
Trust and security at Mealward

We build software for aged care. We treat resident data, dietary safety, and operational continuity as our highest priority. This page documents how.


Section 2

Data residency + sub-processors

Resident data stays in Australia. Below is the full list of services that touch any part of the Mealward system.

Hosted in Australia (ap-southeast-2)
Primary database and authentication run on Supabase, Sydney region (ap-southeast-2). All resident and clinical data is stored at rest in Australia.
Sub-processor | Purpose | Location | Data processed | Reference
Vercel | Application hosting + CDN | US / AU edge | Request metadata, cached static assets | Vendor security page
Supabase | Primary database + auth | Sydney (ap-southeast-2) | All application + resident data | Vendor security page
Sentry | Error monitoring | United States | Anonymised error payloads + stack traces | Vendor security page
Upstash | Rate-limit cache (Redis) | Sydney | IP + user-id rate-limit counters (ephemeral) | Vendor security page
Google Workspace | Corporate email + docs | United States | Internal company correspondence | Vendor security page

Section 3

Security controls

Controls in place today across infrastructure, application, and operations.

TLS 1.2+ everywhere

All traffic encrypted in transit; HSTS enforced.

Encryption at rest (AES-256)

Database and backups encrypted by Supabase.

MFA on all admin accounts

Mandatory for every employee with production access.

Row-Level Security on every table

Postgres RLS policies enforce per-organisation isolation at the database layer.

Audit log of every mutation

7-year retention configurable per organisation.

Nightly automated backups

90-day retention; restore tested quarterly.

Dependabot vulnerability scanning

Weekly scans across all repositories.

Sentry error monitoring

Anonymised payloads; no PII in stack traces.

Cloudflare WAF + DDoS protection

Edge filtering on all public endpoints.

ACSC Essential 8 alignment

Target Maturity Level 1 now; Maturity Level 2 within 12 months.

Section 4

Compliance

Australian regulatory frameworks we align to today, plus what is on our certification roadmap.

Australian Privacy Act 1988 + APPs 1–13: Aligned
  Operational policies map to each Australian Privacy Principle.
Notifiable Data Breaches scheme: Aligned
  Documented response runbook; OAIC notification within 72 hours of assessing a breach as notifiable.
Aged Care Act 2024 + Statement of Rights (s23): Aligned
  We are not an aged-care provider. We support registered providers in demonstrating practices compatible with the Statement of Rights and the Strengthened Quality Standards. See the Statement of Rights mapping below.
ISO 27001 / SOC 2: Roadmap
  On our roadmap; targeting audit Q4 2027.

Section 5

Statement of Rights mapping

The Aged Care Act 2024 (s23) places six categories of rights at the centre of funded aged care. Registered providers must demonstrate that their practices are compatible with each. Mealward is not an aged-care provider, but here is how the system supports providers in meeting that obligation.

Authoritative source: the Aged Care Act 2024 (commenced 1 November 2025) and the Department of Health, Disability and Ageing’s rights overview. This page is a working summary; final compliance accountability sits with the registered provider.

Legend: untagged items are live in v1 on mealward.com. Items tagged [V2 preview] ship in the next release and are live today on next.mealward.com.
Independence, choice and control
s23(2)(a)–(d)
  • Higher Everyday Living (HEDL) opt-ins (drinks, breakfast, Wi-Fi, Foxtel) are recorded against the resident profile, not held in a manager’s spreadsheet, and roll into the daily charge automatically.
  • Per-resident dislikes captured separately from clinical allergens, so personal preference is honoured without losing safety signal. [V2 preview]
  • Standing breakfast / lunch / dinner orders editable by care staff; the kitchen receives them automatically each morning. [V2 preview]
Equitable access
s23(2)(e)–(g)
  • Single resident record per facility — no duplicate clipboards by shift, by wing, or by language.
  • Open-text dietary, cultural, and religious preference fields on the resident profile, so context is not lost when staff change shifts.

Roadmap: Structured cultural / language metadata, and surfacing those preferences on every order screen, is on our roadmap.

Safety and quality
s23(2)(h)–(k)
  • Allergens captured as structured dietary tags; resident profiles surface them prominently on the residents list and on every order screen.
  • Resident-absence flow keeps meal counts honest — no phantom trays, no missed meals — and is auditable per shift.
  • IDDSI fluid (0–4) and texture (3–7) levels exposed on the order screen, kitchen ticket, and PCA print-out so staff cannot serve a non-compliant tray by accident. [V2 preview]
  • Clinical "watch out" notes (aspiration, choking, anaphylaxis, diabetic) render with high-contrast warnings on every surface that touches that resident. [V2 preview]
Privacy
s23(2)(l)–(n)
  • Row-level security in the database scopes every read and write to the resident’s facility and the staff member’s role.
  • Audit log table records inserts, updates, and deletes against clinical and resident records for review by the registered provider.
  • All resident data hosted in Sydney (ap-southeast-2); no resident data leaves Australia.
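The two controls above (per-facility row-level security and an audit log of every mutation, also listed under Security controls in Section 3) are easiest to see in code. The block below is an added illustration and is not Mealward's schema: table names, column names, the `authenticated` role, and the JWT claim layout (`app_metadata.facility_id`, `app_metadata.role`) are all assumptions; `auth.uid()` and `auth.jwt()` are the helper functions Supabase provides in its `auth` schema.

```sql
-- Added example, not Mealward's own schema. Assumes Supabase Postgres, the
-- built-in "authenticated" role, and a JWT carrying app_metadata.facility_id
-- and app_metadata.role. All names below are hypothetical.

create table residents (
  id           uuid primary key default gen_random_uuid(),
  facility_id  uuid not null,
  full_name    text not null,
  allergens    text[] not null default '{}',
  created_at   timestamptz not null default now()
);

create table audit_log (
  id           bigserial primary key,
  table_name   text not null,
  row_id       uuid not null,
  facility_id  uuid not null,
  action       text not null check (action in ('INSERT', 'UPDATE', 'DELETE')),
  actor        uuid,                      -- auth.uid() of the staff member
  old_row      jsonb,
  new_row      jsonb,
  occurred_at  timestamptz not null default now()
);

-- Helpers that read the caller's JWT claims (assumed claim layout).
create or replace function current_facility_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'facility_id', '')::uuid
$$;

create or replace function current_role_claim() returns text
language sql stable as $$
  select auth.jwt() -> 'app_metadata' ->> 'role'
$$;

-- RLS on residents: once enabled, everything is denied unless a policy allows it.
alter table residents enable row level security;

create policy residents_read on residents
  for select to authenticated
  using (facility_id = current_facility_id());

create policy residents_insert on residents
  for insert to authenticated
  with check (facility_id = current_facility_id()
              and current_role_claim() in ('care_staff', 'manager'));

create policy residents_update on residents
  for update to authenticated
  using (facility_id = current_facility_id()
         and current_role_claim() in ('care_staff', 'manager'))
  with check (facility_id = current_facility_id());   -- cannot move a row to another facility

create policy residents_delete on residents
  for delete to authenticated
  using (facility_id = current_facility_id()
         and current_role_claim() = 'manager');

-- Audit log: readable by facility managers only; no INSERT/UPDATE/DELETE policy
-- for staff, so it is append-only via the trigger below.
alter table audit_log enable row level security;

create policy audit_read on audit_log
  for select to authenticated
  using (facility_id = current_facility_id() and current_role_claim() = 'manager');

-- SECURITY DEFINER so the insert runs as the function owner (the table owner,
-- who is not subject to RLS), even though the caller has no INSERT policy.
create or replace function record_audit() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  insert into audit_log (table_name, row_id, facility_id, action, actor, old_row, new_row)
  values (
    tg_table_name,
    case when tg_op = 'DELETE' then old.id else new.id end,
    case when tg_op = 'DELETE' then old.facility_id else new.facility_id end,
    tg_op,
    auth.uid(),
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return null;   -- AFTER trigger: return value is ignored
end
$$;

create trigger residents_audit
  after insert or update or delete on residents
  for each row execute function record_audit();

-- Constructed check: seed two facilities as the owner (bypasses RLS), then
-- simulate a care-staff JWT for facility A. PostgREST exposes the verified
-- JWT to Postgres through the request.jwt.claims setting that auth.jwt() reads.
begin;
insert into residents (facility_id, full_name) values
  ('11111111-1111-1111-1111-111111111111', 'Resident in facility A'),
  ('22222222-2222-2222-2222-222222222222', 'Resident in facility B');
set local role authenticated;
set local request.jwt.claims to
  '{"sub":"33333333-3333-3333-3333-333333333333","role":"authenticated","app_metadata":{"facility_id":"11111111-1111-1111-1111-111111111111","role":"care_staff"}}';
select full_name from residents;
select action, actor, row_id from audit_log;
rollback;
```

The first `select` inside the transaction should list only the facility-A resident; the second should return nothing, because a `care_staff` claim does not satisfy `audit_read`. Two caveats a reviewer would check: the `service_role` key and any role with `BYPASSRLS` ignore these policies entirely, so they must never reach a browser or an edge function that handles user requests; and because the policies trust the `role` claim, whatever issues that claim (not the client) must be the only thing able to set it.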
Communication and feedback
s23(2)(o)–(q)
  • Day-75 trial-end alert drafts a family message providers can copy into their existing communications tool, creating a written record.
  • Family contact captured on every resident profile; available to care staff alongside clinical context.
  • Feedback / complaint flow on our roadmap; in v1 providers should continue to use their existing complaints management system as required by the Act.
Support, advocacy and connection
s23(2)(r)–(t)
  • Family contact field is the v1 anchor for the registered-supporter relationship under the new Act.
  • Standing meal preferences travel with the resident, so connection to comfort foods is not lost when staff change shifts or wings. [V2 preview]

Roadmap: A first-class "registered supporter" record (with My Aged Care alignment) is on our roadmap.

Section 6

Policies + documents

Legal and operational documents are available on request and linked below.

Section 7

Reporting a vulnerability

Security researchers — we appreciate your help keeping aged-care data safe.

Email us

Send vulnerability reports to security@mealward.com. Please include reproduction steps and impact.

90-day responsible disclosure

We commit to acknowledging reports within 3 business days and remediating valid issues within 90 days, in line with industry practice.

No paid bug bounty

We do not currently operate a paid bug bounty programme. We do publicly credit researchers (with permission) for valid reports.

Section 8

Contact

Talk to the people behind Mealward.

Owner
Luke Ferguson, sole trader (ABN 17 977 307 913). hello@mealward.com

Last reviewed May 2026. This page is informational and does not replace contractual terms. Questions? Email legal@mealward.com.