Trust · Security
Clinic Data Security
Security in operational tooling is mostly about doing fewer things — collecting less, exposing less, and isolating each clinic's work from every other clinic's work.
Reminders notify everyone. NoShowFlow shows who actually needs attention.
Transport and storage
- All uploads occur over HTTPS
- Data at rest is encrypted in the managed Postgres backend
- Access is gated by row-level security policies, not by application code alone
Multi-tenant isolation
Each upload is bound to an analysis session. Cleanup, regeneration, and report rendering all operate against that session ID. One clinic cannot trigger an action that affects another clinic's data — this is enforced at the RPC and policy layer.
Minimum data by design
NoShowFlow does not require diagnoses, clinical notes, billing identifiers, or full patient identifiers. The fields we ask for are the fields needed to rank a schedule: appointment timing, type, lead time, and an anonymous patient reference.
Operator responsibilities
- Export only the columns required for analysis
- Use an anonymous patient reference (e.g. internal record number) rather than full names where possible
- Treat the printed report as a clinical document and store it accordingly