Healipro
§ 03 Trust & security

The boring details that make this safe.

Eight principles, in plain English. No marketing certifications — we’ll tell you what we do, what we don’t, and what’s on the roadmap. If something here matters to you and isn’t covered, write to us — we want to know.

At a glance

Encryption: TLS 1.3 in transit, AES-256 at rest
2FA: TOTP, mandatory for doctors and clinic admins
Backups: daily, retained 30 days
Multi-tenant: per-tenant query filter applied by the ORM to every query
Audit log: append-only, hash-chained

§ 01

Multi-tenant by construction, not by convention

Every clinical row in our database carries a tenant_id. Every query is filtered by it through a global query filter in the ORM (Entity Framework; step 5 of the request walk-through in § 09). The filter is attached to the data model rather than written into each query, so a new developer cannot accidentally write a query that crosses tenants: the ORM adds the tenant condition before the query reaches the database, and bypassing it takes an explicit, audited call. We run an automated isolation test on every deploy that proves it: tenant A logs in, and tenant B's data must not appear in any list, search, or report.

Worth knowing

Hospitals on our premium tier get a dedicated database instance instead of a shared one, so the tenant boundary is enforced by the database itself as well as by the query filter; same code.

§ 02

Roles that match how your clinic actually works

Six built-in roles — clinic admin, doctor, operator, pharmacist, lab tech, and read-only auditor — each with explicit permissions. A pharmacist can dispense but not prescribe. A lab tech can release results but not change them after a doctor has seen them. An operator can book appointments but cannot read clinical notes.

Worth knowing

On the Hospital tier, custom roles let you mirror your org chart exactly — head of department, junior doctor, registrar, and so on.

§ 03

An audit log that you can actually read

Every patient record open, every encounter edit, every prescription, every lab release, every role change — logged with who, what, when, and from where. Clinic admins see it in a searchable UI. The log is append-only and cryptographically chained, so tampering is detectable.

Worth knowing

On request, we can export your audit log to your own SIEM or storage bucket — read-only, signed JSON Lines.
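What "append-only and cryptographically chained" means in practice, as an added example that is not Healipro's own implementation: each entry's hash covers its fields plus the previous entry's hash, a verifier locates the first edited, removed or reordered entry, and the JSON Lines export carries a keyed trailer so a truncated export is also caught. It assumes .NET 6 or later; the field names, the export key and the trailer format are illustrative assumptions.

```csharp
// Added example (not Healipro's code): a hash-chained append-only audit log, a verifier
// that finds the first broken link, and a signed JSON Lines export. Assumes .NET 6+.
// Field names, the export key and the trailer format are illustrative.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public sealed record AuditEntry(long Seq, long AtUnixMs, string Actor, string Action,
                                string Target, string From, string PrevHash, string Hash);

public sealed class AuditChain
{
    private static readonly string Genesis = new string('0', 64);
    private readonly List<AuditEntry> _entries = new();
    private readonly byte[] _exportKey;   // assumed: shared with the tenant's SIEM to check exports

    public AuditChain(byte[] exportKey) => _exportKey = exportKey;
    public IReadOnlyList<AuditEntry> Entries => _entries;

    private static string Hex(byte[] b) => Convert.ToHexString(b).ToLowerInvariant();

    // The bytes the hash commits to: every field and the previous hash, in a fixed JSON
    // array encoding so the verifier recomputes exactly the same string.
    private static string HashOf(long seq, long at, string actor, string action,
                                 string target, string from, string prevHash) =>
        Hex(SHA256.HashData(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(
            new object[] { seq, at, actor, action, target, from, prevHash }))));

    public AuditEntry Append(string actor, string action, string target, string from, long atUnixMs)
    {
        long seq = _entries.Count + 1;
        string prev = _entries.Count == 0 ? Genesis : _entries[^1].Hash;
        var e = new AuditEntry(seq, atUnixMs, actor, action, target, from, prev,
                               HashOf(seq, atUnixMs, actor, action, target, from, prev));
        _entries.Add(e);          // append only: there is no Update or Remove
        return e;
    }

    // Walks a chain (the live table or an export) and returns the sequence number of the
    // first entry whose hash, link or position is wrong, or 0 if the chain is intact.
    public static long FirstBrokenLink(IEnumerable<AuditEntry> entries)
    {
        string prev = Genesis; long expected = 1;
        foreach (var e in entries)
        {
            if (e.Seq != expected || e.PrevHash != prev) return e.Seq;   // gap, reorder or deletion
            if (HashOf(e.Seq, e.AtUnixMs, e.Actor, e.Action, e.Target, e.From, e.PrevHash) != e.Hash)
                return e.Seq;                                             // edited in place
            prev = e.Hash; expected++;
        }
        return 0;
    }

    // JSON Lines export: one entry per line plus a trailer whose HMAC commits to the
    // count and the last hash, so a truncated or re-tailed export is detectable too.
    public string ExportJsonLines()
    {
        var sb = new StringBuilder();
        foreach (var e in _entries) sb.Append(JsonSerializer.Serialize(e)).Append('\n');
        string last = _entries.Count == 0 ? Genesis : _entries[^1].Hash;
        string mac = Hex(HMACSHA256.HashData(_exportKey, Encoding.UTF8.GetBytes($"{_entries.Count}:{last}")));
        sb.Append(JsonSerializer.Serialize(new { trailer = true, count = _entries.Count, last, mac })).Append('\n');
        return sb.ToString();
    }

    public static List<AuditEntry> ParseJsonLines(string export) =>
        export.Split('\n', StringSplitOptions.RemoveEmptyEntries)
              .Where(line => !line.Contains("\"trailer\":true"))
              .Select(line => JsonSerializer.Deserialize<AuditEntry>(line)!)
              .ToList();
}

public static class AuditDemo
{
    // Three constructed entries, exported and re-parsed: the intact chain verifies to 0,
    // silently changing entry 2's action is caught at 2, deleting entry 2 is caught at 3.
    public static (long intact, long edited, long deleted) Run()
    {
        var chain = new AuditChain(RandomNumberGenerator.GetBytes(32));
        chain.Append("dr.ahmed", "record.open", "patient/1042", "10.0.4.7", 1_700_000_000_000);
        chain.Append("dr.ahmed", "prescription.create", "rx/7731", "10.0.4.7", 1_700_000_060_000);
        chain.Append("admin.sara", "role.change", "user/88", "10.0.4.9", 1_700_000_120_000);

        var exported = AuditChain.ParseJsonLines(chain.ExportJsonLines());
        long intact = AuditChain.FirstBrokenLink(exported);

        var edited = exported.Select(e => e.Seq == 2 ? e with { Action = "record.open" } : e).ToList();
        var deleted = exported.Where(e => e.Seq != 2).ToList();
        return (intact, AuditChain.FirstBrokenLink(edited), AuditChain.FirstBrokenLink(deleted));
    }
}
```

One caveat a reviewer should keep in mind: a hash chain proves that nothing between the genesis entry and the current head has been altered, but it cannot by itself stop someone with write access to the table from rewriting the whole chain consistently. The head therefore has to be anchored somewhere the database cannot reach, which is what the keyed trailer in the export (or a periodically signed checkpoint held by the tenant) provides.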

§ 04

Data lives in UAE North

Azure UAE North is the closest big-cloud region to Pakistan — about 7 ms from Karachi, 12 ms from Lahore. Your data does not leave that region without your explicit, written permission. Backups stay regional. The provider is Microsoft Azure, and the subscription runs only our own software. One caveat worth stating plainly: request traffic is terminated and re-encrypted at Cloudflare's edge on its way in (§ 09, step 2), so the residency commitment above is about the data we store and back up, not about every network hop a request takes.

Worth knowing

When in-country sovereign cloud becomes commercially viable in Pakistan, we will move with it. We have built nothing that would block that move.

§ 05

Encrypted in transit. Encrypted at rest. Separately key-protected for the sensitive bits.

TLS 1.3 everywhere, no exceptions. Database storage encrypted with platform-managed keys. CNIC, phone, address, and the audit log itself encrypted at the field level with a key we hold separately from the database, so a stolen backup is not a stolen patient list. JWT signing keys are 2048-bit RSA, rotatable on demand.
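What field-level encryption with a separately held key looks like in code, as an added example that is not Healipro's implementation: AES-256-GCM for a CNIC, with the key supplied from a key store rather than the database, and the ciphertext bound to its tenant and column through associated data so a blob cannot be moved between rows. It assumes .NET 8; the key id, the storage format and the column names are illustrative assumptions.

```csharp
// Added example (not Healipro's code): field-level AES-256-GCM for a CNIC with a key that
// comes from a key store rather than the database, and associated data binding the
// ciphertext to its tenant and column. Assumes .NET 8; key id and format are illustrative.
using System;
using System.Security.Cryptography;
using System.Text;

public sealed class FieldCipher
{
    private const int NonceBytes = 12, TagBytes = 16;
    private readonly string _keyId;
    private readonly byte[] _key;   // fetched from the key store at startup; never stored beside the rows

    public FieldCipher(string keyId, byte[] key)
    {
        if (key.Length != 32) throw new ArgumentException("AES-256-GCM needs a 32-byte key");
        _keyId = keyId; _key = key;
    }

    // Associated data is authenticated but not stored: a ciphertext copied into another
    // tenant's row or another column no longer verifies, so blobs cannot be swapped.
    private static byte[] Aad(Guid tenantId, string column) =>
        Encoding.UTF8.GetBytes($"{tenantId:D}|{column}");

    public string Protect(Guid tenantId, string column, string plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceBytes);   // fresh per value: GCM nonce reuse is fatal
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] ct = new byte[pt.Length], tag = new byte[TagBytes];
        using var aes = new AesGcm(_key, TagBytes);
        aes.Encrypt(nonce, pt, ct, tag, Aad(tenantId, column));
        // Key id first, so a rotated key can coexist with old rows until they are re-encrypted.
        return string.Join(':', _keyId, Convert.ToBase64String(nonce),
                                Convert.ToBase64String(tag), Convert.ToBase64String(ct));
    }

    public string Unprotect(Guid tenantId, string column, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 4 || parts[0] != _keyId)
            throw new CryptographicException("unknown key id or malformed field");
        byte[] nonce = Convert.FromBase64String(parts[1]);
        byte[] tag = Convert.FromBase64String(parts[2]);
        byte[] ct = Convert.FromBase64String(parts[3]);
        byte[] pt = new byte[ct.Length];
        using var aes = new AesGcm(_key, TagBytes);
        aes.Decrypt(nonce, ct, tag, pt, Aad(tenantId, column));   // throws if the blob was altered or moved
        return Encoding.UTF8.GetString(pt);
    }
}

public static class FieldCipherDemo
{
    // Constructed scenario: a CNIC protected for tenant A round-trips for tenant A, and the
    // same stored blob is rejected when read back under tenant B or from another column.
    public static (bool roundTrip, bool rejectedForOtherTenant, bool rejectedForOtherColumn) Run()
    {
        var cipher = new FieldCipher("cnic-key-v1", RandomNumberGenerator.GetBytes(32));
        Guid tenantA = Guid.NewGuid(), tenantB = Guid.NewGuid();
        const string cnic = "42101-1234567-1";   // constructed sample, not a real CNIC

        string stored = cipher.Protect(tenantA, "patients.cnic", cnic);
        bool roundTrip = cipher.Unprotect(tenantA, "patients.cnic", stored) == cnic;
        return (roundTrip,
                Fails(() => cipher.Unprotect(tenantB, "patients.cnic", stored)),
                Fails(() => cipher.Unprotect(tenantA, "patients.phone", stored)));
    }

    private static bool Fails(Func<string> read)
    {
        try { read(); return false; }
        catch (CryptographicException) { return true; }
    }
}
```

Two design consequences to plan for. A random nonce per value means two equal CNICs produce different blobs, which is what you want when a backup leaks but also means the column can no longer be searched by equality; the usual companion is a blind index (an HMAC of the normalised value under a separate key) stored beside the ciphertext. Rotation works by issuing a new key id and re-encrypting rows in the background; a production reader would recognise both the old and the new id during that window, where this example accepts only one.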

Worth knowing

We pen-test the platform before every major release and publish a brief, non-confidential summary of the findings.

§ 06

2FA for the people who matter; session timeout for everyone

TOTP-based 2FA (Google Authenticator, Authy, 1Password) is mandatory for doctors and clinic admins from day one. In Phase 2 we extend it to operators, pharmacists and lab techs. Every workstation has a configurable session timeout — the front desk's session does not stay open through the night.

Worth knowing

WebAuthn / passkeys are on the Phase 2 roadmap. SSO via SAML / OIDC is available today on the Hospital tier.

§ 07

Backed up daily. Restore-tested monthly.

Daily backups for every tenant, retained 30 days. Point-in-time recovery with hourly granularity for the Hospital tier, retained 7 days. A backup that is never restored is a backup that does not exist — we run a full restore drill monthly and a partial drill weekly, into an isolated environment.

Worth knowing

If you ever leave us, we hand you a full export within 7 days and purge our copies within 30, with a signed confirmation.

§ 08

Where Pakistan's data law lands, we land

There is no settled health-data privacy law in Pakistan today. The Personal Data Protection Bill is in motion. We have designed for what mature jurisdictions require — encryption, audit, breach notification, data residency, right to export — so that when the law settles, our compliance burden is paperwork, not engineering.

Worth knowing

We will publish a Data Processing Addendum that every tenant can sign before going live.

§ 09 The shape of it

One request, end to end.

A schematic of how a single API call moves through our stack — what it touches, where it stops, and where the tenant filter sits.

  1. Browser: TLS 1.3 · HSTS
  2. Cloudflare: WAF · DDoS · TLS termination
  3. Container App: ASP.NET Core · auth middleware
  4. Tenant resolver: JWT → tenant_id
  5. EF query filter: WHERE tenant_id = current
  6. PostgreSQL: encrypted · UAE North

The query filter at step 5 is the load-bearing piece: every clinical query is rewritten by the ORM to include the current tenant's ID before it ever reaches the database, and that ID comes from a claim in the signed JWT (step 4), never from a header, path or query parameter the client controls. Bypassing the filter requires an explicit, audited call in code.
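How steps 4 and 5 fit together, and what the isolation test from § 01 actually checks, as an added example in C# that is not Healipro's code: an Entity Framework Core global query filter keyed on the tenant taken from the verified JWT, tenant stamping and cross-tenant write refusal in SaveChanges, a single audited bypass, and a self-contained version of the deploy-time isolation check. It assumes EF Core 8 with the Microsoft.EntityFrameworkCore.InMemory provider for the check; the claim name tenant_id, the type names and the audit callback are illustrative assumptions.

```csharp
// Added example (not Healipro's code): an EF Core global query filter keyed on the tenant
// claim of the verified JWT, tenant stamping and cross-tenant write refusal in SaveChanges,
// an audited bypass, and the deploy-time isolation check in miniature. Assumes EF Core 8
// plus Microsoft.EntityFrameworkCore.InMemory; type and claim names are illustrative.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.EntityFrameworkCore;

public interface ITenantOwned { Guid TenantId { get; set; } }

public sealed class Patient : ITenantOwned
{
    public Guid Id { get; set; }
    public Guid TenantId { get; set; }
    public string Name { get; set; } = "";
}

// Step 4: the tenant is read from a claim in the already-verified JWT, never from a
// header, route or query value the client controls. "tenant_id" is an assumed claim name.
public sealed class TenantContext
{
    public Guid TenantId { get; }
    public TenantContext(ClaimsPrincipal user) =>
        TenantId = Guid.Parse(user.FindFirst("tenant_id")?.Value
            ?? throw new UnauthorizedAccessException("token carries no tenant_id claim"));
}

public sealed class ClinicDbContext : DbContext
{
    private readonly Guid _tenantId;   // captured per context instance; the filter below reads it
    public ClinicDbContext(DbContextOptions<ClinicDbContext> options, TenantContext tenant)
        : base(options) => _tenantId = tenant.TenantId;

    public DbSet<Patient> Patients => Set<Patient>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // Step 5: the filter lives on the model, not in each query. EF Core appends
        // WHERE tenant_id = @current to every query over Patient, joins and Include()s
        // included, so a forgotten Where() cannot return another tenant's rows.
        modelBuilder.Entity<Patient>().HasQueryFilter(p => p.TenantId == _tenantId);
    }

    // Writes are fenced too: inserts are stamped with the current tenant, and any tracked
    // row that belongs to another tenant is refused before it reaches the database.
    public override int SaveChanges(bool acceptAllChangesOnSuccess)
    {
        foreach (var entry in ChangeTracker.Entries<ITenantOwned>())
        {
            if (entry.State == EntityState.Added && entry.Entity.TenantId == Guid.Empty)
                entry.Entity.TenantId = _tenantId;
            if (entry.State != EntityState.Unchanged && entry.Entity.TenantId != _tenantId)
                throw new InvalidOperationException(
                    $"cross-tenant write blocked: row belongs to tenant {entry.Entity.TenantId}");
        }
        return base.SaveChanges(acceptAllChangesOnSuccess);
    }

    // The only way past the filter: a named method that records why it was used, so every
    // bypass is greppable in code review and visible in the audit log.
    public IQueryable<Patient> PatientsAcrossTenants(string reason, Action<string> audit)
    {
        audit($"IgnoreQueryFilters on Patient by tenant {_tenantId}: {reason}");
        return Patients.IgnoreQueryFilters();
    }
}

public static class IsolationCheck
{
    private static TenantContext Tenant(Guid id) => new(new ClaimsPrincipal(
        new ClaimsIdentity(new[] { new Claim("tenant_id", id.ToString("D")) })));

    // The per-deploy isolation test in miniature: a row written as tenant B must be
    // invisible when the same store is opened as tenant A, and countable only through
    // the audited bypass. Returns true when both hold.
    public static bool TenantACannotSeeTenantB()
    {
        var options = new DbContextOptionsBuilder<ClinicDbContext>()
            .UseInMemoryDatabase("isolation-" + Guid.NewGuid()).Options;
        var tenantA = Tenant(Guid.NewGuid());
        var tenantB = Tenant(Guid.NewGuid());

        using (var asB = new ClinicDbContext(options, tenantB))
        {
            asB.Patients.Add(new Patient { Id = Guid.NewGuid(), Name = "constructed sample row" });
            asB.SaveChanges();
        }

        using var asA = new ClinicDbContext(options, tenantA);
        int visible = asA.Patients.Count();
        int viaBypass = asA.PatientsAcrossTenants("isolation drill", _ => { }).Count();
        return visible == 0 && viaBypass == 1;
    }
}
```

Two points the example is built around. The bypass is deliberately one named method, so that in review `IgnoreQueryFilters` should appear nowhere else in the code base; and the tenant id reaches the context only through the JWT claim, so a client cannot steer the filter by editing a header or URL. The in-memory provider used for the self-contained check does apply global query filters, but it is not PostgreSQL; a deploy-time drill of the kind § 01 describes has to run against the real database.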