Enrolled patients
Enrolment is currently available to residents in Auckland, Bay of Plenty and Canterbury. An enrolled patient is someone who has chosen Tend as their primary care provider.
We take the security and privacy of your health information very seriously, and this is an overview of some of the measures we take when dealing with your sensitive health information.
This document describes how your data moves from you - via the Tend app - to us and into some of the core systems we use to provide your healthcare.
Documents you upload through the Tend app are stored using Amazon Web Services (AWS), a leading cloud infrastructure provider. Our primary infrastructure is hosted in the AWS US West (Oregon) region, with additional replicas in the AWS Asia Pacific (Sydney) region for disaster recovery.
A New Zealand-based AWS region has only recently become available, and we prefer to be a small fish in a very big pond rather than one of the bigger fish in a small, new and as yet unproven pond.
Your documents are stored in private, dedicated storage that is not publicly accessible, and not accessible to AWS staff or other parties.
Your documents are encrypted both in transit (while being uploaded) using TLS encryption, and at rest (while stored) using AES-256 encryption — the same standard used by banks and government agencies.
Access to your documents is tightly controlled:
Tend Practitioners (Doctors, Nurses and other medical staff) involved in your care can view documents relevant to your treatment. Tend Customer Experience can view some of your documents, depending on their need and role.
Where documents are made viewable, they are accessed via time-limited encrypted links that expire automatically. This applies, for example, when a Customer Experience team member views a document, or when you view one in the app. You can only access your own documents (and those of any dependent accounts) when logged into your Tend account. No public or anonymous access to patient documents is possible. In other words, you cannot see another Tend account holder's information and no other person can see yours.
Your documents are stored using S3, Amazon’s widely-used, industry-standard secure cloud storage service. Documents are delivered through AWS CloudFront, Amazon’s secure content delivery service.
Beyond AWS infrastructure, your uploaded documents are not shared with or stored by any other third-party software or service.
Our core patient management system is Indici, so relevant clinical documents (such as lab results) may be synchronised between Indici and Tend to support your care. This is the same system your GP practice uses to manage your health records.
Your documents are retained securely for as long as they are needed to support your care, in line with New Zealand health information retention requirements.
Some documentation is deleted once it has been verified, for example enrolment identification documents. Other documentation must be retained, for example lab results, and wherever NZ health regulations require it.
When you upload a document, the app requests a time-limited (10-minute) signed upload URL which allows upload to a space which only your account - and our backend systems - have access to.
Other patients do not upload into the same location, and cross-location movement is not possible.
The document is uploaded directly to a temporary holding area and then moved to secure long-term storage by our backend processes.
Temporary files are automatically deleted after 7 days if they have not been processed; in normal operation they are moved to long-term storage immediately.
Documents are stored in our AWS S3 buckets, with cross-region replication configured for disaster recovery. All buckets are configured as private with no public access at the account level, which means that even if a mistake is made and a document is marked as “publicly available”, the account level block prevents it.
Documents are served through AWS CloudFront using cryptographically signed URLs that expire in under one hour. The app returns the authorised user a cryptographically signed URL which stops working within 60 minutes. If needed, the authenticated user (via the app) can request another URL with a similar expiry, provided they are still logged in. This balances security and patient convenience.
The same process happens for designated Tend employees who are using the system via our internal systems.
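As an added, offline illustration (not Tend's own code), the checks below take responses shaped like those the S3 API returns for the public access block, default encryption and lifecycle configuration, using constructed samples, and confirm three of the controls described above: all public access blocked, AES-256 at rest, and unprocessed uploads purged within 7 days. The holding prefix `incoming/` and every sample value are assumptions.

```python
# Constructed samples shaped like boto3's S3 responses (not from a real account).
# The public-access-block shape is the same for the bucket-level (s3) and
# account-level (s3control) API calls.
SAMPLE_PUBLIC_ACCESS_BLOCK = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
    }
}
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_LIFECYCLE = {"Rules": [
    {"ID": "purge-unprocessed-uploads", "Status": "Enabled",
     "Filter": {"Prefix": "incoming/"}, "Expiration": {"Days": 7}},
    {"ID": "keep-documents", "Status": "Enabled",
     "Filter": {"Prefix": "documents/"}, "Expiration": {"Days": 3650}}]}


def public_access_fully_blocked(pab: dict) -> bool:
    """All four flags must be on; one False leaves a path for a mis-marked object to go public."""
    cfg = pab["PublicAccessBlockConfiguration"]
    flags = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(flag) is True for flag in flags)


def default_encryption_is_aes256(enc: dict) -> bool:
    """Default encryption must exist and every rule must apply AES256 (SSE-S3)."""
    rules = enc["ServerSideEncryptionConfiguration"]["Rules"]
    return bool(rules) and all(
        r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] == "AES256"
        for r in rules)


def holding_area_expires_within(lifecycle: dict, prefix: str, max_days: int = 7) -> bool:
    """An Enabled rule scoped to the holding prefix must expire objects within max_days."""
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rule_prefix = rule.get("Filter", {}).get("Prefix", rule.get("Prefix"))
        days = rule.get("Expiration", {}).get("Days")
        if rule_prefix == prefix and days is not None and days <= max_days:
            return True
    return False


def bucket_posture(pab: dict, enc: dict, lifecycle: dict, holding_prefix: str = "incoming/") -> dict:
    """Run every check and return a name -> pass/fail map suitable for an audit record."""
    return {
        "public_access_blocked": public_access_fully_blocked(pab),
        "aes256_at_rest": default_encryption_is_aes256(enc),
        "holding_area_purged_within_7_days": holding_area_expires_within(lifecycle, holding_prefix),
    }
```

Feed the functions the real responses from `get_public_access_block`, `get_bucket_encryption` and `get_bucket_lifecycle_configuration` to turn this into a scheduled posture check.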
Access requires authentication through AWS Cognito (our identity service). All access is role-based — patients can access their own documents, and practitioners can access documents for patients in their care.
All document changes are logged with timestamps. Document metadata is stored in a PostgreSQL database with full audit history. Audit logs are actively monitored in real-time using modern intrusion detection processes and software.
If you have any further questions about how your data is handled, please don’t hesitate to ask.
You are also welcome to make a formal request under the Health Information Privacy Code or the Privacy Act 2020, and we will respond within the required timeframes.