Feature · Medspa EMR software

Medspa EMR software, PHI-grade records for aesthetic clinics.

Delam's EMR is medspa software that stores encrypted patient records, before/after photos, treatment protocols, consent forms linked to appointments, and SOAP notes. It is the EMR layer of Delam's membership-first medspa OS, scoped to PIPEDA, Quebec Law 25, and Ontario PHIPA. Data lives in Canadian data centers, every PHI field is AES-256 encrypted at rest, and every access is recorded in the `auditPHIAccess()` log, which is retained for seven years.

What it stores

Every record an aesthetic practice needs, encrypted, audited, bilingual.

The chart is the product. Demographics, protocols, allergies, consent, SOAP, photos, and prescriptions are all modelled as structured objects, not free-text blobs.

  • Patient demographics

    Identifiers, emergency contacts, insurance. Every PHI field encrypted at rest with AES-256-GCM envelope keys.

  • Treatment protocols

    Neuromodulators, fillers, laser, body contouring, IV therapy. Templates per modality with contraindications wired in.

  • Allergies & medications

    Structured allergen list, interaction flags, and red banners across booking, patient header, and staff mobile app.

  • Consent forms

    Signed consent linked to the specific appointment, provider, and treatment. Immutable with version history per CPSO/CNO.

  • Before/after photos

    Supabase private bucket, 1-hour signed URLs, PhotoConsent gate on every upload. Revocation propagates in under 60 seconds.

  • SOAP notes

    Subjective, Objective, Assessment, Plan: structured fields plus free text. Immutable after signoff, with a signed revision log.

  • ePrescribing roadmap

    PrescribeIT integration launching Q3 2026. Today: generate signed PDF prescriptions from the EMR and send via secure email or fax.

  • Audit log

    Every read, write, and export flows through auditPHIAccess(). Retained 7 years. Includes staff ID, purpose, IP, device, and jurisdiction.

Encryption & Canadian residency

Canadian data, U.S.-grade security.

At rest every PHI field is AES-256-GCM with quarterly key rotation. In transit, TLS 1.3 only. All PHI resident in Canadian regions; cross-border transfer requires explicit consent and a documented PIA per Quebec Law 25.

  • Encryption at rest

    AES-256-GCM

    Envelope keys rotated quarterly. Every PHI field encrypted column-level, not just the disk.

    NIST SP 800-175B · SP 800-57 Pt.1 Rev.5 (2020)

  • Encryption in transit

    TLS 1.3 + HSTS

    Exclusively TLS 1.3 with HSTS preload. Stripe webhooks verified via HMAC-SHA256 before any state change.

    IETF RFC 8446

  • Data residency

    ca-central-1

    Supabase Toronto for files, AWS ca-central-1 for Postgres. Point-in-time recovery retained 30 days.

    Quebec Law 25, Article 17 (2024)

  • Audit ledger

    7-year retention

    Every read, write, and export flows through auditPHIAccess() and records staff ID, purpose, IP, device, and jurisdiction.

    CPSO Policy 4-12 (2024)

Access is role-based with a 5-minute permission cache. Every read or mutation routes through `auditPHIAccess()` and appends to an immutable ledger retained seven years. Seven years is the CPSO Policy 4-12 minimum; retention is configurable to Ontario PHIPA's 10-year requirement for pediatric records.

  • Supabase Toronto & AWS ca-central-1
  • PIPEDA · PHIPA · Quebec Law 25 · R-22.1
  • HIPAA-ready · SOC 2 Type II Q2 2026

Photo consent workflow

Before/after photos, gated by consent.

The PhotoConsent model is first-class. No consent row, no upload. Revocation cascades through signed URLs, CDN caches, and staff view-state in under a minute, per CPSO/CNO advertising rules.

  1. Capture · Patient signs in the branded app

    Before any photo uploads, the patient signs a PhotoConsent record specifying the intended use (internal vs public) and whether their first name can be published.

