Data Security

Our Security Commitment

Health data is among the most sensitive information that exists. PRISM employs enterprise-grade security measures and follows healthcare industry best practices to ensure your data remains protected, private, and under your control at all times.

1. Security Certifications & Standards

PRISM maintains the following security certifications and adheres to recognised standards:

ISO

ISO 27001 Information Security Management

SOC

SOC 2 Type II Security, Availability, Confidentiality

HIP

HIPAA Compliant US Healthcare Security Standards

CSA

CSA STAR Cloud Security Alliance

2. Security Architecture

Our defence-in-depth approach implements multiple layers of security controls:

Multi-Layer Security Architecture

👤 User Layer Biometric auth, 2FA, session management, device binding

📱 Application Certificate pinning, code obfuscation, secure storage

🔌 API Gateway OAuth 2.0, rate limiting, request validation, WAF

🗄️ Data Layer AES-256 encryption at rest, field-level encryption

☁️ Infrastructure VPC isolation, DDoS protection, intrusion detection

3. Encryption

🔒

Data at Rest

All stored data is encrypted using AES-256 encryption. Sensitive fields like health conditions and medications use additional field-level encryption.

🔐

Data in Transit

All communications use TLS 1.3 with strong cipher suites. Certificate pinning prevents man-in-the-middle attacks on mobile apps.

🔑

Key Management

Encryption keys are managed using hardware security modules (HSMs). Keys are rotated regularly and never stored with encrypted data.

🧮

Cryptographic Standards

We use industry-standard algorithms: AES-256-GCM, RSA-4096, SHA-256, and ECDHE for perfect forward secrecy.

4. Access Control

4.1 User Authentication

Multi-Factor Authentication (MFA): Required for all accounts, supporting authenticator apps, SMS, and biometrics
Biometric Login: Face ID, Touch ID, and fingerprint authentication on supported devices
Session Management: Automatic timeout, single-session enforcement, suspicious activity detection
Password Requirements: Minimum 12 characters with complexity requirements, breach database checking

4.2 Consent-Based Access

Healthcare providers can only access data you have explicitly consented to share
Granular controls allow you to share specific data types with specific providers
Consent can be revoked instantly with immediate effect
All access attempts are logged in an immutable audit trail

4.3 Internal Access Controls

Role-based access control (RBAC) limits employee access to minimum necessary
All production access requires multi-person approval
Access to patient data is logged and regularly audited
Background checks required for all employees with data access

5. Infrastructure Security

5.1 Cloud Security

Hosted on enterprise cloud infrastructure with SOC 2 certification
Virtual Private Cloud (VPC) isolation for network segmentation
Web Application Firewall (WAF) protection against common attacks
DDoS protection and automatic traffic scrubbing
Geographic redundancy with automated failover

5.2 Data Locality

We maintain data residency compliance by storing your data within your country or region where legally required. Supported regions include:

India — Data stored in Mumbai/Hyderabad data centres
European Union — Data stored in Frankfurt/Dublin data centres
United States — Data stored in US East/West data centres
Additional regions based on regulatory requirements

6. Monitoring & Detection

👁️

24/7 Monitoring

Security Operations Centre monitors systems around the clock for anomalies, intrusions, and potential threats.

🚨

Intrusion Detection

AI-powered intrusion detection systems identify and alert on suspicious network activity in real-time.

📊

SIEM Integration

Security Information and Event Management correlates logs across all systems for comprehensive threat visibility.

🔍

Audit Logging

Complete audit trails of all data access, changes, and administrative actions stored immutably.

7. Vulnerability Management

Penetration Testing: Annual third-party penetration tests by certified security firms
Bug Bounty Program: Responsible disclosure program rewards security researchers
Vulnerability Scanning: Continuous automated scanning of applications and infrastructure
Patch Management: Critical patches applied within 24 hours, routine patches within 7 days
Secure Development: OWASP-aligned secure coding practices, mandatory code reviews

8. Business Continuity

8.1 Backup & Recovery

Automated daily backups with 30-day retention
Backups encrypted and stored in separate geographic locations
Regular recovery testing ensures backup integrity
Recovery Point Objective (RPO): 1 hour
Recovery Time Objective (RTO): 4 hours

8.2 Disaster Recovery

Multi-region infrastructure with automatic failover
Documented disaster recovery procedures tested quarterly
Business continuity plans for extended outages

9. Incident Response

In the event of a security incident, PRISM follows a documented incident response plan:

Detection: Automated alerts or user reports trigger investigation
Containment: Immediate steps to limit potential damage
Eradication: Remove threat and patch vulnerabilities
Recovery: Restore services and verify integrity
Notification: Affected users notified within 72 hours as required by law
Post-Incident: Root cause analysis and preventive measures

10. Employee Security

Background checks for all employees
Mandatory security awareness training
Clean desk policy and secure workspace requirements
Confidentiality agreements and access termination procedures
Regular phishing simulations and security refreshers

Report a Security Concern

If you discover a security vulnerability or have concerns about data security:

Security Team: security@prismhealth.io

Bug Bounty: bugbounty@prismhealth.io

Emergency Hotline: +1-XXX-XXX-XXXX (24/7)