Secure authentication
ResFlow uses industry-standard authentication with encrypted sessions, email verification for new accounts, and password requirements designed for research environments. Access to the platform requires a verified account and an approved research site.
Organisation-level data isolation
Each research site operates in its own isolated workspace. Database row-level security ensures participants, studies, bookings, visits, and operational logs from one organisation cannot be accessed by users from another organisation.
Role-based permissions
Site owners, coordinators, investigators, and monitors receive permissions appropriate to their responsibilities. Sensitive actions such as team management, protocol configuration, and booking management are restricted to authorised roles.
Audit logging
Operational changes — including participant updates, bookings, protocol changes, team actions, and study log activity — are recorded in an append-only audit trail with user, timestamp, and organisation context to support site accountability.
Encryption in transit
All connections to ResFlow use HTTPS (TLS). Data transmitted between your browser and our servers, and between ResFlow and integrated services, is encrypted in transit.
Cloud-hosted infrastructure
ResFlow is hosted on modern cloud infrastructure with access controls, automated patching, and monitoring. Application data is stored in managed PostgreSQL with row-level security enforced at the database layer.
Data protection principles
ResFlow is designed so each research site controls its own operational data. We apply least-privilege access, tenant isolation, and audit visibility as core design principles — aligned with the expectations of clinical research organisations handling participant information.