For medical spas and aesthetic clinics that need HIPAA-grade records without the IT lift. Delam is medspa EMR software that stores encrypted patient records, treatment plans, before/after photos, per-appointment consent capture, injection and laser logs, and SOAP notes. It is the EMR layer of Delam's membership-first aesthetic clinic software, scoped to PIPEDA, Quebec Law 25, and Ontario PHIPA. Data lives in Canadian data centers. Every PHI field is encrypted at rest with AES-256. Every access is written to an audit log and retained for seven years. Medspa EMR software should be HIPAA compliant by design, not bolted on.
The problem
Family-medicine EMRs model lab values and prescriptions. Aesthetic clinic software should model injection sites, laser settings, before/after photos, and consent capture tied to a specific appointment. Medspa EMR software is a different category.
Family-medicine EMRs track prescriptions and lab values. They do not model injection sites, unit counts, laser settings, or modality-specific contraindications. Staff end up dropping clinical detail into free-text boxes that never surface again.
Before/after photos in Dropbox, Google Drive, or a shared drive become a reportable breach under PHIPA, PIPEDA, and Quebec Law 25 the moment a link leaks. Most medspa software bolts photos onto a booking tool without consent capture, revocation, or audit logging.
Booker, Mindbody, and Vagaro keep patient data in US regions. That forces Canadian clinics into a cross-border transfer conversation every time a patient asks where their records live. Medspa EMR software should default to Canadian data centers.
What medspa EMR software actually needs
The chart is the product. Demographics, treatment plans, allergies, consent capture, SOAP notes, before/after photos, prescriptions: all modelled as structured objects, not free-text blobs. That structure is what separates medspa EMR software from a general-purpose note pad.
Patient demographics. Identifiers, emergency contacts, insurance. Every PHI field is encrypted at rest with AES-256-GCM under column-level data keys, with the envelope keys that wrap them rotated quarterly.
Treatment plans. Neuromodulators, fillers, laser, body contouring, IV therapy. Multi-visit treatment plans with contraindications, dosing ladders, and post-care wired in.
Allergies. Structured allergen list, interaction flags, and red banners across booking, patient header, and the staff mobile app. NDF-RT coded.
Consent capture. Signed consent linked to the specific appointment, provider, and treatment. Immutable, with version history per CPSO and CNO standards.
Before/after photos. Supabase private bucket, 1-hour signed URLs, PhotoConsent gate on every upload. Revocation propagates in under 60 seconds.
SOAP notes. Subjective, Objective, Assessment, Plan. Structured fields plus free text, immutable after signoff with a signed revision log.
Injection and laser logs. Unit counts per site, lot numbers, laser fluence and pulse width, device IDs. Every log line is audited for adverse-event traceability.
Audit logging. Every read, write, and export flows through auditPHIAccess(). Retained seven years. Captures staff ID, purpose, IP, device, and jurisdiction.
Why Delam is different
Three architectural decisions that separate Delam's medspa EMR software from generic practice management tools and US-first competitors.
01 · Modality-native
Most medspa EMR software is a family-medicine chart with a medspa skin. Delam models injection sites, unit counts, laser settings, lot numbers, and device IDs as first-class fields. Clinical detail stays queryable, not trapped in free-text.
8 modalities modelled natively
02 · Consent-first architecture
PhotoConsent is a required foreign key on every before/after photo, and the upload path additionally rejects a consent row that is unsigned or revoked, since a foreign key alone only proves that a row exists. Treatment plans cannot post a session until a signed consent row exists. Compliance is enforced in the database, not in the UI.
100% of uploads consent-gated
03 · Canadian by default
Patient data lives in Supabase Toronto and AWS ca-central-1. Consent templates ship bilingual (en-CA + fr-CA). Automated-decision disclosures fire before AI touches any record, per Quebec Law 25 transparency rules.
100% of PHI in Canada
Compliance deep-dive
At rest, every PHI field is encrypted with AES-256-GCM under envelope keys rotated quarterly. In transit, TLS 1.3 only. All PHI is resident in Canadian regions; cross-border transfer requires explicit consent and a documented PIA per Quebec Law 25.