  2. Gate · requirePhotoConsent middleware

    The backend middleware blocks any upload whose appointment or treatment is missing a valid, non-revoked PhotoConsent row. No consent, no bytes stored.

  3. Store · Private bucket, signed URLs

    Files land in a private Supabase bucket. Staff and patients only ever receive short-lived signed URLs (1-hour expiry). Public URLs do not exist.

  4. Revoke · Propagation in under 60 seconds

    If the patient revokes consent, revokedAt is set, existing URLs are invalidated, and downstream caches flush in under 60 seconds, bounded by the edge TTL.

Compliance in numbers

The specifics that survive an audit.

  • AES-256 · Field-level PHI encryption

    Column-level envelope keys, rotated quarterly. Source: NIST SP 800-175B

  • ca-central-1 · Canadian data residency

    100% of PHI in Canadian regions. Source: Quebec Law 25, Article 17

  • 7 yrs · Audit log retention

    Immutable. Configurable to 10 yrs for pediatrics. Source: CPSO Policy 4-12 · PHIPA

  • 0 hard-deletes · Patient record durability

    Soft-delete via deletedAt. Always reversible. Source: Quebec R-22.1 retention rules

7-day rollout · How to migrate records

Seven days from kickoff to live EMR.

Migrate from your current EMR without double-entry. White-glove migration is included on Growth; self-serve CSV + connector on Starter.

  1. Day 1 · Connect Stripe and locations

    Add your clinic(s), import staff, and link your Stripe account for memberships, deposits, and payouts.

  2. Day 2 · Migrate patient records

    Pull patients, charts, and payment methods from your existing EMR via CSV or direct connector.

  3. Day 3 · Map treatment protocols

    Set templates per modality. Consent clauses, contraindications, and post-care instructions link automatically.

  4. Day 4 · Invite providers

    Role-based access control with 5-minute permission cache. Run a 30-minute SOAP training.

  5. Day 5 · Turn on photo consent

    Enable PhotoConsent capture on the branded patient app. Rehearse a full appointment end-to-end.

  6. Day 6 · Go live

    Accept live appointments. Monitor the audit log dashboard for the first 48 hours.

  7. Day 7 · Lock roles and review

    Review audit reports, tighten permissions per role, and archive any migration exceptions.

Customer testimonial

The audit log alone justified the switch. Every PHI read, every photo view, every consent change, one ledger, seven years, one query away.
Dr. Priya N. · Medical Director · Toronto, ON

FAQs

Common questions about medspa EMR.

Is Delam EMR HIPAA compliant?
Delam is architected to HIPAA standards: audit logging, RBAC, AES-256 at rest, TLS 1.3, and a Business Associate Agreement on request. SOC 2 Type II and HIPAA attestation are targeted for Q2 2026.
Where is patient data stored?
Canadian data centers only (Supabase Toronto + AWS ca-central-1). No cross-border transfer without explicit patient consent and a documented Privacy Impact Assessment.
Can patients access and correct their records?
Yes. Delam ships patient-facing data export and correction endpoints compliant with PIPEDA, PHIPA, and Quebec Law 25. Requests are fulfilled inside the 30-day PIPEDA window.
Does Delam support ePrescribing?
PrescribeIT integration is on the Q3 2026 roadmap. Today, providers generate signed PDF prescriptions from the EMR with e-signature and send via secure email or fax.
How are before/after photos protected?
Stored in a private Supabase bucket with 1-hour signed URLs, linked to a PhotoConsent record, and blocked from upload when consent is missing. Revocation invalidates URLs within 60 seconds.
Can I migrate from my existing EMR?
Yes. Delam imports patients, appointments, chart notes, memberships, and payment methods with zero double-entry. White-glove migration is included for Growth customers.

Get started

Your records, encrypted & audited.

Preview your branded app in two minutes. Migration help included.

  • PHIPA · PIPEDA · Law 25
  • HIPAA-ready Q2 2026
  • Canadian data residency