Access Rio Observations stores and protects patient data across multiple secure layers. This article answers common questions about data storage, encryption, monitoring, backups, and what happens to your data when you leave the platform.
Data storage and encryption
This section covers where patient data is stored and how it is protected.
Where is patient identifiable data stored?
Patient identifiable data is stored in the following locations:
Microsoft SQL Server (MSSQL) databases within an Azure SQL Managed Instance.
Azure Service Bus temporarily, while awaiting processing. Data is removed once processed.
Database backups retained in accordance with the Access Data Retention Policy.
How is data encrypted?
All data is protected by multiple layers of encryption:
At rest: Transparent Data Encryption (TDE) is applied to all databases using service managed keys.
In transit: All data transferred internally and externally is encrypted using Transport Layer Security (TLS), minimum TLS 1.2. This includes mobile app to server, server to database, and microservice to microservice communication.
Does the mobile app store any data offline on the device?
Yes. To support offline working, the mobile app caches patient demographics, inpatient admission details, and observations on the device. All cached data is encrypted at rest using native iOS and Android encryption standards. The application is intended for use on Trust managed devices with Mobile Device Management (MDM) controls in place, including remote wipe capability.
Where are data centres located?
All data is stored within UK sovereign regions. The primary data store is located in the UK South Azure region, with UK West acting as the paired backup region.
Security testing and infrastructure
This section covers penetration testing and the security functions provided by Cloudflare.
Has the application undergone penetration testing?
Yes. Access Rio Observations is regularly penetration tested by an independent security firm. Test results, including retest summaries, are available to customers on request. Testing covers Open Web Application Security Project (OWASP) vulnerabilities, tenant isolation, and infrastructure security.
What is Cloudflare's role in the infrastructure?
Cloudflare acts as a reverse proxy, providing the following security functions:
Web Application Firewall (WAF) inspection and filtering of malicious traffic.
Rate limiting protection against brute force and Distributed Denial of Service (DDoS) attacks.
TLS termination Cloudflare decrypts traffic for WAF inspection, then re-encrypts before forwarding to the application servers. No message body data is stored by Cloudflare. Metadata logs are retained for a maximum of four hours.
Can Access Group support staff view patient data?
Access Group support staff can access patient data where necessary to investigate issues or maintain the system. Access is tightly controlled through Azure Privileged Identity Management (PIM) staff must request access for a specific reason, are granted access for a limited time only, and all access is fully audited. Vetting standards for support staff are consistent with those applied to engineers with access to customer Rio systems.
Logging, monitoring and backups
This section covers how the platform is monitored, log retention periods, and backup arrangements.
What monitoring and logging does the platform use?
Access Rio Observations uses Azure Application Insights for application level logging, monitoring, and performance metrics. Infrastructure level logs are stored in Azure Log Analytics workspaces and Azure Activity Logs. All logs are immutable and tamper evident.
How long are logs retained?
Performance and diagnostic logs are retained for 90 days. All efforts are made to exclude personally identifiable information (PII) from application diagnostic logs. Privileged access audit logs are also retained for 90 days by default.
Can we request extended log retention for security purposes?
Log retention is managed at the infrastructure level. Currently, customer specific retention periods cannot be configured independently. All security relevant logs are retained for 90 days as standard.
Are backups geographically redundant?
Yes. All backups are stored in UK based Azure storage accounts. The primary store is UK South; UK West serves as the paired backup region.
What are the disaster recovery targets for the platform?
Recovery Point Objective (RPO) the maximum acceptable data loss: 15 minutes.
Recovery Time Objective (RTO) the maximum acceptable time to restore service: eight hours.
What happens to my data when we leave the platform?
Upon offboarding, all customer data is removed from active SQL databases. Diagnostic logs containing any residual PII will filter out within the 90 day retention window. Due to the multi tenant nature of the system, data removal from historic encrypted backups follows a 12 month schedule this is explicitly documented for General Data Protection Regulation (GDPR) compliance. Full details are provided in the Access Exit Policy.