Canadian-hosted · ca-central-1
Encryption at rest
Envelope keys rotated quarterly. Every PHI field is encrypted at the column level, not just the disk. The key-encryption keys stay inside a managed KMS and never enter app memory; only wrapped data keys are stored beside the data.
NIST SP 800-175B, SP 800-57 Pt.1 Rev.5 (2020)
Encryption in transit
Exclusively TLS 1.3 with HSTS preload. Stripe webhooks are verified via HMAC-SHA256 before any state change. No fallback ciphers, no plaintext endpoints.
IETF RFC 8446
Data residency
Supabase Toronto for files, AWS ca-central-1 for Postgres. Point-in-time recovery retained for 30 days. No cross-border transfer without explicit patient consent and a documented PIA.
Quebec Law 25, Article 17 (2024)
Audit logging
Every read, write, and export flows through auditPHIAccess(). Staff ID, purpose, IP, device, and jurisdiction captured on each event. One ledger, one query.
CPSO Policy 4-12 (2024)
Access is role-based with a 5-minute permission cache, which means a permission you revoke can survive for up to five minutes on an already-authenticated session before the cache refreshes. Every read or mutation routes through auditPHIAccess() and appends to an immutable ledger retained for seven years, the CPSO Policy 4-12 minimum, configurable to ten years for pediatric records under Ontario PHIPA. Staff see only the fields their role grants them, and owners bypass nothing silently: every override is logged.
Delam's medspa EMR software is architected to HIPAA standards today. SOC 2 Type II plus HIPAA attestation land Q2 2026, ahead of the US enterprise rollout. A Business Associate Agreement is available on request for US clinics that need BAA coverage before attestation lands.
Photo consent workflow
The PhotoConsent model is first-class. No consent row, no upload. Revocation cascades through signed URLs, CDN caches, and staff view-state in under a minute, per CPSO and CNO advertising rules.
01 · Capture
Before any photo uploads, the patient signs a PhotoConsent record specifying intended use (internal vs public), whether first name can be published, and whether photos may appear in staff training material.
02 · Gate
The backend middleware blocks any upload whose appointment or treatment is missing a valid, non-revoked PhotoConsent row. No consent row, no bytes stored, no exceptions.
03 · Store
Files land in a private Supabase bucket. Staff and patients only ever receive short-lived signed URLs (1-hour expiry). Public URLs do not exist in this system.
04 · Revoke
If the patient revokes consent, revokedAt is set, existing signed URLs stop resolving, and downstream caches flush in under 60 seconds, bounded by the edge TTL. Every revocation writes an audit log entry.
Compliance in numbers
AES-256
Field-level PHI encryption at rest
Column-level envelope keys, rotated quarterly.
Source: NIST SP 800-175B
ca-central-1
Canadian data residency
100% of PHI in Canadian regions.
Source: Quebec Law 25, Article 17
7 yrs
Audit logging retention
Immutable. Configurable to 10 yrs for pediatrics.
Source: CPSO Policy 4-12, PHIPA
0 hard-deletes
Patient record durability
Soft-delete via deletedAt. Always reversible.
Source: Quebec R-22.1 retention rules
How it works · 7-day rollout
Migrate from your current practice management tool to Delam's medspa EMR software without double-entry. White-glove migration is included for Growth customers. Self-serve CSV + connector for Starter.
01
Add your clinic(s), import staff, and link your Stripe account for memberships, deposits, and payouts.
02
Pull patients, charts, and payment methods from your existing EMR or practice management tool via CSV or direct connector.
03
Set templates per modality. Consent clauses, contraindications, and post-care instructions link automatically to every appointment.
04
Configure role-based access control; permissions are cached for 5 minutes. Run a 30-minute SOAP notes training for your clinical team.
05
Enable consent capture on the branded patient app. Rehearse a full appointment end-to-end, from booking through before/after photos.
06
Accept live appointments. Monitor the audit logging dashboard for the first 48 hours and tighten any role that has been granted more access than it uses.
07
Review audit reports, tighten permissions per role, and archive any migration exceptions flagged during the first week.
“The audit logging alone justified the switch. Every PHI read, every photo view, every consent change, one ledger, seven years, one query away.”
Get started
Preview your branded app in two minutes. White-glove migration included. Medspa EMR software, live in 24 hours.