Our Commitment to Security

At 1Heart, we understand that health information is among the most sensitive personal data. We are committed to implementing robust security measures to protect your information and maintain your trust.

Security is not an afterthought — it is built into every aspect of our platform design, development, and operations.

Role-Based Access Control (RBAC)

We implement comprehensive role-based access control to ensure users can only access data they are authorized to see:

  • Patients: Access only their own health records and data
  • Healthcare Providers: Access patient records within their authorized scope of care
  • Clinic Staff: Access based on their assigned responsibilities and clinic
  • Administrators: Administrative access with appropriate controls and audit logging

Access permissions are granular, with over 10 specific permission flags controlling access to different features and data types.

Secure Authentication

We implement multiple layers of authentication security:

  • OTP Verification: One-time password verification for phone-based authentication
  • Secure Password Handling: Industry-standard password hashing and storage
  • Session Management: Secure session handling with appropriate timeouts
  • Multi-factor Authentication: Additional verification for sensitive operations

Data Protection

Encryption

  • Data in Transit: All data transmitted between your device and our servers is encrypted using TLS/SSL
  • Data at Rest: Sensitive data is encrypted when stored on our servers
  • Secure Storage: Health documents and files are stored securely with access controls

Infrastructure Security

1Heart is built on enterprise-grade cloud infrastructure that provides:

  • Secure data centers with physical security controls
  • Network security and firewall protection
  • Regular security updates and patches
  • Redundancy and backup systems
  • DDoS protection

Multi-Tenant Data Isolation

Our platform supports multiple clinics and organizations while maintaining strict data isolation:

  • Each clinic's data is logically separated
  • Users can only access data within their authorized clinic context
  • Cross-clinic access is strictly controlled
  • Camp volunteers have limited access that doesn't extend to persistent clinic data

Audit Trails

We maintain comprehensive audit logs to ensure accountability:

  • Record of data access and modifications
  • User activity logging for sensitive operations
  • Administrative action tracking
  • Security event logging

Audit logs are accessible to authorized administrators with appropriate permissions.

Application Security

Our application development follows security best practices:

  • Secure Development: Security considerations in our development lifecycle
  • Input Validation: Validation of user inputs to prevent injection attacks
  • Security Rules: Server-side security rules that enforce access policies
  • Regular Updates: Ongoing security improvements and vulnerability patches

Payment Security

Payment processing follows strict security standards:

  • We do not store card details on our servers
  • Payments are processed through PCI-DSS compliant payment gateways
  • Secure payment authentication (OTP, UPI PIN)
  • Transaction monitoring for suspicious activity

Your Role in Security

Security is a shared responsibility. We recommend:

  • Protect Your Credentials: Never share your login information
  • Use Strong Authentication: Choose strong passwords or use secure login methods
  • Keep Apps Updated: Install app updates promptly for security fixes
  • Secure Your Device: Use device lock screens and keep your device secure
  • Report Suspicious Activity: Contact us immediately if you notice anything unusual
  • Log Out: Sign out of shared devices after use

Incident Response

In the event of a security incident:

  • We have procedures in place to detect and respond to security incidents
  • Affected users will be notified as required by law
  • We will take appropriate steps to mitigate impact
  • We will conduct post-incident reviews to prevent recurrence

Responsible Disclosure

We value the security research community. If you discover a security vulnerability:

  • Please report it to us at support@1heart.in
  • Provide sufficient detail to reproduce the issue
  • Allow us reasonable time to address the issue before public disclosure
  • Do not access or modify other users' data

We appreciate responsible disclosure and will acknowledge security researchers who help us improve.

Compliance Considerations

Our security practices are designed with healthcare compliance in mind:

  • Data handling aligned with healthcare data protection principles
  • Audit capabilities for compliance requirements
  • Data retention policies in line with regulatory expectations
  • Privacy-by-design approach

Continuous Improvement

Security is an ongoing process. We continuously:

  • Monitor for new threats and vulnerabilities
  • Update our security measures
  • Review and improve our security practices
  • Train our team on security best practices

Contact Us

For security-related questions or to report a security concern:

  • Email: support@1heart.in
  • Please include "Security" in the subject line for priority handling

This Security page was last updated in December 2025. We regularly review and update our security practices.