NammaDoctor Logo
NammaDoctor

Security & Trust

Namma Doctor is engineered with a security-first mindset. Even before full electronic medical record (EMR) features are introduced, appointment and queue data are treated as sensitive personal information.

Principles

  • Least Privilege: Internal and service accounts receive only the access they require.
  • Defense in Depth: Layered controls for authentication, authorization, transport security and monitoring.
  • Privacy by Design: Only the data required for booking and operational flow is collected.
  • Auditability: Security-relevant events are structured for future retention and anomaly analysis.

Data Protection

All network communication is encrypted in transit (TLS 1.3 preferred). Stored data is encrypted at rest using industry standard ciphers (AES-256 or provider equivalent). Secrets are never embedded in client bundles.

Access Controls

Role-based segregation ensures administrative tools are isolated from patient booking views. Elevation actions will be logged as auditing capabilities expand.

Secure Development Lifecycle

  • Peer-reviewed changes with automated linting and type safety gates.
  • Dependency health scanning (upgrade policy & vulnerability triage) – internal backlog tracked.
  • Progressive hardening roadmap: threat modeling and secrets scanning integration.

Incident Readiness

Foundational runbooks are maintained for vulnerability disclosure handling and potential data exposure events. Post-incident reviews drive remediation tasks with owners and due dates.

Responsible Disclosure

If you believe you have discovered a vulnerability, email security@navinax.in with a safe, minimal reproduction. Please avoid public disclosure until we assess and address the issue. We aim to acknowledge valid reports within 2 business days.

Subprocessors

A concise list of infrastructure or service providers will be published here as production onboarding finalizes.

Planned Improvements

  • Formal incident communication ladder & drill cadence
  • Periodic access review automation
  • Structured audit log export and tamper safeguards
  • ISO 27001 readiness assessment (target window forthcoming)
  • Health data interoperability alignment (ABDM)

Last updated: 09 Oct 2025 (initial public version)