HealoPlus is built for the Indian healthcare context where patient data is among the most sensitive personal data that exists. Every architectural decision — from our database region to our audit log design — is driven by the principle that your patients’ records must be protected by multiple independent layers of security, not a single point of trust.
1. Infrastructure
| Layer | Technology | Security Role |
|---|---|---|
| Edge / CDN | Cloudflare | WAF, DDoS protection, rate limiting, IP blocklisting, bot management |
| API | Hono.js on Cloudflare Workers | Serverless, no persistent attack surface; JWT validation on every route |
| Database | Supabase Postgres (Mumbai — ap-south-1) | Encrypted at rest, Row-Level Security, India-only data residency |
| File Storage | Supabase Storage (Mumbai) | Encrypted; all files accessed via signed, expiring URLs only |
| Frontend | Next.js on Vercel / Cloudflare Pages | CSP headers, HSTS, X-Frame-Options DENY on all responses |
| Rate limiting / OTP state | Cloudflare KV | OTPs stored with TTL only — never in the database |
2. Encryption
2.1 At Rest
All patient data stored in Supabase Postgres is encrypted at rest using AES-256. Prescription PDFs, lab reports, uploaded documents, and other files stored in Supabase Storage are encrypted at the storage layer. Passwords are hashed using bcrypt before storage — plain-text passwords are never stored.
2.2 In Transit
TLS 1.2 or higher is enforced on all connections to HealoPlus services. HTTP Strict Transport Security (HSTS) headers with a one-year max-age are set on all responses, instructing browsers to only ever connect via HTTPS. Downgrade attacks are prevented at the Cloudflare edge.
2.3 Authentication Tokens
Session tokens are JWE (AES-256-GCM) wrapping JWS (HS256) — encrypted and signed. Clinic staff tokens are stored in HttpOnly, Secure, SameSite=Strict cookies, inaccessible to JavaScript. Token payloads contain only user_id, clinic_id, and role — no PII.
2.4 Prescription & File Links
Prescription PDFs and patient documents are never shared via public URLs. All file access uses signed Supabase Storage URLs with a maximum expiry of 1 hour. Links sent via WhatsApp or email expire before they could be misused if forwarded.
3. Access Control
3.1 Multi-Tenancy Isolation
Every table in the HealoPlus database contains a clinic_id column. Supabase Row-Level Security (RLS) policies enforce that every query — regardless of what the application code does — can only access rows belonging to the authenticated clinic. This is enforced at the database layer, not just application logic.
The clinic_id value used in all queries is always sourced from the verified JWT payload, never from user-submitted request data. This prevents a clinic from accessing another clinic’s patients even if they manipulate API parameters.
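Added example (not HealoPlus code): the inner HS256 JWS layer from section 2.3, the cookie attributes it is stored under, and a handler in the spirit of the paragraph above that takes clinic_id only from the verified token and ignores any clinic_id the client sends. The secret, claim names, cookie name and SQL are assumptions chosen for the illustration; the JWE layer that encrypts the token in production is not shown.

```typescript
import { Buffer } from "node:buffer";
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical signing secret for the example; a real Worker reads it from a secret binding.
const SIGNING_SECRET = "constructed-example-secret-not-for-production";

// The only claims a session token carries per section 2.3: no PII.
export interface SessionClaims {
  user_id: string;
  clinic_id: string;
  role: "clinic_admin" | "doctor" | "receptionist" | "nurse";
  exp: number; // expiry, seconds since the Unix epoch
}

const b64url = (data: string | Buffer): string =>
  (typeof data === "string" ? Buffer.from(data, "utf8") : data).toString("base64url");
const hs256 = (signingInput: string): Buffer =>
  createHmac("sha256", SIGNING_SECRET).update(signingInput).digest();

function decodePart(part: string): Record<string, unknown> | null {
  try {
    const v: unknown = JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
    return v !== null && typeof v === "object" ? (v as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

// Mint the inner JWS (header.payload.signature).
export function signSession(claims: SessionClaims): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const input = `${header}.${payload}`;
  return `${input}.${b64url(hs256(input))}`;
}

// Verify algorithm, signature (constant time) and expiry; null on any failure.
export function verifySession(
  token: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): SessionClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts as [string, string, string];
  const header = decodePart(h);
  if (!header || header.alg !== "HS256") return null; // refuses "none" and every other alg
  const expected = hs256(`${h}.${p}`);
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = decodePart(p);
  if (!claims) return null;
  if (typeof claims.user_id !== "string" || typeof claims.clinic_id !== "string") return null;
  if (typeof claims.role !== "string") return null;
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null;
  return claims as unknown as SessionClaims;
}

// Cookie attributes from section 2.3: HttpOnly, Secure, SameSite=Strict. Cookie name is assumed.
export function sessionCookie(token: string, maxAgeSeconds: number): string {
  return `hp_session=${token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=${maxAgeSeconds}`;
}

// Tenant scoping as in section 3.1: clinic_id is read from the verified token only.
// body.clinic_id, if the client sends one, never reaches the query.
export function scopedPatientQuery(
  token: string,
  body: Record<string, unknown>,
): { text: string; params: string[] } | null {
  const claims = verifySession(token);
  if (!claims) return null;
  const patientId = typeof body.patient_id === "string" ? body.patient_id : null;
  if (!patientId) return null;
  return {
    text: "select * from patients where clinic_id = $1 and id = $2", // parametrised, assumed schema
    params: [claims.clinic_id, patientId],
  };
}
```

Note that the database-side RLS policy from the first paragraph is the second, independent layer: even a handler that forgot this rule would be constrained by the clinic_id filter Postgres applies itself.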
3.2 Role-Based Access
| Role | Clinical Access | Billing Access | Settings Access |
|---|---|---|---|
| Clinic Admin | Full — all patients | Full | Full |
| Doctor | Own patients & prescriptions only | None | Profile only |
| Receptionist | Appointments & patient intake only | Create invoices | None |
| Nurse / GNM | Record vitals only — no prescriptions, no history | None | None |
The nurse role is legally bounded by NMC Telemedicine Guidelines, 2020. Nurses write only to the vitals table. The RLS policy prevents any other table access at the database level.
4. Authentication
4.1 Clinic Staff Login
- Email + password via Supabase Auth
- Password policy: minimum 10 characters, 1 uppercase, 1 number, 1 special character
- 5 failed login attempts trigger a 30-minute account lockout
- Session timeout: 8 hours of idle activity
- Maximum 2 concurrent active sessions per user
- TOTP two-factor authentication available (enforced in Phase 2)
4.2 Patient OTP Verification
- 6-digit OTP sent to patient’s verified phone number
- OTP expires in 5 minutes and is single-use
- OTP stored as a hash in Cloudflare KV with TTL — never stored in the database
- After 5 wrong OTP attempts, that phone number is locked out for 30 minutes
- OTP send rate-limited to 3 requests per 10 minutes per phone number
- Cloudflare Turnstile (not reCAPTCHA) required before OTP can be requested
4.3 Admin Panel
- Email + password + mandatory TOTP (2FA) — no exceptions
- IP allowlist enforced at the Cloudflare Worker — all non-allowlisted IPs are blocked before reaching the route
- Every admin action audit-logged with admin_id, action, target, and timestamp
5. Audit Logging
Every read and write of patient data generates an audit log entry. This is non-negotiable and enforced at the API handler level. The audit_logs table is append-only — no UPDATE or DELETE permission is granted to any role, including our own backend service.
Each audit log entry records:
- clinic_id — which clinic
- actor_id + actor_role — who performed the action
- action — e.g. patient.read, prescription.create, consent.granted
- table_name + record_id — exactly which record was touched
- ip_address + timestamp
Audit logs are retained for a minimum of 7 years as required by the IT Act, 2000 and serve as the primary evidence trail for any regulatory investigation or patient rights request.
6. Public Booking Security
The public booking portal is the highest-risk surface in the HealoPlus platform — it is accessible to unauthenticated users on the open internet. Every input is treated as potentially hostile.
6.1 Input Security
- All inputs sanitised server-side using sanitize-html — HTML tags stripped, scripts rejected
- Only whitelisted request body keys are accepted — unexpected fields are silently rejected
- Phone numbers validated to E.164 format server-side
- Free-text fields capped at 500 characters; URLs and HTML in complaint fields are rejected
6.2 Bot & Abuse Protection
- Cloudflare Turnstile (invisible CAPTCHA) on booking form and OTP request — no reCAPTCHA
- Honeypot hidden field — if filled, request is silently discarded (200 returned, nothing processed)
- Minimum form fill time of 3 seconds — submissions completed faster are silently rejected as bot signals
- Tor exit nodes and known datacenter/proxy IP ranges blocked at the Cloudflare edge
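Added example (not HealoPlus code) that puts sections 6.1 and 6.2 together in one server-side validator for the booking form: allowlisted body keys, E.164 phone check, the 500-character cap with HTML and URLs rejected in the complaint field, the honeypot, and the 3-second minimum fill time. The fill-time check is implemented here with an HMAC-signed render timestamp so the client cannot backdate it; that mechanism, the field names, the honeypot name and the secret are assumptions, and the tag-stripping regex stands in for sanitize-html so the block runs without dependencies.

```typescript
import { Buffer } from "node:buffer";
import { createHmac, timingSafeEqual } from "node:crypto";

const ALLOWED_KEYS = new Set(["name", "phone", "complaint", "website", "form_token"]); // assumed field names
const MAX_TEXT = 500;
const MIN_FILL_SECONDS = 3;
const HONEYPOT_FIELD = "website";               // hidden from humans via CSS; bots tend to fill it
const FORM_SECRET = "constructed-example-secret"; // hypothetical Worker secret

export type Outcome =
  | { kind: "accepted"; data: { name: string; phone: string; complaint: string } }
  | { kind: "rejected"; errors: string[] }
  | { kind: "silent_discard"; signal: "honeypot" | "too_fast" | "bad_token" };

// Issued when the form is rendered: a timestamp plus an HMAC so the client cannot forge or backdate it.
export function issueFormToken(nowSeconds: number): string {
  const ts = String(nowSeconds);
  return `${ts}.${createHmac("sha256", FORM_SECRET).update(ts).digest("hex")}`;
}

function renderedAt(token: unknown): number | null {
  if (typeof token !== "string") return null;
  const [ts, sig] = token.split(".");
  if (!ts || !sig || !/^\d+$/.test(ts)) return null;
  const expected = createHmac("sha256", FORM_SECRET).update(ts).digest("hex");
  const a = Buffer.from(sig, "hex");
  const b = Buffer.from(expected, "hex");
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  return Number(ts);
}

// Stand-in for sanitize-html with an empty allowed-tag list: strip anything tag-shaped.
const stripTags = (s: string): string => s.replace(/<[^>]*>/g, "").trim();
const E164 = /^\+[1-9]\d{1,14}$/;
const LOOKS_LIKE_HTML = /<[^>]*>/;
const LOOKS_LIKE_URL = /https?:\/\/|www\./i;

export function validateBooking(raw: Record<string, unknown>, nowSeconds: number): Outcome {
  // 1. Keep only allowlisted keys; everything else is dropped without comment.
  const body: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(raw)) if (ALLOWED_KEYS.has(k)) body[k] = v;

  // 2. Bot signals. The caller still answers 200 for these; nothing is processed.
  const honey = body[HONEYPOT_FIELD];
  if (typeof honey === "string" && honey !== "") return { kind: "silent_discard", signal: "honeypot" };
  const t0 = renderedAt(body.form_token);
  if (t0 === null) return { kind: "silent_discard", signal: "bad_token" };
  if (nowSeconds - t0 < MIN_FILL_SECONDS) return { kind: "silent_discard", signal: "too_fast" };

  // 3. Field validation; these are real user errors and are reported back.
  const errors: string[] = [];
  const name = typeof body.name === "string" ? stripTags(body.name) : "";
  if (name.length === 0 || name.length > MAX_TEXT) errors.push("name");
  const phone = typeof body.phone === "string" ? body.phone.trim() : "";
  if (!E164.test(phone)) errors.push("phone");
  const complaint = typeof body.complaint === "string" ? body.complaint.trim() : "";
  if (complaint.length > MAX_TEXT || LOOKS_LIKE_HTML.test(complaint) || LOOKS_LIKE_URL.test(complaint)) {
    errors.push("complaint");
  }
  if (errors.length > 0) return { kind: "rejected", errors };
  return { kind: "accepted", data: { name, phone, complaint } };
}
```

Bot signals are separated from validation errors on purpose: a honeypot hit or an implausibly fast submission gets the same 200 as a real booking, so a scripted client learns nothing from the response, while a human who mistypes a phone number gets a usable error.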
6.3 Rate Limiting
| Endpoint | Limit |
|---|---|
| Booking form submit | 5 requests / IP / 10 min |
| OTP send | 3 requests / phone / 10 min |
| OTP verify | 5 attempts, then 30-min lockout |
| Chat messages | 20 messages / min / session |
6.4 Security Headers
All public responses include:
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: no-referrer
- Permissions-Policy: camera=(), microphone=(), geolocation=()
- Content-Security-Policy — nonce-based CSP on all SSR pages
7. File & Document Security
- Allowed upload types: .jpg, .jpeg, .png, .pdf only — all others rejected
- Every uploaded file is renamed with a UUID before storage — original filenames are never used as storage paths
- Files are streamed directly to Supabase Storage — never written to Worker disk or memory
- All patient files are accessed only via signed, expiring URLs (max 1-hour TTL) — no public permanent links
- Prescription PDFs are generated server-side and stored in Supabase Storage under a clinic-scoped path — inaccessible without a valid signed URL
8. Breach Response
In the event of a confirmed or suspected data breach, HealoPlus follows this protocol:
Detect & Contain
Anomaly detection via Cloudflare alerts. Suspected breaches trigger an immediate internal incident record via POST /admin/breach-notification.
Notify Affected Clinics
Affected clinics (Data Fiduciaries) are notified without undue delay — within hours of detection wherever possible.
Report to DPBI (72 hours)
A formal incident report is submitted to the Data Protection Board of India within 72 hours as required by the DPDP Act, 2023.
Patient Notification
The clinic (as Data Fiduciary) individually notifies affected patients via WhatsApp + email. HealoPlus provides the tooling and incident record to support this.
Post-Incident Review
Root cause analysis, security patch, and updated controls documented. Affected clinics are kept informed throughout.
9. Your Responsibilities
Security is a shared responsibility. HealoPlus secures the platform infrastructure; clinics and their staff are responsible for the following:
- Keep your login credentials confidential — do not share passwords across staff members
- Use strong, unique passwords meeting the minimum policy (10+ chars, uppercase, number, special character)
- Enable TOTP two-factor authentication when it becomes mandatory in Phase 2
- Report any suspected unauthorised access to your account immediately to [email protected]
- Do not attempt to access patient records from another clinic — this is a material breach of the Terms of Service and a potential criminal offence under the IT Act, 2000
- Ensure your clinic devices (laptops, tablets) are locked when unattended
10. Responsible Disclosure
If you have discovered a security vulnerability in the HealoPlus platform, we ask that you report it to us responsibly before public disclosure. We commit to:
- Acknowledging your report within 3 business days
- Providing a status update within 7 days
- Working to resolve confirmed vulnerabilities within 30 days
- Not pursuing legal action against researchers who act in good faith
Report security vulnerabilities to [email protected]. Please include a clear description, steps to reproduce, and your assessment of impact. Encrypt sensitive reports using our PGP key if available.
Security Standards & Legal Basis
- IT Act 2000, §43A
- SPDI Rules, 2011
- DPDP Act, 2023
- NMC Telemedicine Guidelines, 2020
- Cloudflare WAF
- AES-256 Encryption
- TLS 1.2+