Trust
Your patients' data deserves serious answers.
Clinics don't get to outsource responsibility for patient data — under DPDP, they remain accountable. Our job is to make that responsibility easy to honour. Here is what we do, what we don't do, and what we're still working on.
Six commitments
The non-negotiables. If we ever fall short on one of these, we want you to be able to hold us to it.
Data stays in India
Primary database, replicas, backups, and logs all live on Indian infrastructure. No cross-border transfer of patient data.
Encryption everywhere
TLS 1.3 in transit, AES-256 at rest at the disk level, plus per-column AES-256-GCM for Aadhaar and ABHA. Keys rotate independently of the database.
No silent operator access
Our engineers don't read patient records by default. Any operator-side access is gated, audited in a separate stream, and queryable by the clinic admin.
Audit trail by design
Every change to a patient record is logged with the user, IP, timestamp, and a diff. The audit log is append-only and tamper-evident.
DPDP-aligned consent + erasure
Versioned consent at registration; one-click right-to-erasure that redacts personal identifiers while preserving anonymised clinical continuity.
72-hour breach response
A written incident-response runbook with a named owner, notification template, and quarterly drill. CERT-In aligned.
Where your data lives
Hosting is on infrastructure providers that hold ISO 27001 and SOC 2 Type II certifications, with data residency contractually fixed inside India. Daily encrypted snapshots are retained for 30 days, with a 4-hour restore SLA for the last 24 hours and 24 hours for older snapshots. A quarterly disaster-recovery drill verifies the runbook actually works.
- Primary + read replica in Indian regions
- Nightly encrypted snapshots, 30-day retention
- Quarterly DR drill with documented findings
- Backup encryption keys held separately from the database
How sensitive fields are protected
Disk-level encryption is the floor, not the ceiling. Identifiers that single a person out — Aadhaar, ABHA — get a second layer of column-level AES-256-GCM. Search on those fields uses a deterministic SHA-256 lookup hash, so a database dump on its own does not reveal the underlying value.
- AES-256-GCM at the column level for Aadhaar + ABHA
- SHA-256 lookup hash for indexed search without plaintext
- Keys managed in a KMS, rotated independently of the DB
- Application-level Row-Level Security so tenants can never see each other's data
Who can see your records
Clinic-staff access is governed by role-based permissions you configure. Operator-side access (us) is gated by a separate authorisation flow, every event lands in a dedicated operator-audit stream, and the clinic admin can query it like any other audit row. "A vendor employee read this record" is a question we want you to be able to answer in one click.
- Role-based access for clinic staff (Receptionist, Doctor, Admin)
- Operator access requires written authorisation per incident
- Operator-audit stream stored separately from clinic audit
- Admin console exposes the operator-audit feed to the clinic
DPDP Act 2023 commitments
We treat DPDP as the baseline, not the goal. Consent is versioned and stored on the patient record. Erasure is a first-class admin action that redacts personal fields while keeping anonymised clinical continuity. Breach notification follows the CERT-In 72-hour window, with a written runbook and a named owner.
- Versioned consent capture at every new registration
- One-click right-to-erasure flow with audit
- Documented retention policy per data category
- 72-hour breach notification runbook + quarterly drill
Building, deploying, and operating securely
Security is enforced in the pipeline, not just at runtime. Every pull request runs typecheck, lint with a custom rule that flags un-tenanted database queries, and the full test suite — including a regression test that proves Row-Level Security blocks cross-tenant reads. Production deploys go through a documented checklist with rollback verified.
- Custom ESLint rule blocking un-tenanted Prisma queries at PR time
- Cross-tenant RLS enforcement covered by a regression test
- Rate limits on sensitive endpoints (ABDM, PDF generation)
- Production deploy runbook with rollback rehearsal
Where we are, honestly
We'd rather under-promise than oversell certifications we haven't earned yet. Here is the actual posture today.
In production today
TLS 1.3, disk encryption, column encryption for Aadhaar/ABHA, audit trail, role-based access, RLS regression test, custom lint rule, operator-audit stream, right-to-erasure, rate limits, 72-hour breach runbook.
Currently being formalised
External penetration test (planned for Q3); SOC 2 Type II readiness assessment; ABDM production credential application (sandbox flows live).
On the roadmap
Independent ISO 27001 certification; bug-bounty programme; customer-facing trust report (per-customer audit export).
Reporting a vulnerability
If you find a security issue, write to security@meddeskos.com. We acknowledge within one business day and respond with a triage outcome within five. We do not pursue good-faith researchers; please give us a reasonable window before public disclosure.
Want the deeper version?
Our DPDP-compliance walkthrough, the EMR buying guide, and a 20-minute demo all go deeper. Pick whichever matches where you are.
अपने क्लीनिक के डेटा के साथ MedDeskOS चलते हुए देखें।
20-मिनट स्क्रीन-शेयर। हम आपकी सेवा सूची से एक sandbox बनाकर देंगे — बिना जोखिम के क्लिक करें।