Infrastructure
OnRounds is hosted entirely on Microsoft Azure, one of the world's most widely certified cloud platforms. We use the following Azure services, all provisioned within the Australia East (Sydney) region:
- Azure App Service — hosts both the Next.js frontend and the Node.js/Express backend
- Azure Cosmos DB — stores all application data including messages, roles, teams, and shift records
- Azure Blob Storage — stores images shared within clinical communications, accessed via time-limited Shared Access Signature (SAS) tokens
By hosting all infrastructure within Australia, we ensure complete data sovereignty. No data is replicated to, processed in, or transmitted through servers outside of Australia.
Authentication and Access Control
OnRounds delegates all authentication to Microsoft Entra ID (formerly Azure Active Directory). This provides enterprise-grade identity management including single sign-on (SSO) with your organisation's existing Microsoft 365 or Azure AD tenant, support for multi-factor authentication (MFA) as configured by your organisation, and centralised account provisioning and deprovisioning by your IT administrators.
OnRounds does not store passwords. Your authentication session is managed entirely by Microsoft's identity platform, and access tokens are validated on every API request.
Encryption
In Transit
All connections to OnRounds are encrypted with TLS (Transport Layer Security). This applies to the web application, the API, and push notification delivery. Unencrypted HTTP requests are automatically redirected to HTTPS.
At Rest
All data stored in Azure Cosmos DB and Azure Blob Storage is encrypted at rest using Azure-managed encryption keys. This is enabled by default on all Azure storage services and requires no user configuration.
Push Notification Security
OnRounds delivers push notifications using the Web Push protocol with VAPID (Voluntary Application Server Identification) keys. This is a standards-based approach that does not rely on third-party push notification services. Notification payloads are encrypted end-to-end between the OnRounds server and your browser using the keys exchanged during subscription. Push subscriptions are stored per device and are automatically invalidated when they expire or become unreachable.
Progressive Web App Security
OnRounds is delivered as a Progressive Web App (PWA), which runs within your browser's security sandbox. This means:
- The application is subject to the same-origin policy and the browser security protections that apply to any web application
- It does not require installation from an app store and does not request access to device features beyond what is needed (camera for image sharing, notifications)
- All code is delivered over HTTPS from our verified domain
Data Retention and Audit
In healthcare environments, communication records may need to be reviewed for clinical governance, incident investigation, or regulatory compliance. OnRounds retains all messages, images, and handover notes using a soft-delete model — content may be hidden from the user interface but is never permanently erased from the database.
This approach ensures a complete, tamper-resistant audit trail that supports your organisation's compliance obligations.
Data Sharing
Docworks does not sell, rent, or share your data with any third party for marketing, advertising, or analytics purposes. The only third-party infrastructure provider involved is Microsoft Azure, which acts as a data processor under enterprise service agreements and does not access your data for its own purposes.
Compliance
OnRounds is designed to support compliance with the Australian Privacy Principles under the Privacy Act 1988 (Cth). Our infrastructure choices — Australian-only hosting, enterprise authentication, full encryption, and comprehensive audit trails — are specifically intended to meet the expectations of healthcare organisations and their regulatory obligations.
For detailed information about how we handle personal data, please refer to our Privacy Policy.
Questions
If you have questions about OnRounds' security practices or would like to discuss our approach with your IT or information security team, please get in touch.
Docworks — Security Inquiries
Email: support@docworks.com.au
Location: Shepparton, Victoria, Australia