Security & compliance

Built so clinical data is safer here than where it lives today.

Health Hub is a clinical platform first, an app second. Every architectural choice, from where your records live to how a prescription gets cross-checked, is designed to fail safely, log immutably, and survive any single failure of a process, person, or vendor.

The architecture

Six guarantees that don't move when the product does.

Region-split data residency

African patient data lives in African data centres (af-south-1, Cape Town). Indian patient data lives in India (ap-south-1, Mumbai). Cross-border data movement happens only with explicit, logged patient consent. Each JWT carries a region claim, and every database call is checked against it before it runs, so a token issued for one region cannot reach the other region's store.
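The region check described above, as an added example that is not Health Hub's own code. It mints and verifies an HS256 JWT with the standard library, then refuses any data access whose target region differs from the token's region claim. The claim name "region", the two in-memory stores standing in for the regional databases, the patient records and the signing key are all constructed for the example; the page states that real signing keys live in AWS KMS, not in source.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the two regional databases, keyed by patient ID.
REGION_STORES = {
    "af-south-1": {"patient-001": {"name": "A. Mwangi", "region": "af-south-1"}},
    "ap-south-1": {"patient-101": {"name": "R. Iyer", "region": "ap-south-1"}},
}

# Example-only key so the block runs offline. Production keys are in KMS (per the page).
SIGNING_KEY = b"example-only-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, region: str, ttl: int = 300, key: bytes = SIGNING_KEY) -> str:
    """Mint a JWT whose payload carries the (hypothetical) 'region' claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "region": region, "exp": int(time.time()) + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes = SIGNING_KEY) -> dict:
    """Check structure, pinned algorithm, signature, expiry and the region claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    head_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # never honour 'none' or a swapped algorithm
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) < time.time():
        raise PermissionError("token expired")
    if claims.get("region") not in REGION_STORES:
        raise PermissionError("missing or unknown region claim")
    return claims


def fetch_patient(token: str, patient_id: str, target_region: str) -> dict:
    """Gate a database read on the token's region claim.

    The caller names the region it wants to read from; the claim must match,
    so a token issued in ap-south-1 can never reach the af-south-1 store.
    """
    claims = verify_token(token)
    if claims["region"] != target_region:
        raise PermissionError(
            f"region claim {claims['region']!r} does not authorise {target_region!r}")
    store = REGION_STORES[target_region]
    if patient_id not in store:
        raise KeyError(patient_id)
    return store[patient_id]


def access_result(token: str, patient_id: str, target_region: str) -> str:
    """Convenience wrapper returning 'ALLOW' or 'DENY: <reason>'."""
    try:
        fetch_patient(token, patient_id, target_region)
        return "ALLOW"
    except PermissionError as exc:
        return f"DENY: {exc}"
    except KeyError:
        return "DENY: no such patient in this region"


def forge_region(token: str, new_region: str) -> str:
    """Rewrite the region claim without re-signing, as an attacker would try."""
    head_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["region"] = new_region
    forged_payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{head_b64}.{forged_payload}.{sig_b64}"


if __name__ == "__main__":
    tok = issue_token("dr-kenya-01", "af-south-1")
    print(access_result(tok, "patient-001", "af-south-1"))   # ALLOW
    print(access_result(tok, "patient-101", "ap-south-1"))   # DENY (claim mismatch)
    print(access_result(forge_region(tok, "ap-south-1"), "patient-101", "ap-south-1"))  # DENY (bad signature)
```

The check is on the claim, not on the caller's request: the caller must name the region it wants, and a mismatch is a refusal rather than a silent re-route to the other store. Editing the claim in transit fails on the signature check before the region comparison is reached.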

Encryption at every layer

TLS 1.2+ in transit (plaintext HTTP is rejected at the gateway). AES-256 at rest at the storage layer. Field-level encryption on top of that for clinical notes, allergies, conditions, and medications, so those columns are unreadable even to someone holding a raw database dump. JWT signing keys live in AWS KMS, never in environment files or source.

Clinical safety gates that don't fail open

The allergy gate is a rule-based engine, not an LLM. If the service is unavailable, the prescription is held, never bypassed. Overrides require a typed clinical reason from the prescribing doctor and are immutably logged.

Append-only audit logs

Every clinical-record access is logged with user, target patient, action, resource, IP, and user-agent. The audit table is append-only at the database layer: UPDATE and DELETE are revoked from the application role, so the application's own credentials cannot modify or remove an entry.
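An added, runnable illustration of the append-only audit table (example code, not Health Hub's schema). The page's control is role-level: the application role keeps INSERT and SELECT and loses UPDATE and DELETE. SQLite has no roles, so this version enforces the same property with triggers that abort any UPDATE or DELETE, and shows the PostgreSQL-style GRANT/REVOKE the page describes in a comment. Table and column names, the role name and the sample rows are assumptions.

```python
import sqlite3

# The page's production control is role-level. In PostgreSQL terms (names assumed):
#   REVOKE ALL ON audit_log FROM app_rw;
#   GRANT SELECT, INSERT ON audit_log TO app_rw;
# SQLite has no roles, so this runnable version enforces the same append-only
# property with BEFORE UPDATE / BEFORE DELETE triggers that abort the statement.
SCHEMA = """
CREATE TABLE audit_log (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    ts          TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    user_id     TEXT NOT NULL,
    patient_id  TEXT NOT NULL,
    action      TEXT NOT NULL,
    resource    TEXT NOT NULL,
    ip          TEXT NOT NULL,
    user_agent  TEXT NOT NULL
);
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_audit_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_access(conn, user_id, patient_id, action, resource, ip, user_agent) -> int:
    """Append one audit row. Values are bound parameters, never interpolated,
    so a hostile User-Agent header cannot turn the audit write into an injection."""
    cur = conn.execute(
        "INSERT INTO audit_log (user_id, patient_id, action, resource, ip, user_agent) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (user_id, patient_id, action, resource, ip, user_agent),
    )
    conn.commit()
    return cur.lastrowid


def row_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]


def attempt_tamper(conn) -> dict:
    """Try the two operations the control must refuse and report what happened."""
    outcome = {}
    for name, stmt in (
        ("update", "UPDATE audit_log SET action = 'READ'"),
        ("delete", "DELETE FROM audit_log"),
    ):
        try:
            conn.execute(stmt)
            conn.commit()
            outcome[name] = "allowed"
        except sqlite3.DatabaseError as exc:  # RAISE(ABORT) surfaces here
            conn.rollback()
            outcome[name] = f"blocked: {exc}"
    return outcome


def accesses_for_patient(conn, patient_id) -> list:
    """Read side: who touched this patient's record, in insertion order."""
    rows = conn.execute(
        "SELECT user_id, action, resource, ip FROM audit_log WHERE patient_id = ? ORDER BY id",
        (patient_id,),
    ).fetchall()
    return [dict(zip(("user_id", "action", "resource", "ip"), r)) for r in rows]


if __name__ == "__main__":
    db = open_audit_db()
    # Constructed sample accesses.
    record_access(db, "dr-1", "patient-001", "READ", "clinical_note/42", "203.0.113.5", "Mozilla/5.0")
    record_access(db, "dr-2", "patient-001", "EXPORT", "record", "198.51.100.9", "curl/8.0")
    print(attempt_tamper(db))
    print(accesses_for_patient(db, "patient-001"))
```

The property worth checking in any deployment is the one attempt_tamper exercises: with the application's own credentials, an UPDATE or DELETE against the audit table must fail and the row count must be unchanged afterwards. Triggers are a weaker substitute than revoked privileges, since a role that can drop triggers can remove them; the page's role-level revocation does not have that gap.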

No LLMs in safety-critical paths

Triage scoring, red-flag detection, and the allergy gate are deterministic. A language model is used only for conversation and summarisation, never for clinical decision-making. Every safety output is reproducible from the same input.
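The fail-closed allergy gate described under "Clinical safety gates that don't fail open" and the reproducibility claim above, as one added example (not Health Hub's engine). The formulary table, allergy classes, patient records and the in-memory audit list are constructed for the example; a real system would read the allergy record from its service and write to the append-only audit table. The gate holds the prescription on every path that cannot prove safety: an unavailable allergy record, a drug with no rule, or a conflict with no typed override reason.

```python
from dataclasses import dataclass

# Constructed sample formulary: drug -> allergy classes it would trigger.
# Cross-reactivity (cefalexin for a penicillin allergy) is written as a rule,
# which is the point: a rule table, not a model, decides.
DRUG_ALLERGY_CLASSES = {
    "amoxicillin": frozenset({"penicillin"}),
    "cefalexin": frozenset({"cephalosporin", "penicillin"}),
    "ibuprofen": frozenset({"nsaid"}),
    "paracetamol": frozenset(),
}


class AllergyServiceUnavailable(Exception):
    """Raised when the allergy record cannot be read (service or store down)."""


@dataclass(frozen=True)
class GateDecision:
    status: str            # "RELEASED", "HELD" or "OVERRIDDEN"
    reason: str
    conflicts: frozenset   # allergy classes the drug would trigger


AUDIT = []  # stand-in for the append-only audit table


def _audit(event: str, **detail):
    AUDIT.append({"event": event, **detail})


def load_allergies(patient_id: str, allergy_store) -> frozenset:
    """Stand-in for the allergy service; allergy_store=None simulates an outage."""
    if allergy_store is None:
        raise AllergyServiceUnavailable(patient_id)
    return frozenset(a.lower() for a in allergy_store.get(patient_id, ()))


def allergy_gate(patient_id, drug, allergy_store, prescriber=None, override_reason=None) -> GateDecision:
    """Deterministic allergy check. Every path that cannot prove safety holds the script."""
    drug = drug.strip().lower()
    try:
        allergies = load_allergies(patient_id, allergy_store)
    except AllergyServiceUnavailable:
        _audit("HELD", patient=patient_id, drug=drug, why="allergy service unavailable")
        return GateDecision("HELD", "allergy record unavailable; prescription held, not released", frozenset())
    classes = DRUG_ALLERGY_CLASSES.get(drug)
    if classes is None:
        _audit("HELD", patient=patient_id, drug=drug, why="drug not in formulary rules")
        return GateDecision("HELD", "no rule for this drug; prescription held", frozenset())
    conflicts = classes & allergies
    if not conflicts:
        _audit("RELEASED", patient=patient_id, drug=drug)
        return GateDecision("RELEASED", "no allergy conflict", frozenset())
    if prescriber and override_reason and override_reason.strip():
        _audit("OVERRIDDEN", patient=patient_id, drug=drug, prescriber=prescriber,
               reason=override_reason.strip(), conflicts=sorted(conflicts))
        return GateDecision("OVERRIDDEN", f"override by {prescriber}: {override_reason.strip()}", conflicts)
    _audit("HELD", patient=patient_id, drug=drug, why="allergy conflict", conflicts=sorted(conflicts))
    return GateDecision("HELD", "allergy conflict; typed clinical reason required to override", conflicts)


def is_reproducible(patient_id, drug, allergy_store, runs: int = 3) -> bool:
    """Same input, same output: what 'reproducible safety output' means concretely."""
    first = allergy_gate(patient_id, drug, allergy_store)
    return all(allergy_gate(patient_id, drug, allergy_store) == first for _ in range(runs - 1))


if __name__ == "__main__":
    store = {"p-001": {"Penicillin"}}       # constructed patient allergy record
    print(allergy_gate("p-001", "Amoxicillin", store))      # HELD, conflict on penicillin
    print(allergy_gate("p-001", "amoxicillin", None))       # HELD, service unavailable
    print(allergy_gate("p-001", "amoxicillin", store, prescriber="dr-1",
                       override_reason="Tolerated amoxicillin 2024; earlier rash was viral"))
```

Two details carry the policy. The outage branch returns HELD rather than falling through to a release, and an override is only accepted with a non-blank reason and a named prescriber, both of which are written to the audit entry before the decision is returned. is_reproducible is the check to run in CI: the decision object compares equal across repeated calls because nothing in the gate depends on time, randomness or a model.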

Independence from any single vendor

No single-vendor lock-in for auth (we built it), payments (Razorpay + M-Pesa + bank fallback), or LLM (provider-abstracted). If a vendor goes down, the platform degrades gracefully; it doesn't disappear.

Compliance posture

Where we stand against the frameworks that matter.

We treat compliance as a property of the architecture, not a periodic audit panic. The matrix is updated quarterly. We publish breach notification protocols in our terms.

Framework | Scope | Status
HIPAA | US patient data shared by enterprise customers | Aligned · BAA available
DPDP Act 2023 | India (digital personal data protection) | Compliant
Kenya Data Protection Act | Kenya | Compliant
Uganda Data Protection & Privacy Act | Uganda | Compliant
Ethiopia Personal Data Protection Proclamation | Ethiopia | Compliant
ABDM standards | Indian health data interoperability (ABHA) | Integrated
ISO 27001 | Information security management | In progress · target 2026
SOC 2 Type II | Security, availability, confidentiality | In progress · target 2026

What we will not do

The list of decisions we have already refused.

Some compromises are tempting at every growth stage. We name them here so we never quietly take them.

We will not sell or monetise patient data, ever, including in anonymised aggregate, without explicit per-cohort consent.
We will not train models on patient transcripts without specific opt-in consent on a per-encounter basis.
We will not let an LLM make a clinical safety decision. The red-flag detector and allergy gate are deterministic.
We will not bypass the allergy gate if the service is unavailable. The prescription is held, never released blindly.
We will not let a doctor consult patients before the medical-council verification status is VERIFIED.
We will not edit a locked clinical record. Addenda are new, signed entries that preserve the original.
We will not route African patient data to Indian databases without explicit, logged consent.
We will not skip a security review for a 'small' release. Every release goes through the same gate.

Incident response

If something goes wrong, here is exactly what happens.

0 to 15 min
On-call engineer paged. Incident channel opened. Status page updated to 'investigating'.
15 to 60 min
Containment. Affected services degraded gracefully or isolated. Patient-safety review begins if clinical paths are involved.
1 to 24 hr
Root cause identified. Affected users notified directly if patient data is involved. Regulators informed within statutory windows (72 h for DPDP/GDPR-class breaches).
1 to 7 days
Public post-mortem published. Architectural change to prevent recurrence merged. Auditor briefed.

Talk to us

Security questions for procurement, investors, or the press?

We respond to security-questionnaire requests within 5 business days. BAA, DPA, and SOC 2 readiness pack available on request.