MGP‑Pulse

Healthcare-Grade Security for Midwifery Group Practices

MGP Pulse is built from the ground up to protect sensitive pregnancy and clinical information. Every design decision, from how data is stored to how staff log in, prioritises security and Australian privacy compliance.

Data Protection

AES-256 Encryption for All Clinical Data

Every sensitive field in the database is individually encrypted using AES-256. Even if someone obtained direct access to the database, the clinical data would be unreadable.

  • Client names, contact details, and addresses
  • Dates of birth and estimated due dates
  • Clinical notes and pregnancy records
  • Encryption at rest and in transit (HTTPS/TLS)
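
A sketch of per-field encryption as described above, added here as an example and not MGP Pulse's own code. The page states only "AES-256"; the GCM mode, the stored layout, the binding of each ciphertext to its record ID and field name, and all function names are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumed layout of a stored value: base64(iv[12] || tag[16] || ciphertext).
const IV_LEN = 12;
const TAG_LEN = 16;

// Bind each ciphertext to its row and column so it cannot be moved elsewhere.
function fieldContext(recordId, fieldName) {
  return Buffer.from(`${recordId}:${fieldName}`, 'utf8');
}

function encryptField(key, recordId, fieldName, plaintext) {
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce for every field value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(fieldContext(recordId, fieldName));
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ciphertext]).toString('base64');
}

function decryptField(key, recordId, fieldName, stored) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('stored value too short');
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ciphertext = raw.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(fieldContext(recordId, fieldName));
  decipher.setAuthTag(tag);
  // final() throws if the tag, ciphertext, key or context does not match.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// Constructed demo: a random key stands in for one loaded from a secret store.
function demo() {
  const key = crypto.randomBytes(32);
  const stored = encryptField(key, 'client-1001', 'date_of_birth', '1994-03-17');
  return decryptField(key, 'client-1001', 'date_of_birth', stored);
}
```

Because the nonce is random, equal plaintexts produce different stored values, so a database dump does not reveal which clients share a due date or surname.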

Australian Data Residency

All data is stored on servers hosted in Sydney, Australia by OVH, one of the world's largest independent hosting providers. No data is transferred overseas. This satisfies APP 8 of the Australian Privacy Principles and ensures your practice's client data remains subject to Australian law.

  • Hosted by OVH Sydney, Australia
  • No international data transfers
  • APP 8 compliant

Automated Backups

The database is backed up automatically throughout the day. In the event of a hardware failure or data loss, recent data can be restored quickly. All backups are retained for seven days and stored within Australia.

  • Automated daily backups
  • 7-day backup retention
  • All backups stored in Australia

Access Control

Mandatory Two-Factor Authentication

All staff logins require two-factor authentication via SMS. After entering a password, a six-digit code is sent to the staff member's registered mobile number. The code expires in five minutes and is limited to three attempts. There is no opt-out — 2FA is enforced for every account.
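
The verification rules above (six digits, five-minute expiry, three attempts) as an added sketch, not MGP Pulse's own code. The in-memory `Map`, the function names and the status strings are assumptions, and SMS delivery is left out.

```javascript
const crypto = require('node:crypto');

const CODE_TTL_MS = 5 * 60 * 1000; // code expires in five minutes
const MAX_ATTEMPTS = 3;            // limited to three attempts

// HMAC gives fixed-length digests, so timingSafeEqual accepts input of any length.
function digest(salt, code) {
  return crypto.createHmac('sha256', salt).update(String(code)).digest();
}

// Issue a fresh code for a user who has already passed the password step.
// `store` is a Map standing in for a server-side session store (assumption).
function issueCode(store, userId, now = Date.now()) {
  // randomInt draws from the CSPRNG without modulo bias; pad to keep six digits.
  const code = crypto.randomInt(0, 1_000_000).toString().padStart(6, '0');
  const salt = crypto.randomBytes(16);
  store.set(userId, {
    salt,
    hash: digest(salt, code),
    expiresAt: now + CODE_TTL_MS,
    attempts: 0,
  });
  return code; // handed to the SMS gateway, never logged
}

function verifyCode(store, userId, submitted, now = Date.now()) {
  const entry = store.get(userId);
  if (!entry) return 'no_code';
  if (now >= entry.expiresAt) {
    store.delete(userId);
    return 'expired';
  }
  entry.attempts += 1; // count the attempt before comparing
  if (crypto.timingSafeEqual(entry.hash, digest(entry.salt, submitted))) {
    store.delete(userId); // single use: a replayed code finds nothing
    return 'ok';
  }
  if (entry.attempts >= MAX_ATTEMPTS) {
    store.delete(userId); // third miss burns the code; a new one must be issued
    return 'too_many_attempts';
  }
  return 'wrong_code';
}
```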

Role-Based Access

Staff access is controlled by a role-based permission system. All staff, midwives, administrators, and system managers each have clearly defined access levels. No staff member can access data outside their assigned Midwifery Group Practice; this is enforced at the database level on every query, not just in the user interface.

Automatic Session Management

Access tokens expire after 15 minutes and are refreshed silently in the background. Sessions persist for 90 days on trusted devices but can be revoked instantly by an administrator if a device is lost or a staff member leaves.

Account Lockout

After five consecutive failed login attempts, an account is locked and requires an administrator to reset it. This protects against brute-force attacks on staff credentials.

Audit Trails

7-Year Compliance Audit

Every change to a client record, pregnancy record, or event is captured in a separate audit database by database-level triggers — not application code. This means the audit trail cannot be bypassed or altered through the application. Records are retained for seven years to meet Australian healthcare record-keeping requirements.

6-Month Staff Transparency Audit

A second, more detailed audit log captures staff activity in full clinical context for the past six months. This supports internal governance and allows practice managers to review access patterns if a concern is raised.

Application-Level Logging

System events including authentication attempts, security incidents, application errors, and access activity are logged in categorised files by environment. Security events are logged separately from routine access events for faster incident triage.

Privacy Compliance

Australian Privacy Principles (APPs)

MGP Pulse is operated by A-BASE TECH AU PTY LTD (ABN: 98 691 196 782) and is designed to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles. Our privacy policy is publicly available.

  • Only data necessary for midwifery care coordination is collected
  • Data is used exclusively for clinical scheduling and care management
  • Client data is strictly isolated between different MGP practices
  • No data is shared with third parties for commercial purposes
  • Staff can only access records within their assigned practice

Notifiable Data Breaches (NDB) Scheme

MGP Pulse maintains a documented breach response procedure aligned with the Privacy Act NDB Scheme obligations. In the event of an eligible data breach, we will notify the Office of the Australian Information Commissioner (OAIC) and coordinate with affected practices to notify their clients as required by law.

Multi-Tenancy Data Isolation

MGP Pulse supports multiple independent Midwifery Group Practices on the same platform. Data isolation is enforced at the database query level using a filter on every query, not through separate databases or manual filtering.

Midwives in Practice A have no technical ability to access or view data belonging to Practice B.

Infrastructure

Hosting

  • Provider: OVH (Sydney, Australia)
  • Location: All data stored and processed in Australia
  • Protocol: HTTPS/TLS on all connections

Network Security

  • 100 requests per 15 minutes per IP (rate limiting)
  • CORS policy restricts API access to authorised origins
  • Security headers enforced via Helmet.js on all API responses
  • Input validation on all endpoints to prevent injection attacks

Shared Responsibility

MGP Pulse provides the technical platform, encryption, access controls, and audit infrastructure. The MGP practice or health service is responsible for:

  • Managing which staff have accounts and keeping access lists current
  • Ensuring staff devices meet basic security requirements
  • Notifying MGP Pulse promptly if a staff member leaves or a device is lost
  • Obtaining appropriate consent from clients for data collection (as required under APP 5)

This shared responsibility model is consistent with Australian cloud service guidelines for healthcare organisations.

Security Questions or Vulnerability Disclosures

For security questions, vulnerability disclosures, or compliance enquiries, contact us directly.

A-BASE TECH AU PTY LTD
ABN: 98 691 196 782
Email: contact@mgp-pulse.com.au