Security & Compliance
How we protect your data and your patients' data.
Encryption
- AES-256 encryption for data at rest (Google Cloud default)
- TLS 1.3 for all data in transit
- Audio recordings encrypted in transit and at rest, deleted after transcription
- Encryption keys managed via Google Cloud KMS
Data Hosting
- Primary database and storage hosted on Google Cloud (asia-south1, Mumbai)
- AI processing uses third-party APIs (OpenAI, Sarvam AI) — data may be processed outside India
- Daily automated database backups
- Infrastructure runs on Google Cloud’s SOC 2 Type II certified platform
Doctor Verification
- Automated NMC (National Medical Commission) register lookup during signup
- State Medical Council cross-referencing
- Unverified accounts have restricted access to clinical features
Access Controls
- Role-based access control (RBAC) — doctors only see their own patient data
- Per-clinic tenant isolation with separate database credentials
- JWT-based authentication with session expiry
- All API endpoints require authentication
Data Retention
- Clinical records retained for a minimum of 3 years per ICMR guidelines
- Audio recordings deleted immediately after transcription (within minutes)
- Doctors can request full data export or account deletion
- Account data retained for 90 days after deletion request before purging
AI Models — Clinical Notes & Prescriptions
- OpenAI GPT-4o — clinical notes, prescriptions, and treatment plans
- OpenAI GPT-4o-mini — intent detection and search classification
- Sarvam AI Saaras v3 — speech-to-text in 23 Indian languages
- All AI outputs are decision support only — the treating doctor must review and approve
Indian IT Act Compliance
- Reasonable security practices followed per IT Act 2000, Section 43A
- Sensitive personal data handled per Information Technology Rules 2011
- Privacy policy publicly available
- Doctors are data controllers; SimplisLabs acts as data processor
For security concerns or to report a vulnerability, contact security@simplis.in