Security & governance
A rota is an authority record. It is treated like one.
Who works when decides pay, safety and fairness. Every mechanism below exists so that the record stays trustworthy even in a busy month.
Access
Passwordless, on purpose
Hospital staff already drown in credentials. Medrota uses one-time emailed sign-in links instead: 32 bytes of entropy, stored only as a SHA-256 hash, single use, 20-minute expiry, rate-limited per address. Sessions are httpOnly cookies that last 30 days and can be ended at any time. The login form never reveals whether an address is registered.
Authority
Roles are enforced where it counts
Scheduler, doctor and sessional are checked on the server for every page and every action, not hidden in the interface. A doctor cannot approve their own trade. A sessional cannot see the review inbox. Platform-level support access is possible but shows a visible banner and writes to the audit log.
Capability gates: restricted posts refuse unauthorized staff in generation, in the cell editor and at claim time. There is no path around the list.
Structural guards: seniors cannot land on nights, and overlapping shifts are rejected when a claim or trade would create them.
Scheduler approval: trades and give-ups apply only after the scheduler signs off, whatever the parties agreed between themselves.
Anti-enumeration: magic-link requests for unknown addresses succeed silently, so the staff list cannot be probed from the login page.
Accountability
The record defends itself
Append-only audit log: every edit to a published rota, every claim, trade decision, leave approval, import and publish records the actor and the moment.
Versioned cells: concurrent edits are detected; the second writer is told to refresh rather than silently winning.
Deterministic generation: a draft can be reproduced exactly from its inputs and seed, so what happened is never a mystery.
Email log: every message the system sends, and its outcome, is stored and reviewable.
Dry-run imports: history enters the system only after a human confirms what the parser read.
Locks over guesses: manual decisions are marked and survive regeneration; the machine never quietly undoes a human.
Scope
Honest about where it is
Medrota is in its founding-department phase. That means a short, real list rather than a wall of badges: data lives in a managed PostgreSQL instance with the application, transport is TLS everywhere, secrets are held server-side, and no analytics or trackers run on this site or in the app. Compliance certifications are not claimed. Departments with specific data-residency or policy requirements should raise them before onboarding, and they will shape the roadmap.