Skip to main content

How tenderID protects your data

The five-layer security architecture behind tenderID: scan expiration, data minimization, encryption, instant deactivation, and family alerts.

tenderID is designed around a deliberate trade-off: emergency access needs to be frictionless (no login, no app required), but the underlying information still has to stay safe. Here's how that's resolved.

The core security architecture

1. Scan links expire after 24 hours

Each scan of the QR code generates a fresh, time-limited link. The page that opens expires after 24 hours.

This means a scan can't be saved, bookmarked, or forwarded for ongoing access. A link shared with someone else, or left open in a browser, goes stale within a day. The physical card stays scannable, but no scan produces a permanent window into the information.

2. You control exactly what's shown

tenderID only shows the specific subset of vault information you've chosen to include. We recommend against putting in full Social Security numbers, financial account information, or anything beyond what's medically necessary for first responders.

The guidance: include medications, allergies, conditions, emergency contacts, and key documents like a DNR. Skip everything else.

See Controlling your tenderID privacy settings for more on what to include.

3. The underlying data is encrypted

All data in tendercare is encrypted at rest and in transit using AES-256, the same standard used by banks and government agencies. tendercare has successfully completed a HIPAA attestation examination.

4. Cards can be instantly deactivated

If a physical card is lost or stolen, you can deactivate it from the app or web. Once deactivated, scanning the QR code displays no information at all.

5. Every scan triggers a family notification

The moment any QR code is scanned, every designated emergency contact receives an automatic text alert. Unauthorized scans don't go undetected. You're notified immediately and can take action.

What if someone finds the card?

A found card can be scanned — that's by design, because the next person to scan it might be a paramedic. But three layers limit what a finder can do with it:

  • The information is intentionally narrow. Medical conditions, medications, allergies, emergency contacts. This data has minimal value to a malicious party compared to financial information like an SSN or account number, and the privacy guidance explicitly tells users not to include that kind of information.

  • You know the moment it's scanned. Every scan triggers a text alert to your emergency contacts, so an unexpected scan is your signal to act.

  • You can shut it off instantly. Deactivate the lost card from the app or web, and from that moment on, scans show nothing. If you want a replacement, we'll mail a new card with a fresh QR code for free.

Related articles

  • Controlling your tenderID privacy settings

  • How tendercare protects your information

  • HIPAA compliance and data security

  • Replacing a lost or damaged tenderID

Related Articles
How to get your free tenderID
Activating your tenderID
Controlling your tenderID privacy settings
Replacing a lost or damaged tenderID
How tendercare protects your information
Did this answer your question?