Data Security Policy

1. Security Commitment

Med97 Inc prioritizes the security of your clinical data and personal information. This policy outlines our security measures, encryption standards, and data protection practices.

We are committed to:

• Protecting data from unauthorized access
• Encrypting sensitive information
• Regular security audits
• Compliance with international security standards

2. Encryption Standards

2.1 Data in Transit (HTTPS/TLS)

All data transmitted to/from SocialMdAI is encrypted using:

• TLS 1.2 or higher
• 256-bit encryption
• HSTS (HTTP Strict Transport Security) enabled
• Perfect forward secrecy

What this means: All connections use HTTPS (not HTTP), connections cannot be intercepted, data cannot be read if intercepted, encryption verified by security certificates.

2.2 Data at Rest (AES Encryption)

Stored data encrypted using:

• AES-256 encryption
• Encryption keys securely managed
• Industry-standard encryption algorithms
• Encryption applied to all sensitive data

Encrypted Data Includes:

• Clinical cases
• Personal information
• Generated content
• Social media credentials

2.3 Password Security

Your password is protected using:

• Bcrypt hashing algorithm
• Salted and hashed (not stored as plain text)
• One-way encryption (cannot be recovered)
• Minimum 8 characters required

2.4 Payment Data Security

Payment information handled by Razorpay:

• PCI-DSS Level 1 compliant
• Never stored by Med97 Inc
• Tokenized references only
• Card data never transmitted to our servers

3. Hosting & Infrastructure Security

3.1 Cloud Hosting (Supabase)

Supabase provides:

• Secure cloud infrastructure
• Automatic backups
• DDoS protection
• Firewall and intrusion detection
• Regular security patches

3.2 Database Security

Database protection includes:

• Row-level security (RLS)
• User-scoped access controls
• Automated backups every 24 hours
• Encrypted backups
• No direct internet access

3.3 Access Controls

Platform access controlled via:

• Authentication required for all operations
• Role-based access control (RBAC)
• API key authentication for integrations
• OAuth 2.0 for third-party services
• Session timeouts (30 minutes inactive)

4. Data Backup & Recovery

4.1 Backup Policy

• Daily automatic backups
• Encrypted backup storage
• Backups retained for 30 days
• Geographically distributed backup locations
• Regular restoration testing

4.2 Disaster Recovery

• Recovery from encrypted backups
• Recovery Time Objective (RTO): 24 hours
• Recovery Point Objective (RPO): 24 hours
• Tested quarterly
• Documented recovery procedures

5. Data Breach Response

5.1 Breach Notification

In case of confirmed data breach:

• Affected users notified within 72 hours (GDPR requirement)
• Notification via email to registered address
• Details of breach, affected data, and remediation
• Regulatory authorities notified if required

5.2 Breach Mitigation

We will:

• Contain the breach immediately
• Reset affected user sessions
• Require password reset for affected users
• Provide credit monitoring (if applicable)
• Investigate root cause
• Implement preventive measures

6. Compliance Certifications

• TLS 1.2/1.3: Encryption in transit
• AES-256: Encryption at rest
• Bcrypt: Password hashing
• PCI-DSS Level 1: Payment processing (Razorpay)
• SOC 2 Type II: Cloud infrastructure (Supabase)
• GDPR: Data protection (EU users)
• India IT Act Section 43A: Data breach liability
• DPDP Act: Digital Personal Data Protection

7. Contact & Reporting

7.1 Security Reporting

To report security vulnerabilities:

• Email: hello@med97.com
• Subject: "SECURITY REPORT"
• Description: Detailed vulnerability information

7.2 Support