Deterministic lifecycle
The same request follows the same phases in the same order, every time. No hidden paths, no special cases for “trusted” code.
One core, shared services, ten modules — the two-minute architecture tour.
Explore the platform →Ten modules on one patient record and one ledger — no seams, no re-entry.
See the products →Be first — on terms that make first safe. Staged payments, escrow, founding pricing.
Explore the programme →Score your facility across ten dimensions in fifteen minutes.
Get the workbooksoonThe DDRT platform
DDRT is not a suite of applications sharing a login. It is a single platform — one identity model, one permission model, one transaction lifecycle, one audit trail — with every module, from triage to trial balance, running as governed configuration on the same core. This page explains how, in the language your IT team will ask for it.
The shape of the system
Modules never talk to the database, to security, or to each other directly. They run on shared services, which run on the kernel. The dependency direction is one-way and it is enforced by an architecture linter in continuous integration — a forbidden import fails the build, not a code review.
That single rule is why DDRT deploys as one system instead of ten separate projects, and why the ward and the ledger agree by construction.
Modules — configuration on the core · hover any
The kernel knows nothing about medicine, money, or stock — deliberately. Business meaning lives in metadata and modules; governance lives below them, where no module can bend it.
The execution lifecycle
Nothing writes to a DDRT database casually. Every command — a vital sign, a dispense, a journal entry — passes through the same 13-phase pipeline, in order, every time. The pipeline is owned by the kernel; no module or extension can skip a step.
Who are you, and may you do this — answered before anything else happens. Authorization is deny-by-default and evaluated centrally, never inside module code.
The record's rules come from metadata — required fields, types, business checks — and are enforced on the server. The client is a convenience, never the gate.
All-or-nothing inside a kernel-owned transaction. Extensions get named hook points here; none of them can break atomicity, and none may reach outside the building mid-transaction.
Side effects — notifications, claim submissions, ledger postings — run only after the data is safely committed. A failed SMS can never corrupt a saved record.
Reads run a shorter eight-phase path with the same authentication and authorization. Every write is audited end to end; reads of sensitive data are audited too.
The guarantees
These rules come from DDRT's normative engineering blueprints — the platform's constitution. Breaking any of them requires a new major version of the framework, not a sprint.
The same request follows the same phases in the same order, every time. No hidden paths, no special cases for “trusted” code.
Only the kernel opens, commits, or rolls back a transaction. Modules and extensions operate inside boundaries they cannot move.
Every permission decision is made in one place, against one deny-by-default model. There is no second, weaker gate to sneak past.
Every state change is attributable — who, what, when, from where. Reads of sensitive data are audited too, not just writes.
External calls — payment providers, SMS, insurers — are forbidden inside a database transaction. Slow networks can never hold your data hostage.
Minor versions are backward-compatible by rule. Your configuration and extensions survive updates — that is a contract, not a hope.
Why this matters to a buyer: feature lists converge; guarantees don't. Any vendor can demo a form. Very few can tell you, in writing, what their platform refuses to let happen.
The configuration engine
The platform reads its own definition — tables, fields, forms, workflows, permissions, navigation — from metadata at startup. Adapting DDRT to your institution is a governed configuration exercise, not a software project with a release train.
The proof it generalizes: the same kernel behind the full hospital build also drives a complete packaged-water product — production, route sales, an offline field app — and a multi-channel retail POS. Different industries, same kernel, different metadata.
Extensibility
When configuration isn't enough, DDRT extends through controlled hooks — additive only, at named lifecycle points, inside the same governance as everything else.
Extensions attach at Before-Validate, Before-Save, After-Save, and After-Commit — the same phases you saw above. Nowhere else.
Touch the database directly, override the lifecycle, grant permissions, or call external systems inside a transaction. These are architectural walls, not review comments.
An architecture linter runs in CI on every change: forbidden imports, lifecycle bypasses, and boundary violations fail the build automatically.
Security & trust
Security isn't a module that could be misconfigured off — it's the execution model itself. Every claim below is demonstrable in the live demo, on request, against the running system.
Read the security overviewAI on the platform
Assistants are embedded in the workstations — summarizing patient timelines, drafting claims, flagging stock-outs — and they obey the same rules as the humans they help: scoped to the user's role, grounded in your institution's data, and audited on every read. On the appliance, AI can run entirely on your own hardware — so patient data never has to leave the building.
Deployment
Most vendors offer you their cloud and call it a choice. DDRT was engineered for the harder reality — including facilities where power and connectivity cannot be assumed.
We run it, you govern it. Fastest path to live for connected facilities and multi-site groups.
Your infrastructure, your policies, our platform. For institutions with existing IT estates and sovereignty requirements.
A self-contained server image for your server room. Clinical work continues on your local network when the internet doesn't — payments and claims queue and retry.
Next step
The demo runs on the live product, and everything on this page can be shown running — the permission model, the audit trail, the appliance, the offline behaviour. No slideware.