Security & privacy
Medslots handles patient data for Indian clinics. This page is the public summary of how we protect it. For compliance teams: email hello@medslots.com for our questionnaire and signed data-processing agreement.
What we do
Encryption everywhere
TLS 1.2+ in transit. Every patient data field is encrypted at rest with AES-256-GCM, using a per-tenant key derived from a master key held in Vercel encrypted env vars. The database lives in Neon's AWS Mumbai (ap-south-1) region.
Role-based access
Three clinic roles (admin / doctor / staff) plus a platform super-admin tier limited to billing. Admin actions require MFA.
Append-only audit log
Every read and write of patient data is recorded. Logs retained for 7 years, aligned with the longer of IT Rules 2011 SPDI reasonable-steps and state health-records legislation.
Tenant isolation, twice
App-layer organizationId filter + Postgres Row-Level Security. A query bug can't leak data across clinics.
Patient rights built in
DPDPA s52 access export, DPDPA s53 correction workflow, STOP-keyword opt-out (TRAI DLT), and crypto-shred deletion are all first-class features. The DPDPA Data Protection Board Notifiable Data Breach process is documented.
DPDPA + NMC aware
Mapped to the DPDPA 2023 + IT Rules 2011 SPDI, the DPDPA Data Protection Board + CERT-In scheme, NMC Code §6.1 advertising rules, and the ASCI Code 2024 (No.3) 2021. The clinic remains the NMC-registered advertiser of record.
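An added example, not Medslots' own code, of how the per-tenant encryption in "Encryption everywhere" and the crypto-shred deletion in "Patient rights built in" can fit together. It assumes HKDF-SHA256 as the derivation, a random per-tenant salt held in a separate store, and hypothetical function names; the page specifies none of these.

```javascript
// Added example: per-tenant AES-256-GCM field encryption with crypto-shredding.
// Assumptions (not from the page): HKDF-SHA256 as the KDF, a random per-tenant
// salt kept in its own store, and the envelope layout iv || tag || ciphertext.
const crypto = require('node:crypto');

// Constructed stand-ins for the master key (env var) and the salt store.
const MASTER_KEY = crypto.randomBytes(32);
const tenantSalts = new Map();

function provisionTenant(orgId) {
  tenantSalts.set(orgId, crypto.randomBytes(32));
}

function tenantKey(orgId) {
  const salt = tenantSalts.get(orgId);
  if (!salt) throw new Error(`no key material for tenant ${orgId}`);
  const info = Buffer.from(`patient-field-v1:${orgId}`);
  return Buffer.from(crypto.hkdfSync('sha256', MASTER_KEY, salt, info, 32));
}

function encryptField(orgId, fieldName, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', tenantKey(orgId), iv);
  // Bind the ciphertext to its tenant and column so it cannot be moved.
  cipher.setAAD(Buffer.from(`${orgId}|${fieldName}`));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(orgId, fieldName, envelope) {
  const raw = Buffer.from(envelope, 'base64');
  if (raw.length < 28) throw new Error('envelope too short');
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', tenantKey(orgId), raw.subarray(0, 12), { authTagLength: 16 });
  decipher.setAuthTag(raw.subarray(12, 28));
  decipher.setAAD(Buffer.from(`${orgId}|${fieldName}`));
  // final() throws if the key, AAD or ciphertext does not match the tag.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()])
    .toString('utf8');
}

// Crypto-shred: destroying the salt makes the tenant key underivable, so
// every stored ciphertext for that tenant becomes unreadable.
function shredTenant(orgId) {
  return tenantSalts.delete(orgId);
}
```

The shred only holds if the salt store and its backups can be purged independently of the database that holds the ciphertext.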
Regulatory framework
Privacy: The DPDPA 2023 and the DPDPA + SPDI Rules Principles govern how we collect, hold, use, and disclose personal information. Patient health information is “sensitive information” under s6 of the Act and attracts the higher protections in DPDPA s5+s6 (collection) and DPDPA s7 (use & disclosure). The clinic is the data fiduciary for its patients; Medslots acts on the clinic’s behalf under a written agreement.
Security (IT Rules 2011 SPDI): We take “reasonable steps” — AES-256-GCM at rest with per-tenant key derivation, TLS 1.2+ in transit, role-based access with MFA on administrative actions, append-only audit logging, and Indian data residency in Neon AWS Mumbai (ap-south-1).
Notifiable Data Breaches: The DPDPA Data Protection Board + CERT-In scheme (Privacy Act Part IIIC) requires assessment of any suspected eligible data breach within 30 days. If we determine an eligible breach has occurred — that is, unauthorised access, disclosure or loss of personal information likely to result in serious harm where remediation cannot prevent it — we notify the DPDPA Data Protection Board and affected individuals “as soon as practicable” with the prescribed statement.
Cross-border (DPDPA s16): Patient data is processed in India. A small set of operational metadata (Sentry error reports with PHI scrubbed via a beforeSend hook, Postmark/Resend transactional email metadata with no PHI in message bodies) is processed by US-based subprocessors. We disclose these in the subprocessor table below and remain accountable under DPDPA s16 for any act or practice of those overseas recipients.
Advertising (NMC + ASCI): NMC Code §6.1 of the Health Practitioner Regulation National Law, the NMC §6.1 for Advertising a Regulated Health Service, the ASCI Code 2024 (No.3) 2021, and (where applicable) the NMC clinical-claims rules (Dec 2023) govern what a healthcare advertiser may claim. The chatbot is configured to avoid testimonials about cosmetic procedures, comparative claims, outcome guarantees, and brand-name promotion of Schedule H drug list or Schedule X (controlled) drugs in consumer-facing copy.
State health legislation: Karnataka Health Records and Information Privacy Act 2002, Victorian Health Records Act 2001, and the ACT Health Records (Privacy and Access) Act 1997 may apply to private collection of health information in those jurisdictions. The Commonwealth Privacy Act remains the floor.
Subprocessors
The vendors below process or store patient data on our behalf. We have a signed data-processing agreement — or are actively obtaining one — with every vendor. Application + database live in AWS Mumbai (ap-south-1) for India data residency.
| Vendor | Purpose | Region | DPA |
|---|---|---|---|
| Letex Media Co. | Platform operator — staff access for support + operations | India (read access; PHI stays in India at rest) | Signed |
| Vercel | Application hosting | Bengaluru (bom1 / AWS ap-south-1) | Signed |
| Neon | Postgres database (patient data) | AWS Mumbai (ap-south-1) | Signed |
| OpenAI | AI chatbot + summarisation (chat completions) | United States — zero-training API terms (no model fine-tuning on customer data) | Signed |
| Meta WhatsApp Business | Patient messaging (primary) | Multi-region (Meta-controlled) | In progress |
| Postmark | Transactional email (magic-links, receipts — metadata only, no PHI in body) | United States | Signed |
| Resend | Transactional email (alerts — metadata only, no PHI in body) | United States | Signed |
| Sentry | Error tracking (PII/PHI scrubbed via beforeSend hook) | United States | Signed |
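The Sentry row relies on a beforeSend hook to keep PII/PHI out of error reports. An added example of such a hook, not Medslots' own code; the key list, value patterns and redaction marker are assumptions.

```javascript
// Added example: a PHI scrubber shaped as a Sentry beforeSend(event, hint) hook.
// The key list and value patterns below are assumptions, not Medslots' rules.
const PHI_KEYS = /^(name|phone|mobile|email|dob|address|diagnosis|notes)$/i;
const PHI_VALUES = [
  /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g,               // e-mail addresses
  /(?:\+91[\s-]?|\b)[6-9]\d{4}[\s-]?\d{5}\b/g,   // Indian mobile numbers
];

// Returns a scrubbed deep copy; the input object is never mutated.
function scrubValue(value, depth = 0) {
  if (depth > 10) return '[Truncated]'; // guard against deep or cyclic data
  if (typeof value === 'string') {
    return PHI_VALUES.reduce((s, re) => s.replace(re, '[Filtered]'), value);
  }
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      // Sensitive keys are redacted whole; everything else is walked.
      out[k] = PHI_KEYS.test(k) ? '[Filtered]' : scrubValue(v, depth + 1);
    }
    return out;
  }
  return value;
}

function beforeSend(event) {
  try {
    const clean = scrubValue(event);
    delete clean.user;               // drop the user context entirely
    if (clean.request) {
      delete clean.request.cookies;
      delete clean.request.data;     // request bodies can carry patient forms
    }
    return clean;
  } catch (err) {
    return null;                     // fail closed: drop the event, never send raw
  }
}
```

It would be registered as the `beforeSend` option of `Sentry.init`.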
Reporting an issue
hello@medslots.com
Found a vulnerability or possible breach? Email us — we acknowledge within one business day and triage per the DPDPA Data Protection Board + CERT-In workflow.
Last updated 2026-06-04.