Legal

Data Handling

Effective date: April 26, 2026

The technical and organisational measures ProClinik employs to protect clinic and patient data across our platform.

🔒

AES-256

Encryption at rest

🔐

TLS 1.2+

Encryption in transit

🏗️

Schema-isolated

Multi-tenant architecture

📋

7-year logs

Immutable audit trail

1

Data Architecture & Isolation

ProClinik uses a multi-tenant architecture with schema-per-tenant isolation in PostgreSQL. Each clinic's data — including patient records, appointments, and billing — is stored in a dedicated database schema that is inaccessible to other tenants at the database level.

All API requests are scoped to the correct tenant schema via subdomain routing and middleware enforcement. Cross-tenant data access is architecturally impossible at the application level.

2

Encryption

2.1 Data in Transit

All communications between clients and our servers are encrypted using TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS. Strict Transport Security (HSTS) headers are enforced with a 2-year max-age, including subdomains.

2.2 Data at Rest

Database volumes are encrypted at rest using AES-256 block-level encryption at the storage layer. File uploads (X-rays, lab reports, prescriptions) are additionally encrypted at the object level before being written to cloud storage, using per-file AES-256-GCM keys.

3

Access Control

ProClinik implements a granular Role-Based Access Control (RBAC) system. Every API endpoint requires authentication and the appropriate permission scope. Permissions are scoped by clinic, branch, and role, ensuring staff only access the data they are authorised to see.

Administrative access to production infrastructure is restricted to named personnel, protected by multi-factor authentication, and logged via immutable audit trails.

4

Audit Logging

Every data modification — creation, update, and deletion — is recorded in an immutable audit log, capturing the actor, timestamp, affected entity, and a diff of changes. These logs are available within your clinic dashboard and are retained for a minimum of 7 years.

5

File Storage Tiers

Uploaded files are automatically tiered based on age to balance cost and performance:

Hot0–30 days
Stored in high-performance object storage for instant retrieval.
Warm30–365 days
Moved to standard object storage. Access within seconds.
Archive>365 days
Moved to low-cost archive storage. Retrieval within minutes to hours.

Files on a permanent or legal hold retention class are never moved or deleted regardless of age. Plan-based storage quotas apply to the total volume of active files.

6

Backup & Recovery

Database backups are taken on a regular schedule. Uploaded files are stored with object-level redundancy within the designated storage region.

Enterprise SLAs

No specific recovery time or recovery point objectives are guaranteed on standard plans. Enterprise customers may discuss specific SLA commitments in their service agreement.

7

Sub-processors

All sub-processors are bound by data processing agreements and comply with applicable data protection law:

Sub-processorPurposeData Location
Hetzner CloudInfrastructure hostingGermany / Finland
Hetzner Storage BoxesEncrypted file storageGermany / Finland
RazorpayPayment processingIndia
Titan Mail (SMTP)Transactional email deliveryIndia
8

Data Residency

ProClinik infrastructure is currently hosted on Hetzner Cloud (Germany/Finland). Encrypted file storage uses Hetzner Storage Boxes (Germany/Finland). Payment processing is handled entirely by Razorpay within India.

We are committed to minimising cross-border data transfers. Enterprise customers may discuss specific data residency requirements in their service agreement.

9

Data Subject Requests

As data controller, your clinic is responsible for handling patient data subject requests (access, erasure, portability). ProClinik provides tooling within the platform to assist with these requests.

For requests related to your own clinic account data, contact us at hq@proclinik.com.

10

Vulnerability Disclosure

If you discover a security vulnerability in ProClinik, please report it responsibly to hq@proclinik.com.

Acknowledgement

Within 48 hours of receiving your report

Fix timeline

Within 7 days for critical vulnerabilities

11

Contact

Data Protection Officer, ProClinik Technologies Private Limited

hq@proclinik.com