Data Security & Compliance

Patient data is the most sensitive data in the world. Here's exactly how we protect it.

Security measures

Enterprise-grade security for every clinic, regardless of plan size.

🔐

AES-256 Encryption

All patient data is encrypted at rest using AES-256, the same standard used by banks and governments.

🔒

TLS 1.3 in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3.

🏢

SOC 2 Type II Infrastructure

We host on Supabase (built on AWS), which maintains SOC 2 Type II, ISO 27001, and HIPAA-eligible infrastructure.

👤

Role-Based Access

Strict role-based access controls ensure staff only see data they need. Full audit trails of all data access.

🔍

Regular Security Audits

We conduct quarterly penetration tests and annual third-party security audits.

🛡️

Multi-Factor Authentication

MFA is available for all accounts and mandatory for admin-level access.

Regulatory compliance

We stay current with Indian and international healthcare data regulations.

🇮🇳

India DPDP Act 2023

Compliant

We are aligned with India's Digital Personal Data Protection Act. Patient consent is collected at booking, and data subject rights (access, correction, deletion) are honoured.

🏥

HIPAA Awareness

HIPAA-Aware

While HIPAA is a US law, we adopt its best practices: minimum necessary data, access controls, audit logs, and Business Associate Agreements for relevant integrations.

🌍

GDPR (for EU Users)

Compliant

For clinics with EU patients, we support GDPR data subject rights: access, portability, correction, deletion, and the right to object.

📋

ABDM (Ayushman Bharat)

Integration Ready

We are building ABDM integration for Health ID (ABHA) linking, allowing patients to access their records via the national digital health mission.

Data responsibility: who does what

Clinic (Data Controller)

You decide what patient data to collect, why you collect it, and how long to keep it. You are responsible for patient consent and compliance with applicable local laws.

Chikitshalaya (Data Processor)

We process patient data only as instructed by you (the clinic). We implement technical and organisational measures to keep that data secure, and we never use patient data for our own commercial purposes.

Found a security issue?

We run a responsible disclosure program. If you discover a vulnerability, please report it privately — we'll respond within 24 hours and reward responsible disclosures.

security@chikitshalaya.com