Trust and securityHosted in Sydney (ap-southeast-2)Privacy Act + APP aligned

Resident data, taken seriously.

We build software for aged care. Resident data, dietary safety, and operational continuity are our highest priority. This page documents how.

AU only

Data residency

AES-256

Encryption at rest

7 yrs

Audit retention

99.9%

SLA target

Need a one-page summary to circulate? Printable handout →

Section 2

Data residency + sub-processors

Resident data stays in Australia. Below is the full list of services that touch any part of the Mealward system.

Hosted in Australia

Primary database and authentication run on Supabase, Sydney region (ap-southeast-2). All resident and clinical data is stored at rest in Australia.

ap-southeast-2

Sub-processor	Purpose	Location	Data	Reference
Vercel	Application hosting + CDN	US / AU edge	Request metadata, cached static assets	Security
Supabase	Primary database + auth	Sydney (ap-southeast-2)	All application + resident data	Security
Sentry	Error monitoring	United States	Anonymised error payloads + stack traces	Security
Upstash	Rate-limit cache (Redis)	Sydney	IP + user-id rate-limit counters (ephemeral)	Security
Google Workspace	Corporate email + docs	United States	Internal company correspondence	Security

Section 3

Security controls

Controls in place today across infrastructure, application, and operations.

TLS 1.2+ everywhere

All traffic encrypted in transit; HSTS enforced.

Encryption at rest (AES-256)

Database and backups encrypted by Supabase.

MFA on all admin accounts

Mandatory for every employee with production access.

Row-Level Security on every table

Postgres RLS policies enforce per-organisation isolation at the database layer.

Audit log of every mutation

7-year retention configurable per organisation.

Nightly automated backups

90-day retention; restore tested quarterly.

Dependabot vulnerability scanning

Weekly scans across all repositories.

Sentry error monitoring

Anonymised payloads; no PII in stack traces.

Cloudflare WAF + DDoS protection

Edge filtering on all public endpoints.

ACSC Essential 8 alignment

Target Maturity Level 1 now; Maturity Level 2 within 12 months.

Section 4

Compliance

Australian regulatory frameworks we align to today, plus what is on our certification roadmap.

Australian Privacy Act 1988 + APPs 1â€“13

Aligned

Operational policies map to each Australian Privacy Principle.

Notifiable Data Breaches scheme

Aligned

Documented response runbook; OAIC notification within 72 hours of assessment.

Aged Care Act 2024 / NACA (commenced 2025) + Statement of Rights (s23)

Aligned

We are not an aged-care provider. We support registered providers in demonstrating practices compatible with the Statement of Rights and the Strengthened Quality Standards. See the Statement of Rights mapping below.

ISO 27001 / SOC 2

Roadmap

On our roadmap; targeting audit Q4 2027.

Section 5

Statement of Rights mapping

The NACA (s23) places six categories of rights at the centre of funded aged care. Registered providers must demonstrate that their practices are compatible with each. Mealward is not an aged-care provider, but here is how the system supports providers in meeting that obligation.

Authoritative source: the NACA (commenced 1 November 2025) and the Department of Health, Disability and Ageing’s rights overview. This page is a working summary; final compliance accountability sits with the registered provider.

Live in v1 on mealward.com.auV2 previewships in the next release; live today on next.mealward.com.au

Independence, choice and control

s23(2)(a)â€“(d)

Higher Everyday Living (HEDL) opt-ins (drinks, breakfast, Wi-Fi, Foxtel) are recorded against the resident profile, not held in a manager’s spreadsheet, and roll into the daily charge automatically.
Per-resident dislikes captured separately from clinical allergens, so personal preference is honoured without losing safety signal.V2 preview
Standing breakfast / lunch / dinner orders editable by care staff; the kitchen receives them automatically each morning.V2 preview

Equitable access

s23(2)(e)â€“(g)

Single resident record per facility — no duplicate clipboards by shift, by wing, or by language.
Open-text dietary, cultural, and religious preference fields on the resident profile, so context is not lost when staff change shifts.

Roadmap: Structured cultural / language metadata, and surfacing those preferences on every order screen, is on our roadmap.

Safety and quality

s23(2)(h)â€“(k)

Allergens captured as structured dietary tags; resident profiles surface them prominently on the residents list and on every order screen.
Resident-absence flow keeps meal counts honest — no phantom trays, no missed meals — and is auditable per shift.
IDDSI fluid (0–4) and texture (3–7) levels exposed on the order screen, kitchen ticket, and PCA/GSO print-out so staff cannot serve a non-compliant tray by accident.V2 preview
Clinical "watch out" notes (aspiration, choking, anaphylaxis, diabetic) render with high-contrast warnings on every surface that touches that resident.V2 preview

Privacy

s23(2)(l)â€“(n)

Row-level security in the database scopes every read and write to the resident’s facility and the staff member’s role.
Audit log table records inserts, updates, and deletes against clinical and resident records for review by the registered provider.
All resident data hosted in Sydney (ap-southeast-2); no resident data leaves Australia.

Communication and feedback

s23(2)(o)â€“(q)

Day-75 trial-end alert drafts a family message providers can copy into their existing communications tool, creating a written record.
Family contact captured on every resident profile; available to care staff alongside clinical context.
Feedback / complaint flow on our roadmap; in v1 providers should continue to use their existing complaints management system as required by the Act.

Support, advocacy and connection

s23(2)(r)â€“(t)

Family contact field is the v1 anchor for the registered-supporter relationship under the new Act.
Standing meal preferences travel with the resident, so connection to comfort foods is not lost when staff change shifts or wings.V2 preview

Roadmap: A first-class "registered supporter" record (with My Aged Care alignment) is on our roadmap.

Section 6

Policies + documents

Legal and operational documents are available on request and linked below.

How we collect, use, and protect personal information.

The agreement governing use of Mealward.

Data Processing Agreement

Our role as data processor on your behalf.

Service Level Agreement

Uptime commitments and incident response targets.

Section 7

Reporting a vulnerability

Security researchers â€” we appreciate your help keeping aged-care data safe.

Email us

Send vulnerability reports to [email protected]. Please include reproduction steps and impact.

90-day responsible disclosure

We commit to acknowledging reports within 3 business days and remediating valid issues within 90 days, in line with industry practice.

No paid bug bounty

We do not currently operate a paid bug bounty programme. We do publicly credit researchers (with permission) for valid reports.

Section 8

Contact

Talk to the people behind Mealward.

Support

[email protected]

Legal

[email protected]

Owner

Luke Ferguson, sole trader (ABN 17 977 307 913). [email protected]

Sub-processor

Purpose

Location

Data

Reference

Vercel

Application hosting + CDN

US / AU edge

Request metadata, cached static assets

Security

Supabase

Primary database + auth

Sydney (ap-southeast-2)

All application + resident data

Security

Sentry

Error monitoring

United States

Anonymised error payloads + stack traces

Security

Upstash

Rate-limit cache (Redis)

Sydney

IP + user-id rate-limit counters (ephemeral)

Security

Google Workspace

Corporate email + docs

United States

Internal company correspondence

Security