Skip to content
MedDeskOS — Doctor-owned clinical OS

Trust

Your patients' data deserves serious answers.

Clinics don't get to outsource responsibility for patient data — under DPDP, they remain accountable. Our job is to make that responsibility easy to honour. Here is what we do, what we don't do, and what we're still working on.

Six commitments

The non-negotiables. If we ever fall short on one of these, we want you to be able to hold us to it.

Data stays in India

Primary database, replicas, backups, and logs all live on Indian infrastructure. No cross-border transfer of patient data.

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest at the disk level, plus per-column AES-256-GCM for Aadhaar and ABHA. Keys rotate independently of the database.

No silent operator access

Our engineers don't read patient records by default. Any operator-side access is gated, audited in a separate stream, and queryable by the clinic admin.

Audit trail by design

Every change to a patient record is logged with the user, IP, timestamp, and a diff. The audit log is append-only and tamper-evident.

DPDP-aligned consent + erasure

Versioned consent at registration; one-click right-to-erasure that redacts personal identifiers while preserving anonymised clinical continuity.

72-hour breach response

A written incident-response runbook with a named owner, notification template, and quarterly drill. CERT-In aligned.

Where your data lives

Hosting is on infrastructure providers that hold ISO 27001 and SOC 2 Type II certifications, with data residency contractually fixed inside India. Daily encrypted snapshots are retained for 30 days, with a 4-hour restore SLA for the last 24 hours and 24 hours for older snapshots. A quarterly disaster-recovery drill verifies the runbook actually works.

  • Primary + read replica in Indian regions
  • Nightly encrypted snapshots, 30-day retention
  • Quarterly DR drill with documented findings
  • Backup encryption keys held separately from the database

How sensitive fields are protected

Disk-level encryption is the floor, not the ceiling. Identifiers that single a person out — Aadhaar, ABHA — get a second layer of column-level AES-256-GCM. Search on those fields uses a deterministic SHA-256 lookup hash, so a database dump on its own does not reveal the underlying value.

  • AES-256-GCM at the column level for Aadhaar + ABHA
  • SHA-256 lookup hash for indexed search without plaintext
  • Keys managed in a KMS, rotated independently of the DB
  • Application-level Row-Level Security so tenants can never see each other's data

Who can see your records

Clinic-staff access is governed by role-based permissions you configure. Operator-side access (us) is gated by a separate authorisation flow, every event lands in a dedicated operator-audit stream, and the clinic admin can query it like any other audit row. "A vendor employee read this record" is a question we want you to be able to answer in one click.

  • Role-based access for clinic staff (Receptionist, Doctor, Admin)
  • Operator access requires written authorisation per incident
  • Operator-audit stream stored separately from clinic audit
  • Admin console exposes the operator-audit feed to the clinic

DPDP Act 2023 commitments

We treat DPDP as the baseline, not the goal. Consent is versioned and stored on the patient record. Erasure is a first-class admin action that redacts personal fields while keeping anonymised clinical continuity. Breach notification follows the CERT-In 72-hour window, with a written runbook and a named owner.

  • Versioned consent capture at every new registration
  • One-click right-to-erasure flow with audit
  • Documented retention policy per data category
  • 72-hour breach notification runbook + quarterly drill

Building, deploying, and operating securely

Security is enforced in the pipeline, not just at runtime. Every pull request runs typecheck, lint with a custom rule that flags un-tenanted database queries, and the full test suite — including a regression test that proves Row-Level Security blocks cross-tenant reads. Production deploys go through a documented checklist with rollback verified.

  • Custom ESLint rule blocking un-tenanted Prisma queries at PR time
  • Cross-tenant RLS enforcement covered by a regression test
  • Rate limits on sensitive endpoints (ABDM, PDF generation)
  • Production deploy runbook with rollback rehearsal

Where we are, honestly

We'd rather under-promise than oversell certifications we haven't earned yet. Here is the actual posture today.

Live

In production today

TLS 1.3, disk encryption, column encryption for Aadhaar/ABHA, audit trail, role-based access, RLS regression test, custom lint rule, operator-audit stream, right-to-erasure, rate limits, 72-hour breach runbook.

In progress

Currently being formalised

External penetration test (planned for Q3); SOC 2 Type II readiness assessment; ABDM production credential application (sandbox flows live).

Planned

On the roadmap

Independent ISO 27001 certification; bug-bounty programme; customer-facing trust report (per-customer audit export).

Reporting a vulnerability

If you find a security issue, write to security@meddeskos.com. We acknowledge within one business day and respond with a triage outcome within five. We do not pursue good-faith researchers; please give us a reasonable window before public disclosure.

PGP key on request Coordinated disclosure No legal action for good-faith research

Want the deeper version?

Our DPDP-compliance walkthrough, the EMR buying guide, and a 20-minute demo all go deeper. Pick whichever matches where you are.

अपने क्लीनिक के डेटा के साथ MedDeskOS चलते हुए देखें।

20-मिनट स्क्रीन-शेयर। हम आपकी सेवा सूची से एक sandbox बनाकर देंगे — बिना जोखिम के क्लिक करें।