Medayo Patient Care Platform

Medayo provides medical and management staff with real time information allowing them to focus on the patient's care.

With the capability of integrating with external systems; Medayo provides a unified view of the patients' journey, overview of the hospital and other care providers.


  • Real-time Care Management
  • Patient Timeline
  • Smart Bed Management
  • Hospital Insights
  • Meaningful and deep customisable reporting
  • Rich API
  • Seamless integration
  • Device agnostic


  • Streamlined patient journey
  • Improved patient care
  • Reduced length of stay
  • Intuitive view of hospital operations
  • Better management of resources
  • Reduced administrative load on staff
  • Identifies discrepancies in patient care
  • Identify infection breakouts


£15000 per unit per month

  • Free trial available

Service documents

G-Cloud 9



Rona MacRae

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Hybrid cloud
Service constraints There are no service constraints.

We will liaise and work with customers on all planned arrangements and any specific configurations required.

Customers can contact Medayo with any questions regarding the solution.
System requirements
  • Medayo runs on any operating system
  • Medayo uses open source software to provide the solution
  • There are no licencing dependencies for the solution
  • Medayo can run Bare metal or in a Hypervisor
  • Medayo requires internet access to receive installation and upgrades
  • High availability mode requires a minimum of three virtual servers

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Medayo will aim to respond to emails within 3 business days (Monday to Friday)
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Priority support is provided as per the following tiers
1 - Service not available (all users and functions unavailable).
Response time: 1 hour
Resolution time: ASAP - Best Effort
Escalation threshold: 2 hours

2 - Significant degradation of service (large number of users or business critical functions affected)
Response time: 2 hours
Resolution time: ASAP - Best Effort
Escalation threshold: 4 hours

3 - Limited degradation of service (limited number of users or functions affected, service use can continue).
Response time: 4 hours
Resolution time: Within one working day
Escalation threshold: 8 hours

4 - Small service degradation (service use can continue, specific user/s affected).
Response time: 8 hours
Resolution time: Within one working day
Escalation threshold: 8 hours

Medayo offers a premium support package which is tailored to your specific needs on a per customer basis.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started When Medayo is deployed users will be keen to start using it. The service is designed to be simple and intuitive to use and with our three day onsite training your staff will able to use it proficiently

We understand that healthcare is a demanding, varied sector thus further training may be required to accommodate staff availability and working patterns. This can be arranged upon request.

Technical aspects of our system are clearly documented and available anytime.

The software contains inbuilt assisted help at the click of a button. Separate user guides are available.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Patient information and it's integrity is at the core of Medayo's services. We will assist in any way possible to ensure the security and transfer of this data should a customer decide to stop using our service.

This will be performed as part of our offboarding process.
End-of-contract process Guidance will be provided on the correct decommissioning of our service and Medayo will work with customers to ensure data is transferred securely and safely to a nominated information asset owner (IAO).

Decommissioning support is provided at our day rate which is available in our pricing document.

We estimate decommissioning and data transfer to take two working days but this will vary based on specific customer needs and setup.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The solution allows hospital staff to interact with Medayo on the move. The mobile service is different in that the user experience is tailored to the smaller screen of smartphones and tablets.

Mobile features include:
- Mobile allows care at the bedside providing instantaneous secure access to the patients care information.
- Mobile data exchange facilitates smooth and accurate handover
- Collaboration controls and exchanges enrich staff interactions, while keeping focus on the patients care
- Record essential encounters with the patient
- Patient centred care checklists
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing No assistive technology testing has be carried out at this time but we believe that this is an important requirement and is an aim for us to complete.

Medayo uses Google Material for it's main UI baseline which has been created with accessibility as one of it's founding principles.
What users can and can't do using the API All functions of Medayo are available via our API. This allows customer's and third party vendors systems (if authorised) to add, amend or retrieve information from Medayo. The API allows complete control including system setup and configuration.

Medayo runs a RESTful API service which can respond with either JSON or XML content type.

The API access is controlled by scopes which allows a fine degree of control over individual/system access levels. For example the "view_patient" scope only allows a user or system to read patient demographics. They are unable to create, modify or interact with the patient record otherwise.

