Security & compliance

HIPAA-Aligned Data Protection

Last reviewed: 1 January 2026

CareQ is built for Indian clinics and hospitals. While the US Health Insurance Portability and Accountability Act (HIPAA) is a US federal regulation, its security and privacy framework represents the global gold standard for protecting patient health information (PHI). CareQ adopts HIPAA-aligned practices — its administrative, physical, and technical safeguards — as a baseline for how we handle all patient data regardless of geography.

  • Encryption at rest & in transit
  • Access controls & audit logging
  • Clinic data fully isolated
  • Breach notification process
  • BAA available on request

1. What is PHI and who handles it

Protected Health Information (PHI) is any individually identifiable information relating to a person's health, healthcare, or payment for healthcare. In CareQ, PHI includes: patient names, mobile numbers, dates of birth, visit records, diagnoses, prescriptions, and billing details.

Roles under HIPAA terminology:

  • Covered Entity: Your clinic or hospital — the healthcare provider who creates and uses PHI. You are the covered entity.
  • Business Associate: CareQ — a vendor that handles PHI on behalf of the covered entity to provide a service.

As a Business Associate, CareQ commits to using PHI only as necessary to provide the Service, to safeguarding it with appropriate technical and organisational measures, and to cooperating with you in meeting your own compliance obligations.

2. Technical safeguards

Encryption

  • In transit: All communication between users' browsers/devices and CareQ servers is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
  • At rest: Patient records and sensitive fields in our database are encrypted using AES-256. Encrypted backups are stored in geographically redundant locations.

Access controls

  • Unique user identification: Every user has a unique account. Shared logins are not permitted.
  • Role-based access control: Clinic owners assign roles (Owner, Doctor, Receptionist, Viewer) that determine exactly which features and records each staff member can access.
  • Automatic session timeout: Inactive sessions are expired to prevent unauthorised access from unattended devices.
  • Multi-factor authentication: Supported via Google OAuth for accounts using Google Sign-In.

Audit controls

  • All data access and modification events are logged with timestamp and user identity.
  • Logs are retained for 90 days and are available to CareQ's security team for incident investigation.

Data integrity

  • Database transactions use ACID guarantees to prevent corruption.
  • Daily backups with point-in-time restore capability for up to 30 days.

3. Administrative safeguards

Security policies

CareQ maintains internal security policies covering: data handling, access management, incident response, vendor risk management, and employee training. These policies are reviewed at least annually.

Workforce training

All CareQ employees with access to production systems or PHI undergo security and privacy training as part of onboarding and annually thereafter.

Access management

Access to production systems is limited to a small number of authorised engineers. Access is granted on a least-privilege basis and reviewed quarterly. All access requires multi-factor authentication and is logged.

Incident response

CareQ maintains a formal incident response plan. Any suspected data breach is investigated within 24 hours of detection. See Section 6 for our breach notification commitments.

Risk assessment

We conduct periodic risk assessments to identify and mitigate threats to the confidentiality, integrity, and availability of patient data.

4. Physical safeguards

CareQ's infrastructure runs on enterprise cloud data centres that maintain:

  • Physical access controls including biometric entry, security personnel, and CCTV surveillance.
  • Environmental controls including redundant power, cooling, and fire suppression.
  • ISO 27001-certified facilities operated by our infrastructure providers.

CareQ employees do not have physical access to servers. All administrative access is remote, authenticated, and logged.

5. Sub-processors and BAAs

CareQ uses a limited set of sub-processors to operate the platform. All sub-processors who may handle PHI are:

  • Reviewed for security and privacy practices before engagement.
  • Bound by data processing agreements that include confidentiality and security obligations equivalent to those we commit to you.
  • Limited to using PHI only as necessary to provide their specific service to CareQ.

Our primary sub-processors include cloud infrastructure providers (for hosting and database services) and payment processors. We do not share patient records with any marketing or analytics platforms.

6. Data breach notification

In the event of a confirmed or suspected data breach involving PHI, CareQ will:

  • Investigate within 24 hours of detecting a potential breach.
  • Notify affected clinics within 72 hours of confirming a breach, including: the nature of the breach, the PHI involved, the likely cause, and the steps we are taking to contain and remediate it.
  • Cooperate fully with your own breach notification obligations to affected patients and regulatory authorities under applicable Indian law.
  • Document all breaches and our response actions in our internal incident log.

To report a suspected breach or security vulnerability: info@amdcode.com

7. Your clinic's responsibilities

CareQ provides the platform and safeguards, but your clinic also has responsibilities for PHI protection:

  • User accounts: Do not share login credentials. Deactivate staff accounts promptly when employees leave your clinic.
  • Device security: Ensure devices used to access CareQ (computers, tablets, phones) are protected with passwords and kept updated.
  • Patient consent: Obtain appropriate patient consent for digital record-keeping and for any WhatsApp communications sent via CareQ.
  • Data accuracy: You are responsible for the accuracy of patient records entered into CareQ.
  • Staff training: Train your staff on the safe and appropriate use of CareQ and on your clinic's own data protection policies.
  • Regulatory compliance: Ensure your use of CareQ complies with all applicable Indian healthcare regulations and state-specific requirements for your medical specialty.

8. Indian data protection alignment

CareQ is designed with Indian law as the primary compliance framework:

Digital Personal Data Protection Act, 2023 (DPDPA)

CareQ supports your obligations as a Data Fiduciary under the DPDPA. Patient data entered by your clinic is processed by CareQ only as a Data Processor on your instructions. We maintain technical and organisational measures consistent with those required of a Data Processor under the Act.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

We follow the security practices specified under these rules for sensitive personal data, including health information.

Data localisation

Patient data is stored on servers located in India or regions where Indian law permits. We will update this section if our data localisation arrangements change and will notify affected clinics in advance.

9. Business Associate Agreement

A Business Associate Agreement (BAA) is a contract between a covered entity (your clinic) and a business associate (CareQ) that establishes each party's responsibilities for PHI protection, use, and disclosure.

If you operate a clinic that is subject to HIPAA (for example, because you serve US-based patients) or if your institution's compliance programme requires a formal BAA, CareQ can provide one.

To request a BAA: email info@amdcode.com with your clinic name and a brief description of your compliance requirement. We will respond within 5 business days.

10. Contact our security team

For any questions about CareQ's security or compliance practices:

We take security reports seriously. If you discover a vulnerability in CareQ, please report it responsibly and we will investigate and respond within 24 hours.

Security at a glance

  • AES-256 encryption at rest
  • TLS 1.2+ in transit
  • Per-clinic data isolation
  • Daily encrypted backups
  • 72-hr breach notification
  • BAA available on request