Trust & security

Patient data deserves better than "trust us".

Real encryption, real compliance, real audit logs — and a real list of every vendor that touches your data. Built so cautious doctors stay cautious about everything except us.

256-bit AES encryption
99.95% uptime SLA (Hospital plan)
15 min backup interval
<24h critical patch SLA
Certifications & frameworks

Compliant in the regions you operate.

eClinicPro is built to the healthcare privacy and security standards of every region we serve. Audit reports and DPAs are available on demand.

🛡️HIPAA
🛡️GDPR
🛡️DPDP 2023
🛡️SOC 2 Type II
🛡️ISO 27001
🛡️HL7 FHIR R4
🛡️PIPEDA
🛡️POPIA
🛡️HDS (FR)
Nine pillars of trust

How we protect every record.

Encryption everywhere

AES-256 at rest. TLS 1.3 in transit. Per-clinic keys, rotated quarterly. Field-level encryption for the most sensitive data (allergies, diagnoses, mental health notes).
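As an added illustration (not eClinicPro's code, whose internals this page does not publish), the following Go program shows how per-clinic keys, field-level encryption and quarterly rotation fit together: each sensitive field is sealed with AES-256-GCM under the clinic's current key, the key version is stored in front of the ciphertext, and the GCM associated data binds the value to its clinic, patient and field so a ciphertext cannot be moved into another patient's row. Rotation then means adding a key, not re-encrypting every record in the same instant; the old version stays readable until a background job has rewritten the rows still on it. The names Keyring, FieldAAD and the sample identifiers are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Keyring is one clinic's AES-256 keys, indexed by version. The newest
// version encrypts; every retained version can still decrypt, which is
// what allows rotation without a stop-the-world re-encryption.
// (Illustrative type, not eClinicPro's implementation.)
type Keyring struct {
	current uint32
	keys    map[uint32][]byte
}

// NewKeyring returns a ring holding a single fresh key (version 1).
func NewKeyring() (*Keyring, error) {
	kr := &Keyring{keys: map[uint32][]byte{}}
	return kr, kr.Rotate()
}

// Rotate generates a new random 256-bit key and makes it the current one.
func (kr *Keyring) Rotate() error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	kr.current++
	kr.keys[kr.current] = k
	return nil
}

func (kr *Keyring) aead(version uint32) (cipher.AEAD, error) {
	k, ok := kr.keys[version]
	if !ok {
		return nil, fmt.Errorf("key version %d is not available", version)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// FieldAAD is the associated data for one field of one patient record.
// Because it is covered by the GCM tag, a ciphertext copied into another
// patient's row or another column fails authentication on decrypt.
func FieldAAD(clinicID, patientID, field string) []byte {
	return []byte(clinicID + "|" + patientID + "|" + field)
}

// EncryptField seals a value as version(4) || nonce(12) || ciphertext||tag.
func (kr *Keyring) EncryptField(plaintext, aad []byte) ([]byte, error) {
	g, err := kr.aead(kr.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(nonce)+len(plaintext)+g.Overhead())
	binary.BigEndian.PutUint32(out, kr.current)
	out = append(out, nonce...)
	return g.Seal(out, nonce, plaintext, aad), nil
}

// DecryptField reads the version prefix, selects that key and opens the value.
func (kr *Keyring) DecryptField(blob, aad []byte) ([]byte, error) {
	version, err := KeyVersion(blob)
	if err != nil {
		return nil, err
	}
	g, err := kr.aead(version)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < 4+ns+g.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[4:4+ns], blob[4+ns:], aad)
}

// KeyVersion reports which key sealed a stored value, so a re-encryption
// job can find the rows still depending on a key that is due to retire.
func KeyVersion(blob []byte) (uint32, error) {
	if len(blob) < 4 {
		return 0, errors.New("ciphertext too short")
	}
	return binary.BigEndian.Uint32(blob[:4]), nil
}

func main() {
	kr, _ := NewKeyring()
	aad := FieldAAD("clinic-1", "patient-42", "diagnosis") // constructed sample IDs
	ct, _ := kr.EncryptField([]byte("asthma"), aad)
	_ = kr.Rotate() // quarterly rotation: new writes use key 2, key 1 still reads
	pt, err := kr.DecryptField(ct, aad)
	fmt.Printf("%s (version %d) err=%v\n", pt, func() uint32 { v, _ := KeyVersion(ct); return v }(), err)
}
```

The per-clinic keys themselves would in practice be wrapped by a KMS or HSM key and never stored beside the data; the example keeps them in memory only to show the versioning and binding logic.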

Compliant by default

HIPAA (US), GDPR (EU/UK), DPDP (India), PIPEDA (Canada), POPIA (South Africa), HDS (France). Region-aware data residency.

You own your data

Export everything as portable JSON, CSV, or HL7 FHIR — anytime, free. Delete your account and we erase within 30 days, audit-logged.

Granular access control

Roles for doctor, nurse, receptionist, accountant, owner. Per-action permissions. Time-limited access for locums.

Audit trail forever

Every read, write, and export is logged with user, IP, device, and timestamp. Tamper-evident, exportable on demand.
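"Tamper-evident" is the property that matters here: an administrator with database access must not be able to edit, reorder or drop an audit entry without the change being detectable. As an added example (not eClinicPro's schema or code), the Go program below records the fields the page lists (user, IP, device, timestamp) plus the action and target, chains each entry to the previous one by hash, and keys the hash with an HMAC secret the application holds and the database user does not. Verify recomputes the chain and reports the first entry that was edited, removed or reordered; comparing against a separately recorded head hash is what additionally catches entries silently dropped from the end. Field names, the key and the sample events are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Entry is one audit record plus the two fields that make the log a chain.
// Illustrative type, not eClinicPro's actual schema.
type Entry struct {
	Seq       uint64
	Timestamp string // RFC 3339, UTC
	User      string
	IP        string
	Device    string
	Action    string // "read", "write", "export", ...
	Target    string // e.g. "patient/42"
	PrevHash  string // hex hash of the previous entry, "" for the first
	Hash      string // hex HMAC-SHA256 over every field above
}

// canonical serialises the hashed fields in a fixed order so the same entry
// always hashes the same way regardless of how it was stored or exported.
func canonical(e Entry) []byte {
	return []byte(fmt.Sprintf("%d\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n",
		e.Seq, e.Timestamp, e.User, e.IP, e.Device, e.Action, e.Target, e.PrevHash))
}

func entryMAC(key []byte, e Entry) string {
	m := hmac.New(sha256.New, key)
	m.Write(canonical(e))
	return hex.EncodeToString(m.Sum(nil))
}

// Log is an append-only, hash-chained audit log.
type Log struct {
	key     []byte
	Entries []Entry
}

func NewLog(key []byte) *Log { return &Log{key: key} }

// Append records one event and links it to the entry before it.
func (l *Log) Append(ts time.Time, user, ip, device, action, target string) Entry {
	e := Entry{
		Seq:       uint64(len(l.Entries)),
		Timestamp: ts.UTC().Format(time.RFC3339),
		User:      user, IP: ip, Device: device, Action: action, Target: target,
	}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	e.Hash = entryMAC(l.key, e)
	l.Entries = append(l.Entries, e)
	return e
}

// Head is the latest hash. Recording it somewhere the database cannot
// rewrite (a customer export, a separate store) lets Verify detect truncation.
func (l *Log) Head() string {
	if len(l.Entries) == 0 {
		return ""
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Verify recomputes every hash and link. It fails on an edited field, a
// removed or reordered entry, and, when expectedHead is non-empty, on a
// log cut short after that head was recorded.
func Verify(key []byte, entries []Entry, expectedHead string) error {
	prev := ""
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return fmt.Errorf("entry %d: sequence number %d, entry missing or reordered", i, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: does not chain to the previous hash", i)
		}
		if !hmac.Equal([]byte(e.Hash), []byte(entryMAC(key, e))) {
			return fmt.Errorf("entry %d: contents do not match stored hash", i)
		}
		prev = e.Hash
	}
	if expectedHead != "" && prev != expectedHead {
		return fmt.Errorf("log ends at %s, recorded head differs", prev[:8])
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-hmac-key") // illustrative only, not a real secret
	l := NewLog(key)
	t0 := time.Date(2024, 6, 1, 9, 0, 0, 0, time.UTC) // constructed sample events
	l.Append(t0, "dr.rao", "203.0.113.7", "ipad-3", "read", "patient/42")
	l.Append(t0.Add(time.Minute), "dr.rao", "203.0.113.7", "ipad-3", "write", "patient/42")
	l.Append(t0.Add(2*time.Minute), "reception", "203.0.113.9", "desk-1", "export", "patient/42")
	fmt.Println("intact:", Verify(key, l.Entries, l.Head()))
	edited := append([]Entry(nil), l.Entries...)
	edited[1].IP = "198.51.100.1"
	fmt.Println("edited:", Verify(key, edited, l.Head()))
}
```

Note what the chain alone does not give you: a log truncated after its last legitimate entry still verifies unless the head hash was recorded out of band, which is why the export on demand mentioned above is worth keeping as an independent copy.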

Data residency you choose

Pick where your data lives: US, EU, India, UAE, Singapore. It never leaves that region — not for backups, not for analytics.

Resilient infrastructure

99.95% uptime SLA (Hospital plan). Three-region failover. Backups every 15 minutes, restorable to any point in the last 90 days.

Independently tested

Quarterly third-party penetration tests. Annual SOC 2 Type II audit. Public bug bounty up to $25,000 per critical finding.

Vendor & sub-processor list

A short, public list of every vendor that touches your data. We notify you 30 days before any change.

Internal practices

What we do behind the scenes.

Security isn't a feature — it's the daily operating system. Here's how the team works.

Background checks for every employee

Every eClinicPro employee undergoes a criminal background check and signs an enforceable confidentiality agreement; nobody receives production access without both.

Zero-trust internal network

No long-lived credentials. Production access is mediated through a session-based broker with mandatory MFA, full session recording, and per-action approval for sensitive operations.

Quarterly disaster recovery drills

Every quarter we simulate a full region failure, restore from backups, and measure RTO/RPO. The results are published to enterprise customers.

Annual SOC 2 Type II audit

Independent audit covering security, availability, confidentiality, and privacy. Reports available under NDA.

Subprocessor transparency

A public list of every vendor that touches customer data. We notify in advance of any change with a 30-day window to object.

Phishing-resistant MFA mandatory

WebAuthn / passkeys for all employees. SMS-only MFA is not permitted internally and not recommended for clinics.

Documents you can download

No sales calls. No NDA, except for the SOC 2 Type II report.

The BAA, DPA and DPDP processor agreement your compliance officer asks for download instantly from your dashboard; the SOC 2 Type II report is released under NDA.

Security FAQ

The hard questions, answered honestly.

Where is my data stored?
You choose your region at signup: US, EU (Frankfurt), India (Mumbai), UAE, or Singapore. Data, backups, and analytics never leave that region.

Who can see patient data?
Only the people you grant access to in your clinic, plus a small on-call engineering team when responding to a support ticket you opened, and only with your explicit consent for that ticket. Every access is logged.

Can a patient's data be erased?
The right to erasure (GDPR Article 17; DPDP) is built in. Delete the patient record and the data is purged from production within 24 hours and from backups within 30 days, with a tamper-evident deletion certificate.

How do I export my data?
Go to Settings → Export. You get a signed ZIP containing every patient record, prescription, invoice, and attachment as portable JSON, HL7 FHIR R4, and PDF. No fee, no lock-in.

Is patient data used to train AI models?
No. Patient data is never used to train models, ours or anyone else's. AI assistants that work on your data run inside your data-residency region and retain nothing after the session ends.

Do you sign a BAA or DPA?
Yes. The BAA (HIPAA), DPA (GDPR), and India DPDP processor agreement are available on all paid plans. Download them instantly from your dashboard; no sales call required.

Ready to run your clinic beautifully?

Join 2,847 clinics across India. Start free in 2 minutes.
No credit card. No phone-tag with sales. Just a clean clinic.