1. Our Security Architecture
prajnaScan is built with a security-first approach. All patient and clinic data is protected by multiple layers of technical and organisational controls throughout the data lifecycle.
Encryption
- At rest: AES-256 encryption for all stored data, including patient records, triage logs, and AI outputs.
- In transit: TLS 1.3 enforced for all API calls and data transfers between components. Plain HTTP connections are not accepted.
Access Control
- Role-Based Access Control (RBAC) ensures every user sees only what their role permits.
- Doctor pre-diagnosis notes are accessible to licensed clinicians only — front-desk staff and patients cannot access them.
- All admin actions require multi-factor authentication (MFA).
Audit Trails
- Immutable audit logs record every data access, modification, and export event.
- Logs are retained for 7 years in compliance with medical record requirements.
- Anomaly detection alerts are configured for unusual access patterns.
2. Compliance Standards
DPDP Act 2023 (India)
prajnaScan is built in alignment with India's Digital Personal Data Protection Act 2023. We treat patient health data as "sensitive personal data" under the Act and apply the highest available protections. Data Fiduciary obligations are fulfilled by AlakhAgam India Pvt. Ltd. as the primary data principal.
ISO 27001-Aligned Controls
Our information security management practices follow ISO 27001 principles covering risk assessment, asset management, physical security, access management, and supplier relationships. Formal ISO 27001 certification is on our 2026 roadmap.
HIPAA-Inspired Safeguards
Although prajnaScan operates under Indian law, we voluntarily adopt HIPAA-inspired administrative, physical, and technical safeguards for patient health data — including minimum necessary access principles, workforce training, and regular risk analyses.
3. Data Governance
Retention Policy
Patient records are retained for a minimum of 7 years from the date of the last clinical interaction, consistent with India's medical records guidelines. After expiry, records are automatically anonymised and archived, or securely deleted at the clinic's request.
Anonymisation
An automated anonymisation pipeline removes or pseudonymises all direct identifiers (name, phone, Aadhaar) from records used for AI model improvement. No identifiable patient data is used in model training without explicit, documented consent.
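The pipeline described above, as an added illustration that is not prajnaScan's own code: the name field is dropped, phone and Aadhaar are replaced by keyed HMAC pseudonyms (same patient, same token; not reversible without the key), records without documented consent are excluded, and a final check confirms no raw identifier survives. The key, field names and sample record are constructed assumptions.

```python
import hmac
import hashlib
import re
from typing import Optional

# Constructed example key. A real deployment would fetch this from a key
# vault; the page does not describe prajnaScan's key management.
PSEUDONYM_KEY = b"example-key-not-for-production"

DROP_FIELDS = ("name",)                 # removed outright
PSEUDONYMISE_FIELDS = ("phone", "aadhaar")  # replaced by keyed tokens

def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256: stable token per identifier for longitudinal
    linkage, but not invertible without the key (unlike a plain hash)."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "psn_" + digest[:16]

def anonymise_record(record: dict) -> Optional[dict]:
    """Return a de-identified copy, or None when the record lacks explicit,
    documented consent for use in model improvement."""
    if not record.get("consent_model_improvement"):
        return None
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in PSEUDONYMISE_FIELDS and value:
            # Normalise to digits so "+91 98765 43210" and "+91-98765-43210"
            # map to the same token before hashing.
            out[field] = pseudonymise(re.sub(r"\D", "", str(value)))
        else:
            out[field] = value
    return out

def contains_direct_identifier(out: dict, original: dict) -> bool:
    """Post-anonymisation leak check: does any original direct identifier
    (raw or digits-only) still appear verbatim in the output values?"""
    flat = " ".join(str(v) for v in out.values())
    for field in DROP_FIELDS + PSEUDONYMISE_FIELDS:
        raw = original.get(field)
        if not raw:
            continue
        digits = re.sub(r"\D", "", str(raw))
        if str(raw) in flat or (digits and digits in flat):
            return True
    return False

# Constructed sample record with fictional values.
SAMPLE = {
    "clinic_id": "clinic-a",
    "name": "Test Patient",
    "phone": "+91 98765 43210",
    "aadhaar": "1234 5678 9012",
    "triage_note": "sore throat, 2 days",
    "consent_model_improvement": True,
}
```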
Data Isolation
Each clinic's data is logically isolated. There is no cross-clinic patient data sharing — a patient registered at Clinic A is not visible to Clinic B, even within the same organisation.
4. Infrastructure
Azure India (Central & South)
All patient and clinical data is hosted exclusively on Microsoft Azure India regions (Central India — Pune, South India — Chennai). No patient data leaves Indian sovereign territory. This ensures compliance with DPDP Act data localisation principles.
Network Security
- Private Virtual Network (VNet) with strict ingress and egress rules.
- Web Application Firewall (WAF) protecting all public-facing endpoints.
- Azure DDoS Protection Standard enabled on all production resources.
- Zero-trust network architecture: internal services do not trust each other by default.
5. Incident Response
In the event of a suspected or confirmed security incident affecting personal data:
- Affected clinics and individuals will be notified within 72 hours of detection, as required under DPDP Act 2023.
- Our incident response runbook defines containment, eradication, recovery, and post-incident review steps.
- A designated Data Protection Officer (DPO) oversees all breach investigations and regulatory notifications.
6. Contact
For security-related inquiries, vulnerability disclosures, or compliance questions:
AlakhAgam India Pvt. Ltd. — Security Team
Email: security@alakhagam.com
Website: www.alakhagam.com