Contact Medayo if you have specific technical questions around our API.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation All workflows can be created and managed by users at specific authentication levels.

System administrators can manage user access to ensure only the right information is visible to the right people. Scopes allow restriction and control of features/data down to an individual user level.

For example users such as hospital managers with the scope "edit_dashboard" will be able to customise dashboard views to show information that is important to them.


Independence of resources Medayo was built with scale in mind utilising the microservices architecture. This allows the business to scale Medayo independently using decentralised load balanced autonomous services.

Each component can be scaled to meet demands of users. For example, if a core hospital system required complex information from the Medayo reporting API, the reporting component can be scaled independently without affecting users.


Service usage metrics Yes
Metrics types Medayo has a range of analytical information about both system usage and health statistics.

- System health check
- System ping
- Uptime
- Server usage
- Node stats
- Service availability
- Cluster health
- Real-time notifications of downtime
- Application logging
- API audit log

All logging is provided through our search giving you rapid in-depth diagnosis.
Reporting types
  • API access
  • Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach All data is available through our API service as JSON or XML.

Medayo also provides reporting which can be exported in a wide range of standard formats. Reports can also be generated via the API for more complex needs.

Due to the secure way in which Medayo is designed, database access and dumps are not directly available by users. This information can be made available to System Administrators by request.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • JSON
  • Hl7
  • SQL
  • PDF
  • XML
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON
  • HL7
  • XML

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Medayo shall use all reasonable commercial efforts to ensure that the Platform is available to 99.9% of the time in any calendar month.

If Medayo do not meet these levels of availability, customers may be eligible to receive a refund in the form of service credits.
Approach to resilience Available on request.
Outage reporting Medayo provides system health checks and metrics. See Analytics
/Metrics section of the application for detailed information on this.

Webhooks are available to be setup by the administrator, providing customisable real time alerting

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Medayo leverages secure management of our services through roles and scopes. These can be configured on a per user basis giving customers complete control to securely manage use of our services.

This configuration can be done using dashboards within the system or controlled via our API ensuring that users are clearly separated within management interfaces. Our access controls are regularly tested as part of our standard software development practices.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards Other
Other security governance standards Medayo follows the guidance for, and aims to comply with, CSA CCM V3.00 but we are not yet accredited.
Information security policies and processes Medayo follows HMG requirements in having named appointees in the positions of Senior Information Risk Owner (SIRO), Departmental Security Officer (DSO) and Information Technology Security Officer (ITSO).

Medayo also requires that all customers have a named appointed Information Asset Owner (IAO) compliant with the UK government security policy framework. This person will be responsible for all data access requests prior to Medayo being contacted.

Nominated information risk assessment, management and other specialists may also be required dependant on the customer's deployment of our service although this is not normally required.

Our Information Security Policy, which is subject to change, is available upon request.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach The source code for the Medayo system is stored in a typical VCS with full tracking of changes to any components. Assessment of potential security impact is embedded as part of our development lifecycle.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Medayo is regularly tested for vulnerabilities and security threats. If vulnerabilities are identified patches will be created and customers will be directly contacted with advice to upgrade. Upgrading is simple and controlled by the customer, with minimum disruption to the service.

Medayo uses a wide range of sources to identify threats and vulnerabilities which are available upon request.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Medayo maintains access and usage audit logs of our services which can be scrutinised via our dashboards and search facility. These logs are also exposed via Medayo's API allowing customers to use specific monitoring tools tailored to their needs.

Any identified compromises are taken extremely seriously and Medayo would work with customers to identify and resolve security issues through our standard support structure.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Medayo handle incident management through our standard support structure to ensure a clear and robust communication pathway for all incidents.

Medayo operate a transparent model of incident reporting and we will endeavour to keep customers abreast of all incidents and their resolution. We appreciate that some incidents may be of a sensitive customer environment specific nature and these would be kept private.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £15000 per unit per month
Discount for educational organisations No
Free trial available Yes
Description of free trial Trial version of Medayo is available upon request and is accessible for a period of one month. This version has all features included.


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