to patient records, pathology results, prescriptions, clinical notes, and every other piece of sensitive information in the platform.

🏢

Strict clinic isolation

Qliva is a multi-tenant platform: multiple clinics share the same infrastructure, but their data is isolated from each other. Every table holding clinic data carries Row Level Security (RLS) policies enforced by the database itself, so an application query that omits a clinic filter still cannot read or write another clinic's rows. The isolation does not depend on every code path remembering to check.

🔑

Role-based access control

Three distinct access levels — practitioners, clinic administrators, and patients — each see only what they need. Practitioners cannot access admin billing functions. Patients can only see their own records. All access is enforced server-side, not just hidden in the UI.
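The two mechanisms described above, database-enforced clinic isolation and server-side role checks, as an added illustration that is not Qliva's own schema or policy code. It assumes PostgreSQL, two hypothetical NOLOGIN roles (`app_staff`, `app_patient`) that the application switches into per request, and hypothetical session settings `app.clinic_id` and `app.patient_id`; the table, column and policy names are constructed for the example.

```sql
-- Added illustration, not Qliva's schema. Assumes PostgreSQL and two NOLOGIN
-- roles the application enters per request with SET ROLE (the connecting login
-- role is granted membership of both). Neither role may own the table or hold
-- BYPASSRLS, or every policy below is silently skipped.
CREATE ROLE app_staff NOLOGIN;     -- practitioners and clinic administrators
CREATE ROLE app_patient NOLOGIN;   -- patients
-- GRANT app_staff, app_patient TO <the application's login role>;

CREATE TABLE patient_records (
    id          bigserial   PRIMARY KEY,
    clinic_id   uuid        NOT NULL,
    patient_id  uuid        NOT NULL,
    note        text        NOT NULL,
    deleted_at  timestamptz             -- soft-delete marker; rows are never hard-deleted
);

GRANT SELECT, INSERT, UPDATE ON patient_records TO app_staff;
GRANT USAGE ON SEQUENCE patient_records_id_seq TO app_staff;
GRANT SELECT ON patient_records TO app_patient;          -- patients are read-only

ALTER TABLE patient_records ENABLE ROW LEVEL SECURITY;
-- ENABLE alone still exempts the table owner (usually the migration role);
-- FORCE closes that gap.
ALTER TABLE patient_records FORCE ROW LEVEL SECURITY;

-- Staff see and write only rows of the clinic bound to this session.
-- current_setting(..., true) yields NULL when unset, and NULLIF covers the
-- empty string a pooled session reports once the setting has been touched;
-- NULL never compares equal, so a request that forgot to bind a clinic sees
-- nothing rather than everything.
CREATE POLICY clinic_isolation ON patient_records
    FOR ALL TO app_staff
    USING      (clinic_id = NULLIF(current_setting('app.clinic_id', true), '')::uuid)
    WITH CHECK (clinic_id = NULLIF(current_setting('app.clinic_id', true), '')::uuid);

-- Patients see only their own, non-deleted records (SELECT only; no INSERT or
-- UPDATE privilege was granted, so no write policy is needed).
CREATE POLICY patient_self ON patient_records
    FOR SELECT TO app_patient
    USING (patient_id = NULLIF(current_setting('app.patient_id', true), '')::uuid
           AND deleted_at IS NULL);

-- Per-request bootstrap (constructed sample IDs). SET LOCAL scopes the role and
-- the tenant to this transaction, so a pooled connection carries nothing over.
BEGIN;
SET LOCAL ROLE app_staff;
SET LOCAL app.clinic_id = '11111111-1111-1111-1111-111111111111';
-- A query that forgot its "WHERE clinic_id = ..." filter still returns only
-- this clinic's rows.
SELECT id, patient_id, note FROM patient_records;
COMMIT;

-- A write tagged with another clinic's id is rejected by WITH CHECK.
BEGIN;
SET LOCAL ROLE app_staff;
SET LOCAL app.clinic_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO patient_records (clinic_id, patient_id, note)
VALUES ('22222222-2222-2222-2222-222222222222',
        '33333333-3333-3333-3333-333333333333', 'wrong tenant');
-- ERROR: new row violates row-level security policy for table "patient_records"
ROLLBACK;

-- Checks worth running after every migration:
SELECT relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'patient_records';    -- both must be true
SELECT rolname, rolsuper, rolbypassrls
  FROM pg_roles WHERE rolname LIKE 'app\_%';          -- all must be false
```

The two checks at the end are the part a reviewer should insist on: RLS protects against a missing filter only while the application role is neither the table owner (without FORCE) nor a superuser or BYPASSRLS role, so any privileged "service" connection used from request-handling code reopens the hole the policies close.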

📋

Full audit trail

Every significant action in Qliva is logged: who did what, when, and from where. Prescription creation, patient record access, pathology requests, and administrative changes all leave a permanent, append-only audit trail.

🛡️

Rate limiting & abuse prevention

All public-facing endpoints and sensitive API routes are protected by rate limiting to prevent brute-force attacks, credential stuffing, and automated abuse. Single-use pathology form links expire after 30 days and can only be opened once.
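A way to implement the single-use, 30-day pathology form links described above, as an added illustration that is not Qliva's own code. It assumes PostgreSQL 11 or later (for the built-in `sha256()`), a hypothetical `pathology_form_links` table, and that the application generates each token from a CSPRNG; the IDs, token and client address are constructed sample values.

```sql
-- Added illustration, not Qliva's schema. Assumes PostgreSQL 11+ (sha256()).
-- The application generates the token as 32 random bytes, places its base64url
-- form in the emailed URL, and stores only the hash: a leaked database dump
-- therefore contains no usable links.
CREATE TABLE pathology_form_links (
    id          bigserial   PRIMARY KEY,
    clinic_id   uuid        NOT NULL,
    patient_id  uuid        NOT NULL,
    token_hash  bytea       NOT NULL UNIQUE,
    created_at  timestamptz NOT NULL DEFAULT now(),
    expires_at  timestamptz NOT NULL DEFAULT now() + interval '30 days',
    opened_at   timestamptz,                -- NULL until the first successful open
    opened_from inet                        -- recorded for the audit trail
);

-- Issue a link. The token here is a constructed string for the demo; in
-- production it is random bytes, never something guessable.
INSERT INTO pathology_form_links (clinic_id, patient_id, token_hash)
VALUES ('11111111-1111-1111-1111-111111111111',
        '33333333-3333-3333-3333-333333333333',
        sha256('demo-token-from-emailed-link'::bytea));

-- Redeem. One atomic UPDATE performs the existence, expiry and single-use
-- checks together. Two requests presenting the same token at the same time
-- cannot both succeed: the second blocks on the row lock, re-evaluates the
-- WHERE clause once the first commits, finds opened_at set, and matches no
-- row. A SELECT followed by a separate UPDATE would let both through.
UPDATE pathology_form_links
   SET opened_at = now(),
       opened_from = '203.0.113.10'::inet          -- constructed client address
 WHERE token_hash = sha256('demo-token-from-emailed-link'::bytea)
   AND opened_at IS NULL
   AND expires_at > now()
RETURNING id, clinic_id, patient_id;
-- First execution returns 1 row; running the same statement again returns 0.

-- Zero rows means unknown, expired, or already opened. Serve one generic
-- "this link is no longer valid" page for all three so the response does not
-- reveal which condition applied.
```

Because the hash lookup is on a high-entropy token, the UNIQUE index on `token_hash` doubles as the lookup index; the rate limiting the page describes still belongs in front of this endpoint, since it is what keeps an attacker from enumerating tokens at speed.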

📡

Continuous monitoring

Qliva uses Sentry for real-time error monitoring and UptimeRobot for external uptime monitoring. Any system error or downtime triggers an immediate alert. Our public status page is always available at stats.uptimerobot.com/4vBJSgJv7v.

✉️

Secure transactional email

All system emails (appointment reminders, pathology form links, password resets, and practitioner invitations) are sent via Resend from a verified Australian domain. Verifying the domain publishes the SPF and DKIM DNS records that let receiving mail servers authenticate our messages, which makes our sending domain harder to spoof and improves deliverability.

🇦🇺

Your data never leaves Australia

Qliva runs on infrastructure located in AWS Sydney (ap-southeast-2). Patient health records, clinical notes, prescriptions, and pathology results are stored and processed exclusively within Australia — in full compliance with the Australian Privacy Act 1988 and the Australian Privacy Principles.

This is not a policy choice that could be reversed — it is an architectural constraint baked into how Qliva is built. Third-party integrations (payment processing, email delivery) use services with appropriate data processing agreements in place.

Compliance

Built for Australian healthcare regulation

Qliva is designed around the specific compliance requirements of Australian healthcare — not adapted from a foreign product.

Privacy Act 1988

Qliva is designed to comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Sensitive health information is only collected with explicit patient consent, stored securely, and never shared with third parties without authorisation.

Notifiable Data Breaches (NDB)

In the event of an eligible data breach, Qliva supports clinic obligations under the Notifiable Data Breaches scheme — including breach identification, assessment, and notification procedures.

AHPRA compliance

All prescriptions generated in Qliva include the prescriber's AHPRA registration number and are validated against AHPRA format requirements. The platform enforces practitioner sign-off before any clinical document is shared with a patient.

TGA Software as a Medical Device

Clinical decision support features in Qliva are designed to comply with TGA Software as a Medical Device (SaMD) guidelines. AI-generated content is always presented as a draft for practitioner review — it is never automatically applied to a patient record.

7-year health record retention

Patient records, clinical notes, prescriptions, and pathology results are retained for a minimum of 7 years in line with Australian health records legislation. All deletions in Qliva are soft deletes — records are marked as deleted but never permanently removed.

All systems operational

Transparent uptime

Qliva is monitored 24/7 by external uptime checks. You can view our live system status — including historical uptime and any past incidents — on our public status page.

View system status →

Questions about security?

If you have specific security questions about how Qliva handles your clinic's data, or you'd like to discuss compliance requirements before signing up, we're happy to talk.

Get in touch