Provida handles sensitive health information. We've built our infrastructure, processes, and team practices around keeping your data safe and secure.
This page gives you a plain-language overview of how we protect your data. You can also read our Privacy Policy or download the Security Statement (PDF).
Provida is hosted on Amazon Web Services (AWS), in their Sydney data centre. All client data is processed and stored there - it stays within the AU/NZ region. If we ever change that, we'll notify all customers before it happens.
Each customer's data is held in its own separate database. Your data is isolated from other customers' data at the database level - not just by application logic, but by the underlying infrastructure.
Your data is automatically backed up every day. We keep 35 days of full backups, so if something goes wrong, we can restore to any point within that window. Backups are stored on AWS S3 with disk encryption and automatically deleted after 35 days.
All data is encrypted in transit and at rest. HTTPS is enforced across all Provida sites and API endpoints. Database backup storage uses disk encryption. SSL certificates are renewed automatically.
Access to production systems is restricted to authorised Provida staff. We require two-factor authentication for all production access, and follow the principle of least privilege - people get access only to what they need for their role.
We keep audit logs of application interactions and monitor them for unusual activity. The logs are stored in a tamper-resistant system and retained for 90 days. Access to client data by Provida staff is only permitted for legitimate business purposes - such as troubleshooting a support issue you've raised.
Generic shared administrator accounts are not used. Every production account is tied to a named individual.
All Provida employees and contractors go through background checks before they start. Everyone signs a confidentiality agreement, and that obligation continues after they leave. When someone leaves Provida, all of their access is revoked on or before their last day.
Provida is regularly assessed by independent security firms. Our assessments cover:
Findings are tracked, resolved, and verified. We also run automated penetration testing and review application endpoints against the OWASP Top Ten as part of our ongoing development process.
Want to see the latest assessment report? Contact us and we'll share it with you directly.
We monitor our systems continuously. If we confirm that a security or privacy incident has affected you or your data, we'll notify you:
Provida's CTO coordinates all security incident response. You'll hear from us promptly, with clear information about what happened and what we're doing about it.
Provida is a software provider, not a data broker. Your data stays in our AWS environment and is never sold, shared with third parties, or used for any purpose beyond delivering the service you've signed up for.
You can request a copy of your data at any time. When you end your subscription, we delete all of your data following termination of the contract.
Provida complies with the New Zealand Privacy Act 2020. For full details on how we collect, use, disclose, and protect personal information, see our Privacy Policy.
Get in touch and we'll share our most recent independent security assessment. We're happy to walk you through it if that's useful.
If you have a security concern, suspect something isn't right, or need to report an issue - contact us now. We treat security reports seriously and will respond as soon as possible.