Trust and securityHosted in Sydney (ap-southeast-2)Privacy Act + APP aligned

Resident data, taken seriously.

Mealward is a meal operations platform — resident data, integrations, and audit evidence share the same security bar. This page documents how we protect both floor staff and IT teams.

AU only
Data residency
AES-256
Encryption at rest
API
Keys + webhooks
7 yrs
Audit retention

Need a one-page summary to circulate? Printable handout →

Section 2

Data residency + sub-processors

Resident data stays in Australia. Below is the full list of services that touch any part of the Mealward system.

Hosted in Australia

Primary database and authentication run on Supabase, Sydney region (ap-southeast-2). All resident and clinical data is stored at rest in Australia.

ap-southeast-2

Vercel

Application hosting + CDN

US / AU edge
Request metadata, cached static assets
View Vercel security page

Supabase

Primary database + auth

Sydney (ap-southeast-2)
All application + resident data
View Supabase security page

Sentry

Error monitoring

United States
Anonymised error payloads + stack traces
View Sentry security page

Upstash

Rate-limit cache (Redis)

Sydney
IP + user-id rate-limit counters (ephemeral)
View Upstash security page

Google Workspace

Corporate email + docs

United States
Internal company correspondence
View Google Workspace security page

Section 3

Security controls

Controls in place today across infrastructure, application, and operations.

TLS 1.2+ everywhere

All traffic encrypted in transit; HSTS enforced.

Encryption at rest (AES-256)

Database and backups encrypted by Supabase.

MFA on all admin accounts

Mandatory for every employee with production access.

Row-Level Security on every table

Postgres RLS policies enforce per-organisation isolation at the database layer.

Audit log of every mutation

7-year retention configurable per organisation.

Nightly automated backups

90-day retention; restore tested quarterly.

Dependabot vulnerability scanning

Weekly scans across all repositories.

Sentry error monitoring

Anonymised payloads; no PII in stack traces.

Cloudflare WAF + DDoS protection

Edge filtering on all public endpoints.

Webhook secrets encrypted at rest

Per-endpoint secrets encrypted; HMAC-SHA256 on every outbound event.

API keys hashed — shown once

Facility-scoped keys; full value never stored after creation. Revoke instantly.

Per-resident AI consent + data export

APP-aligned controls for AI processing, retention config, and resident data export.

ACSC Essential 8 alignment

Target Maturity Level 1 now; Maturity Level 2 within 12 months.

Section 4

Compliance

Australian regulatory frameworks we align to today, plus what is on our certification roadmap.

Australian Privacy Act 1988 + APPs 1–13

Aligned

Operational policies map to each Australian Privacy Principle.

Notifiable Data Breaches scheme

Aligned

Documented response runbook; OAIC notification within 72 hours of assessment.

NACA (New Aged Care Act, commenced 1 November 2025) + Statement of Rights (s23)

Aligned

We are not an aged-care provider. We support registered providers in demonstrating practices compatible with the Statement of Rights and the Strengthened Quality Standards. See the Statement of Rights mapping below.

ISO 27001 / SOC 2

Roadmap

On our roadmap; targeting audit Q4 2027.

Section 5

Statement of Rights mapping

The NACA (s23) places six categories of rights at the centre of funded aged care. Registered providers must demonstrate that their practices are compatible with each. Mealward is not an aged-care provider, but here is how the system supports providers in meeting that obligation.

Authoritative source: the NACA (commenced 1 November 2025) and the Department of Health, Disability and Ageing’s rights overview. This page is a working summary; final compliance accountability sits with the registered provider.

Live in v1 on mealward.com.aulive in current release

Independence, choice and control

s23(2)(a)–(d)
  • HELF (Higher Everyday Living Fee) opt-ins — drinks, premium breakfast, Wi-Fi, Foxtel — are recorded per-resident with written agreement tracking, delivery records, and automatic charge rollup. Meets the Aged Care Act 2024 requirement that HELF services be itemised and demonstrably delivered.
  • Per-resident dislikes captured separately from clinical allergens, so personal preference is honoured without losing safety signal.
  • Meal preferences and dislikes travel with the resident across shifts and wings so comfort foods and refusals are never lost.

Equitable access

s23(2)(e)–(g)
  • Single resident record per facility — no duplicate clipboards by shift, by wing, or by language.
  • Open-text dietary, cultural, and religious preference fields on the resident profile, so context is not lost when staff change shifts.

Roadmap: Structured cultural / language metadata, and surfacing those preferences on every order screen, is on our roadmap.

Safety and quality

s23(2)(h)–(k)
  • Allergens captured as structured dietary tags; resident profiles surface them prominently on the residents list and on every order screen.
  • Resident-absence flow keeps meal counts honest — no phantom trays, no missed meals — and is auditable per shift.
  • IDDSI fluid (0–4) and texture (3–7) levels exposed on the order screen, kitchen ticket, and PCA/GSO print-out so staff cannot serve a non-compliant tray by accident.
  • Clinical notes (swallowing risk, choking, feeding assistance level) are captured on the resident profile and visible on the order screen alongside IDDSI levels.

Privacy

s23(2)(l)–(n)
  • Row-level security in the database scopes every read and write to the resident’s facility and the staff member’s role.
  • Audit log table records inserts, updates, and deletes against clinical and resident records for review by the registered provider.
  • All resident data hosted in Sydney (ap-southeast-2); no resident data leaves Australia.

Communication and feedback

s23(2)(o)–(q)
  • Day-75 trial-end alert drafts a family message providers can copy into their existing communications tool, creating a written record.
  • Family contact captured on every resident profile; available to care staff alongside clinical context.
  • Feedback / complaint flow on our roadmap; in v1 providers should continue to use their existing complaints management system as required by the Act.

Support, advocacy and connection

s23(2)(r)–(t)
  • Family contact field is the v1 anchor for the registered-supporter relationship under the new Act.
  • Meal preferences (likes, dislikes, cultural notes) travel with the resident so connection to comfort foods is never lost when staff change shifts or wings.

Roadmap: A first-class "registered supporter" record (with My Aged Care alignment) is on our roadmap.

Section 6

Policies + documents

Legal and operational documents are available on request and linked below.

Section 7

Reporting a vulnerability

Security researchers — we appreciate your help keeping aged-care data safe.

Email us

Send vulnerability reports to [email protected]. Please include reproduction steps and impact.

90-day responsible disclosure

We commit to acknowledging reports within 3 business days and remediating valid issues within 90 days, in line with industry practice.

No paid bug bounty

We do not currently operate a paid bug bounty programme. We do publicly credit researchers (with permission) for valid reports.

Section 8

Contact

Talk to the people behind Mealward.

Owner

Luke Ferguson, ABN 17 977 307 913. [email protected]

Last reviewed June 2026. This page is informational and does not replace contractual terms. Questions? Email [email protected].