WeGuide Security FAQ

Modified on Fri, 25 Mar 2022 at 03:22 PM

In this article, we answer frequently asked questions about the security of the WeGuide System. If you have any outstanding questions, please reach out to your implementation manager.


Where is your data stored?

The WeGuide databases are hosted in Australia (Sydney) on Amazon Web Services (AWS) via Heroku. The data is hosted in a Private Space, which is a network isolated group of apps and data services with a dedicated runtime environment.

Is participant data encrypted?

All participant data is encrypted at rest with AES-256, block-level storage encryption within the WeGuide databases.

Is the participant data made anonymous?

All identifiable participant data is encrypted at rest with AES-256, block-level storage encryption within the WeGuide databases. 

Clinicians who have been provided with a username/login can see identifiable data from their participants.

In case you integrate with our EMR system, are you retrieving data from our EMR system and storing this in your databases?

WeGuide stores a minimum set of participant details to make sure we can send the right questionnaires to the right participant via the right medium. At a minimum, we need to store their participant identification number, mobile number, e-mail address and appointment date(s) and time(s).

In case you integrate with our EMR system, are you saving data from WeGuide into our EMR system?

No, WeGuide is currently not saving any data into the EMR system; we are only retrieving data.

If we stop using WeGuide what happens to the data?

WeGuide processes the data on behalf of healthcare organisations. Healthcare organisations retain ownership of all information and data that is communicated with and via the WeGuide application. If the contract between WeGuide and a healthcare organisation has ended, all data from this organisation and the associated participants will be deleted from the system if no additional data processing agreement is in place.

What if participants want their data removed from the WeGuide system?

Do you want your data to be removed from WeGuide? You can always indicate this to the party responsible for your data: your own care organisation. You can also contact us and we will be happy to tell you how and where you can submit that request.

How often is data backed up?

Backups occur every day.

Are your employees aware and trained on Cybersecurity?

All employees receive cybersecurity training that is refreshed regularly.

Do you have business continuity and disaster recovery plans? Are you willing to share them?

Yes, business continuity and disaster recovery plans are in place and can be shared upon request.


Does WeGuide have any ISO certification?

WeGuide Pty Ltd is ISO 27001 certified.

What security standards do your datacentres comply with?

Our datacentres comply with the major global security standards, creating a secure platform to keep your data safe. This includes compliance with ISO 27001, ISO 27017, ISO 27018 and SOC 2. Our platform follows the Australian Signals Directorate (ASD) Information Security Manual, the Open Web Application Security Project (OWASP) healthcare guidelines and the Australian Privacy Act 1988.


What kind of security practices are in place to protect our data?

  • Intrusion detection systems and other monitoring systems continuously check for errors and anomalies and help prevent unauthorised access to the system.

  • The application runs on hardened servers with only the necessary services and ports open to the outside world.

  • Web traffic is only permitted over TLS 1.2 and newer.

  • A dedicated firewall ensures that no unwanted connections can be made to any of our servers.

  • We use separate virtual private clouds for each environment (testing, acceptance and production) to reduce risk.

  • Users have individual accounts, and strong passwords are required.

  • Access to data is determined by the organisation administrator and can be granted per user, preventing unauthorised access to data.

  • Sensitive data is encrypted at rest.

  • Application code uses modern techniques to minimise the risk of SQL injection, cross-site scripting (XSS) and other common attacks.

  • Audit logs provide a fine-grained overview of data access and modifications.

  • The maximum number of incorrect login attempts is limited.

  • The duration of login sessions is limited.

What about intellectual property? What belongs to whom?

The WeGuide software is the intellectual property of WeGuide Pty Ltd, a 100% subsidiary company of Curve Tomorrow Pty Ltd.

WeGuide processes the data on behalf of healthcare organisations. Healthcare organisations retain ownership of all information and data that is communicated with and via the WeGuide application. The healthcare organisation provides WeGuide Pty Ltd with access to the data to deliver the services as provided by WeGuide.

How does the consent process work within WeGuide?

  • Healthcare organisations have control over the consent process, through deciding whether a participant is opted in or opted out.

  • Prior to providing their data, participants need to agree to our Terms & Conditions, which outline their rights regarding data and privacy. The conditions are drafted to comply with all Australian healthcare regulations, including the Australian Privacy Principles (1988). Participants (or their legal guardian) are asked to provide their informed consent to this.

  • Participants (or their legal guardian) who receive communication from WeGuide, on behalf of the healthcare organisation, can opt out of receiving communication at any time by replying to the message they have received via e-mail or SMS. After opting out, the participant won’t receive any further communication from WeGuide.

Can you provide information about agreements or proposed agreements with third parties, such as Curve Tomorrow, Amazon and any others?

  • WeGuide is a wholly owned subsidiary of Curve Tomorrow Pty Ltd, a software development company based at the Royal Children’s Hospital.

  • WeGuide has an ongoing contract with Heroku, a cloud platform as a service. Heroku provides WeGuide with fully configured, secure and operational Amazon Web Services (AWS) hosted environments based in Sydney.
