Security is a core responsibility at HealthCRM Technologies Pvt. Ltd. We handle sensitive patient and clinical data on behalf of healthcare organisations, and we take that responsibility seriously. This page describes our security architecture, practices, and commitments.
If you have discovered a security vulnerability, please see Section 9 (Responsible Disclosure) before reporting it.
1. Infrastructure Security
HealthCRM is built on Supabase, which runs on industry-leading cloud infrastructure with the following protections:
- Hosting: All data is stored on servers located in secure, access-controlled data centres
- Network isolation: The database layer is not publicly accessible; only the application layer can communicate with it through encrypted private network channels
- DDoS protection: Built-in denial-of-service mitigation at the infrastructure level
- Firewall: Strict firewall rules — only required ports and protocols are allowed
- Uptime monitoring: 24/7 automated health checks with on-call alerting
2. Data Encryption
| Layer | Standard | Details |
|---|---|---|
| Data in transit | TLS 1.2 / 1.3 | All communication between clients and servers is encrypted. HTTP is redirected to HTTPS. |
| Data at rest | AES-256 | All database files, backups, and storage objects are encrypted at the disk level. |
| Passwords | bcrypt | User passwords are never stored in plaintext. Only salted hashes are retained. |
| API tokens | Short-lived JWTs | Access tokens are short-lived JWTs with a fixed expiry. Refresh tokens are rotated on each use, so a previously issued refresh token stops working once it has been exchanged. |
3. Access Controls
Data access is enforced at multiple layers:
- Organisation isolation: Every database table includes an `organization_id` column, and PostgreSQL Row-Level Security (RLS) policies keyed on that column are evaluated by the database on every query. No organisation can read, write, or delete another organisation's data, even if the application layer has a bug, because the check does not depend on application code.
- Role-based access: Within an organisation, users are assigned roles (Owner, Admin, Member) that restrict which features and data they can access.
- Audit logging: Every significant action — logins, data exports, record changes, permission modifications — is logged with user identity, timestamp, IP address, and device. Audit logs cannot be deleted by users.
- Session management: Sessions expire after inactivity and can be revoked remotely by administrators.
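The following schema shows how the organisation-isolation and append-only audit-log controls above look when expressed as PostgreSQL RLS policies on Supabase. It is an added example, not HealthCRM's own schema: the `organization_members` table, the `is_member_of` helper and the `patients` and `audit_log` tables are assumptions about how membership and data are modelled. `auth.users`, `auth.uid()` and the `authenticated` role are provided by Supabase.

```sql
-- Constructed schema for the demonstration (assumed, not HealthCRM's).
create table organization_members (
  organization_id uuid not null,
  user_id         uuid not null references auth.users (id) on delete cascade,
  role            text not null check (role in ('owner', 'admin', 'member')),
  primary key (organization_id, user_id)
);

create table patients (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  full_name       text not null
);

create table audit_log (
  id              bigserial primary key,
  organization_id uuid not null,
  actor_id        uuid not null,
  action          text not null,
  ip_address      inet,
  created_at      timestamptz not null default now()
);

-- Membership test for the caller. Invoker rights and STABLE, so it sees only the
-- organization_members rows that the policy on that table exposes to the caller.
create function is_member_of(org uuid) returns boolean
language sql stable as $$
  select exists (
    select 1 from organization_members
    where organization_id = org and user_id = auth.uid()
  );
$$;

-- ENABLE makes policies apply; FORCE applies them to the table owner as well.
-- With RLS on and no matching policy, every command is denied by default.
alter table organization_members enable row level security;
alter table organization_members force row level security;
alter table patients enable row level security;
alter table patients force row level security;
alter table audit_log enable row level security;
alter table audit_log force row level security;

-- A user may read only their own membership rows.
create policy members_self on organization_members
  for select to authenticated
  using (user_id = auth.uid());

-- Tenant isolation: rows are visible and writable only inside the caller's
-- organisation. WITH CHECK also stops an insert or update from assigning a row
-- to an organisation the caller does not belong to.
create policy tenant_isolation on patients
  for all to authenticated
  using (is_member_of(organization_id))
  with check (is_member_of(organization_id));

-- Audit entries are append-only for users: there is no UPDATE or DELETE policy,
-- so those statements match zero rows under RLS, and the table privileges are
-- revoked as well so a policy added later cannot silently reopen them.
create policy audit_append on audit_log
  for insert to authenticated
  with check (actor_id = auth.uid() and is_member_of(organization_id));
create policy audit_read on audit_log
  for select to authenticated
  using (is_member_of(organization_id));
revoke update, delete, truncate on audit_log from authenticated;

-- Check: list tables in public that are not protected by enabled and forced RLS.
-- Any row returned is a table the isolation guarantee does not cover.
select c.relname, c.relrowsecurity, c.relforcerowsecurity
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r'
  and not (c.relrowsecurity and c.relforcerowsecurity);
```

Run this in the Supabase SQL editor or with psql against the project database. The final query is the check worth keeping in a deployment pipeline: it catches a newly added table that was never given RLS. Two caveats apply to any RLS design: the Supabase `service_role` key, and any Postgres role with `BYPASSRLS`, ignores these policies entirely and must never be shipped to a browser or mobile client; and a `SECURITY DEFINER` function that reads tenant tables runs with its owner's rights, so it needs its own organisation check.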
4. Application Security
Our development practices include:
- Input validation: All user inputs are validated and sanitised server-side to prevent injection attacks
- CSRF protection: Cross-Site Request Forgery protection on all state-changing operations
- Content Security Policy: Strict CSP headers to mitigate XSS risks
- Dependency scanning: Automated scanning of third-party libraries for known vulnerabilities
- Parameterised queries: All database queries use parameterised statements, so user input is bound as data and never interpreted as SQL; this closes the SQL injection class on the application's normal query paths
- Least privilege: Application service accounts have only the minimum database permissions required
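To make the parameterised-query point concrete, here is the vulnerable pattern beside the safe one, both written as PL/pgSQL functions so the difference can be observed directly in PostgreSQL. This is an added example, not HealthCRM's code; the `patients` table, its rows and the two function names are constructed for the demonstration.

```sql
-- Constructed table and data for the demonstration.
create table patients (
  id              serial primary key,
  organization_id uuid not null,
  full_name       text not null
);
insert into patients (organization_id, full_name) values
  ('11111111-1111-1111-1111-111111111111', 'Asha Rao'),
  ('22222222-2222-2222-2222-222222222222', 'Vikram Iyer');

-- Vulnerable: the caller's value is spliced into the SQL text, so the database
-- parses it as SQL. A value such as  ' or '1'='1  turns the statement into
--   select * from patients where full_name = '' or '1'='1'
-- whose predicate is true for every row in the table.
create function find_patient_unsafe(p_name text)
returns setof patients language plpgsql as $$
begin
  return query execute
    'select * from patients where full_name = ''' || p_name || '''';
end $$;

-- Hardened: the value is passed with USING and bound to $1 at execution time.
-- It is only ever compared as a string and cannot change the statement.
create function find_patient_safe(p_name text)
returns setof patients language plpgsql as $$
begin
  return query execute
    'select * from patients where full_name = $1'
    using p_name;
end $$;

-- The same injection payload against both paths. The SQL literal below
-- encodes the string  ' or '1'='1  (single quotes doubled for the literal).
select * from find_patient_unsafe(''' or ''1''=''1');
select * from find_patient_safe(''' or ''1''=''1');

-- Normal lookup through the safe path.
select * from find_patient_safe('Asha Rao');
```

The first query with the payload returns the whole table, including the other organisation's patient; the second returns nothing, because no patient is literally named `' or '1'='1`. Where a query must be assembled dynamically (for example, a table or column name that cannot be a bind parameter), PostgreSQL's `format()` with `%I` for identifiers and `%L` for literals is the quoting mechanism to use; string concatenation of untrusted input is never acceptable. Application-level client libraries expose the same bound-parameter mechanism, and the Supabase client builds parameterised requests by default.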
5. Backup and Disaster Recovery
- Automated daily backups of all databases with point-in-time recovery
- Backup retention: 90 days
- Backups are encrypted with the same standards as production data
- Restoration procedures are tested quarterly
- Recovery Time Objective (RTO): < 4 hours for critical failures
- Recovery Point Objective (RPO): < 24 hours, bounded by the daily backup; point-in-time recovery allows restoration to a moment between two daily backups within the retention window
6. Employee and Operational Security
- All employees who handle customer data undergo background checks before joining
- Access to production systems is restricted to a minimal number of engineers on a need-to-know basis
- Multi-factor authentication is required for all internal systems
- Privileged access is logged and reviewed regularly
- Employees receive regular security awareness training
7. Incident Response
In the event of a confirmed security breach affecting your data:
- We will notify affected organisations within 72 hours of becoming aware of the breach
- Notification will be sent to the registered account owner email and include: nature of the incident, data affected, steps taken, and recommended actions for you to take
- We will cooperate fully with any regulatory investigation and provide all necessary information
- Post-incident reports will be shared with affected customers upon request
8. Compliance and Standards
Our security programme is aligned with the following frameworks and regulations:
- ISO/IEC 27001 (Information Security Management) — aligned
- OWASP Top 10 — addressed in our application security programme
- Digital Personal Data Protection Act, 2023 (India) — compliant
- General Data Protection Regulation (GDPR) — applicable for EU-based users
- SOC 2 Type II — in progress
9. Responsible Disclosure
If you believe you have found a security vulnerability in HealthCRM, we ask that you:
- Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue
- Do not disclose the issue publicly until we have had a reasonable opportunity to investigate and remediate it
- Report it to us at security@healthcrm.in with a clear description and steps to reproduce
We commit to: acknowledging your report within 48 hours, keeping you informed of our investigation progress, and crediting you in our security acknowledgements (if you wish) upon resolution. We do not take legal action against researchers acting in good faith.
10. Contact
For security inquiries, vulnerability reports, or to request a security questionnaire for vendor assessments, contact us at security@healthcrm.in.