Trust & Compliance

Patient data deserves real protection.

Medrita handles some of the most sensitive data a software product can touch. This page is the single source of truth for our security posture, AI governance, data residency, subprocessors, and certification roadmap — updated as we add capabilities.

Last updated · 29 May 2026

Compliance posture

Where we stand.

Every standard relevant to a clinic management SaaS in India — with our honest status. "Live" means in effect today. "In progress" means being implemented. "Roadmap" means we'll get there as we scale.

DPDP Act 2023 (India)
Privacy notice, consent capture, breach reporting workflow, and Data Fiduciary obligations for clinic and patient data.
Status: In progress

IT Act 2000 & SPDI Rules 2011 (India)
Reasonable security practices for Sensitive Personal Data or Information, including health data.
Status: Compliant

ISO 27001 · Information Security
Information Security Management System. The de facto safe harbor under SPDI Rules and required by most enterprise clinic customers.
Status: In progress

ISO 27701 · Privacy
Extends ISO 27001 for privacy management — aligned to DPDP Act and GDPR. Started after 27001 certification.
Status: Roadmap

SOC 2 Type II
Independent attestation of security and availability controls — for enterprise and international customers.
Status: Roadmap

HIPAA readiness (US)
For Medrita deployments serving US clinics or storing US patient data — including BAAs with all subprocessors.
Status: Roadmap

CDSCO (India Medical Devices)
Medrita's AI features are positioned as clinical decision support reviewed by a licensed doctor — never auto-execution. We monitor classification as AI features evolve.
Status: Monitored

Security architecture

Built into the platform, not bolted on.

Encryption in transit & at rest

TLS 1.2+ on every connection. AES-256 at rest for all stored data, with managed keys rotated periodically.

Strict tenant isolation

Every record is scoped to a clinic at the data layer. One clinic cannot ever query another's data — enforced in code, not policy.

RBAC + row-level security

Every API endpoint is permission-checked. Associate doctors are automatically restricted to their own patients and bookings.

MFA + secure sessions

TOTP-based MFA, JWT in HttpOnly cookies, backup codes. CAPTCHA on login. Password hashing with industry-standard work factors.

Full audit logging

Every patient-data change is logged with timestamp, acting user, and field-level before/after diff. Tamper-evident and queryable.
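As an added illustration of the audit-logging claim above (example code, not Medrita's own implementation), the sketch below records a field-level before/after diff per change and chains each entry to the previous one by hash, so verify() fails if any earlier entry is edited or removed. Clinic, record and actor identifiers are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

def field_diff(before: dict, after: dict) -> dict:
    """Field-level before/after diff: only the fields whose value changed."""
    keys = set(before) | set(after)
    return {k: {"before": before.get(k), "after": after.get(k)}
            for k in sorted(keys) if before.get(k) != after.get(k)}

class AuditLog:
    """Append-only log. Each entry carries the hash of the previous one,
    so editing or deleting an earlier entry breaks the chain on verify()."""
    GENESIS = "0" * 64  # link value for the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON so the hash is reproducible across runs.
        payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()

    def record(self, clinic_id, record_id, actor, before, after, ts=None):
        """Log one patient-data change; returns None if nothing changed."""
        changes = field_diff(before, after)
        if not changes:
            return None
        entry = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "clinic_id": clinic_id, "record_id": record_id, "actor": actor,
            "changes": changes,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; False if any entry was altered."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```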

Observability

Structured logging (Log4j2), error monitoring (Sentry), and uptime monitoring across every service. Incidents triaged within minutes.

AI governance

Six rules we apply to every AI feature.

AI in healthcare carries real consequences. We hold ourselves to a stricter bar than the general-purpose AI tooling industry — and these rules are baked into how we build, not how we market.

Rule 01 · AI assists. A human decides.
Rule 02 · Patient data is never used to train models.
Rule 03 · Every AI suggestion appears in the audit log.
Rule 04 · Optional PII masking before any external AI call.
Rule 05 · No AI feature claims to diagnose.
Rule 06 · Feature flags let clinics turn AI off, per feature, per branch.

Data residency

Your patients' data stays in India.

For Indian clinics, all primary data — patient records, clinical notes, bookings, prescriptions, audit logs — is stored in AWS Mumbai (ap-south-1). Backups are replicated to a second Indian region.

  • Primary region: AWS Mumbai (ap-south-1)
  • Backups: daily, retained 30 days, encrypted at rest
  • AI calls: minimal context only, with optional PII masking
  • Export: full patient data export available on request

Retention

Data                Retained for
Patient records     Until clinic deletes
Audit logs          Term + 12 months
Backups             30 days rolling
After cancellation  30 days, then deleted
Voice recordings    Discarded post-transcript

Subprocessors

Every third party that touches your data.

Listed in full. Updated when we add or remove any vendor. We notify clinic admins of material changes by email.

Vendor · Region
Purpose

Amazon Web Services · Mumbai (ap-south-1)
Cloud infrastructure — compute, database, storage, networking. The primary host for all clinic data.

AWS Simple Email Service · Mumbai (ap-south-1)
Transactional email — booking confirmations, reminders, post-visit care notes.

AWS S3 · Mumbai (ap-south-1)
File storage — clinic logos, doctor photos, banner images, prescription PDFs.

Sentry · EU / US
Application error monitoring. Configured to scrub identifiers from error payloads.

Anthropic · US
AI model provider for triage, prescription assist, voice-to-notes, and plain-English insights. Zero training-on-customer-data terms.

Razorpay · India
Payment processing for clinic subscriptions. PCI-DSS compliant. No card data touches Medrita servers.

Responsible disclosure

Found a security issue? Tell us.

We take security reports seriously. Email security@medrita.com with details — we acknowledge within 48 hours and work with you to verify and fix.

  • Acknowledgement within 48 hours
  • Initial assessment within 5 business days
  • We will not pursue researchers acting in good faith
  • Credit in our advisories when requested

Contacts

Who to email.

Security reports
security@medrita.com

Vulnerabilities, suspected breaches, security questionnaires.

Privacy & data rights
privacy@medrita.com

DPDP requests, data export, deletion, processing inquiries.

Compliance & legal
compliance@medrita.com

DPAs, subprocessor questionnaires, audit requests.

For your IT & procurement teams

Want a deeper conversation?

We're happy to walk your IT, compliance, or procurement team through architecture diagrams, penetration test summaries, and our DPA template.