Security Practices

Effective Date: December 2024 | Last Updated: December 2024

Protecting your health data is our top priority. This page describes the security measures we implement to safeguard your personal and health information.

1. Our Security Philosophy

We follow a defense-in-depth approach with multiple layers of security. Health data deserves the highest protection standards, and we continuously improve our security posture.

2. Data Encryption

2.1 Encryption in Transit

  • Protocol: TLS 1.3 for all connections
  • Certificate: Valid SSL certificates from trusted authorities
  • HSTS: HTTP Strict Transport Security enforced
  • API: All API communications over HTTPS

2.2 Encryption at Rest

Data Type | Encryption Method
Medical Documents | AES-256-GCM
Professional Messages | End-to-End (Olm/Vodozemac)
Database | Database-level encryption
Backups | Encrypted backup storage

2.3 End-to-End Encryption (E2EE)

Professional-client messaging uses state-of-the-art E2EE:

  • Algorithm: Double Ratchet (Signal Protocol family)
  • Implementation: Olm/Vodozemac by Matrix.org
  • Key Exchange: Curve25519
  • Message Encryption: AES-256
  • Forward Secrecy: Compromised keys cannot decrypt past messages
  • Security Audit: Implementation audited by Least Authority

What this means: Messages are encrypted on your device before transmission. Not even Laxhar Tech can read message content.

3. Authentication Security

3.1 OAuth 2.0 with PKCE

  • Modern OAuth 2.0 authentication flow
  • PKCE (Proof Key for Code Exchange) prevents interception attacks
  • No passwords stored in Swasth databases
  • Secure token management

3.2 Session Security

  • Secure, HttpOnly session cookies
  • Automatic session expiration
  • Session invalidation on logout
  • Concurrent session management

3.3 Device Security

  • Unique device identifiers for E2EE
  • Device registration for key management
  • Suspicious device detection

4. Access Controls

4.1 Role-Based Access

  • Users access only their own data
  • Professionals access client data only with consent
  • Family members access only shared data
  • Admin access strictly controlled and logged

4.2 Data Sharing Controls

  • Granular privacy settings per data category
  • Professional access requires active relationship
  • Access revoked immediately on relationship end
  • Client controls what professionals see

5. Rate Limiting & DDoS Protection

  • API rate limiting to prevent abuse
  • Enhanced rate limiting on sensitive endpoints:
    • Key upload: 10 requests/minute
    • Key query: 30 requests/minute
    • Key claim: 20 requests/minute
  • DDoS protection at infrastructure level
  • Automatic blocking of suspicious patterns

6. Audit Logging

6.1 What We Log

  • Authentication events (login, logout, failures)
  • Medical document access
  • Sensitive data access by professionals
  • Account changes
  • E2EE key operations

6.2 Log Security

  • Logs stored securely with restricted access
  • Tamper-evident logging
  • Retention per compliance requirements (7 years)
  • Regular log review for anomalies

7. Vulnerability Management

7.1 Security Testing

  • Regular security assessments
  • Dependency vulnerability scanning
  • Code security reviews
  • Penetration testing (periodic)

7.2 Dependency Management

  • Regular updates of dependencies
  • Automated vulnerability alerts
  • Quick patching of critical vulnerabilities

8. Infrastructure Security

8.1 Cloud Security

  • Secure cloud infrastructure providers
  • Network isolation and firewalls
  • Encrypted data storage
  • Regular security audits

8.2 Backup & Recovery

  • Regular automated backups
  • Encrypted backup storage
  • Disaster recovery procedures
  • Recovery testing

9. Secure Development

9.1 Development Practices

  • Security-focused code reviews
  • Input validation and sanitization
  • Protection against OWASP Top 10 vulnerabilities
  • Secure coding guidelines

9.2 Third-Party Security

  • Security assessment of integrations
  • Data processing agreements with vendors
  • Regular vendor security reviews

10. Incident Response

10.1 Our Commitment

In the event of a security incident:

  • Immediate containment and investigation
  • Notification within 72 hours (as required by DPDPA)
  • Clear communication about impact and remediation
  • Post-incident analysis and improvements

10.2 What You'll Be Told

  • Nature of the incident
  • Data potentially affected
  • Steps we're taking
  • Actions you should take
  • Contact for questions

11. Your Role in Security

Help us keep your data secure:

  • Use strong, unique passwords for your OAuth account
  • Enable two-factor authentication where available
  • Keep your devices and browsers updated
  • Be cautious of phishing attempts
  • Log out from shared devices
  • Report suspicious activity to us
  • Don't share your E2EE device with others

12. Security Contact

To report security vulnerabilities or concerns:

  • Security Team: [email protected]
  • General Support: [email protected]

We appreciate responsible disclosure. Please give us reasonable time to address issues before public disclosure.

13. Compliance

Our security practices align with:

  • DPDPA 2023 (Digital Personal Data Protection Act)
  • IT Act 2000 and SPDI Rules
  • Industry security best practices
  • OWASP security guidelines

Security is an ongoing commitment. We continuously evaluate and improve our security measures to protect your health data. If you have security concerns, please contact us immediately.

© 2026 Laxhar Tech Private Limited. All rights reserved.

Swasth is a registered trademark of Laxhar Tech Private Limited.