Security Policy - SmartCarePlus
1. Introduction
At SmartCarePlus, protecting your data and ensuring the confidentiality, integrity, and availability of healthcare information is our top priority.
SmartCarePlus is operated by Smart Code Junction Infinity Private Limited (“Company”, “we”, “our”), registered under the Ministry of Corporate Affairs, Government of India (CIN: U62099UP2025PTC230480).
This Security Policy describes our approach to data protection, infrastructure security, encryption, monitoring, and compliance for all SmartCarePlus products and services.
2. Scope
This policy applies to:
- All systems, applications, and APIs under the SmartCarePlus domain and subdomains.
- All users and entities including Patients, Clinics, Labs, Pharmacies, Doctors, and Radiologists.
- All environments where SmartCarePlus data is stored, transmitted, or processed (including cloud infrastructure, databases, and backups).
3. Security Frameworks & Compliance
SmartCarePlus follows global and national standards for data security and privacy, including:
- ISO/IEC 27001 – Information Security Management best practices.
- HIPAA-inspired controls – For handling medical and sensitive personal data.
- NIST Cybersecurity Framework – For risk assessment and incident response.
- Indian IT (SPDI) Rules 2011 – For sensitive personal data protection.
- DPDP Act, 2023 – For data minimization, storage limitation, and lawful processing.
4. Infrastructure & Hosting Security
4.1 Data Centers & Regions
-
Indian users: Data stored in Mumbai (India) region.
-
International users: Data stored in US Central region.
-
Backups are created in the same region as primary data (no cross-border replication).
-
Hosting providers:
- Google Cloud Healthcare (for health data)
- Google Cloud Storage (for encrypted files)
- Hostinger VPS (India) (for configurations and scheduling metadata)
4.2 Physical Security
- Cloud vendors ensure ISO 27001 and SOC 2 Type II certified physical environments.
- All data centers have 24/7 security, biometric access control, and CCTV monitoring.
5. Data Encryption
| Stage | Encryption Method | Description |
|---|---|---|
| In Transit | TLS 1.3 / HTTPS | All client–server communications are encrypted using Transport Layer Security. |
| At Rest | AES-256 | All patient and facility data stored on databases or cloud storage is encrypted using AES-256 encryption. |
| Backups | AES-256 + Region Lock | Backups are encrypted and region-restricted to prevent unauthorized replication. |
| Media Files | Google Cloud Server-Side Encryption | Documents, DICOM scans, and reports are encrypted before upload. |
6. Access Control & Authentication
- Role-Based Access Control (RBAC): Access is restricted by role — Patient, Clinic, Doctor, Lab, Pharmacy, Radiologist, or Admin.
- Least Privilege Principle: Every employee and system has only the minimum required permissions.
- Multi-Factor Authentication (MFA): Mandatory for internal admin access and system dashboards.
- Audit Logs: Every access, data update, and login event is recorded with timestamps.
- Session Management: Idle sessions auto-expire, and tokens are rotated regularly.
7. Data Segregation
- Data belonging to one facility or patient is logically separated from others.
- Each organization has isolated storage and database records with unique IDs.
- APIs enforce authorization using secure tokens and layered authentication middleware.
8. Application & Network Security
8.1 Application Security
- Secure coding practices aligned with OWASP Top 10 standards.
- Automatic input validation and output sanitization prevent SQL Injection and XSS attacks.
- Dependencies are regularly scanned for vulnerabilities.
8.2 Network Security
- Firewalls and VPC isolation protect backend servers.
- Regular patching of servers and load balancers.
- Network access restricted using allow-lists and VPNs for administrative access.
9. Monitoring & Intrusion Detection
- Continuous 24/7 monitoring for abnormal behavior and access attempts.
- Automated alerts for unauthorized login, brute-force attempts, and unusual traffic spikes.
- Integration with cloud provider’s Security Command Center for real-time threat detection.
10. Security Audits & Testing
- Quarterly security audits are performed internally and by external cybersecurity partners.
- Penetration testing is conducted bi-annually across production and staging environments.
- Vulnerability disclosure program (VDP): Researchers can responsibly report vulnerabilities at security@smartcodejunctioninfinity.com.
11. Data Backup & Disaster Recovery
- Daily incremental and weekly full backups.
- Backups stored in encrypted regional vaults with integrity checks.
- Disaster recovery (DR) plan tested semi-annually to ensure RTO < 6 hours and RPO < 24 hours.
- Automatic failover between cloud instances for critical components.
12. Incident Response & Breach Management
In case of a data breach or security incident:
- Immediate containment and root-cause analysis are initiated.
- Impact assessment and risk evaluation are performed.
- Affected systems are isolated, and credentials rotated.
- Notification sent to affected users and authorities as per legal obligations.
- Full post-incident report is documented and improvements tracked.
Incident response timeline: Initial notification within 72 hours of confirmed breach.
13. Employee & Internal Security
- All employees undergo security background checks before onboarding.
- Mandatory annual information security training and confidentiality agreements.
- Restricted internal data access; production data is never used in testing environments.
- Monitoring of insider threats through behavioral anomaly detection.
14. Third-Party Security & Compliance
SmartCarePlus works with trusted, globally recognized providers:
| Third Party | Service | Compliance |
|---|---|---|
| Razorpay | Payment gateway | PCI DSS compliant |
| Meta (WhatsApp Cloud API) | Communication delivery | GDPR compliant |
| Google Cloud Healthcare | Data storage | HIPAA & ISO 27001 certified |
| AWS | Reminders scheduler | ISO 27001 certified |
| Hostinger VPS | Configurations | ISO 27001 certified |
| Firebase Cloud Messaging (FCM) | Notifications | ISO 27001 compliant |
Each partner enforces security and privacy standards at par with global benchmarks.
15. Data Retention and Destruction
- Data retained for 7 years or as required by healthcare regulations.
- Secure deletion via cryptographic erasure for expired or user-deleted data.
- Hard drives and backup media are sanitized before disposal.
- Audit logs of all deletion activities are maintained.
16. Cross-Border Data Transfers
- Data of Indian users is not transferred outside India.
- International users’ data resides in their regional servers (US Central).
- Cross-border transfers occur only through Standard Contractual Clauses (SCCs) ensuring equivalent data protection.
17. Security Responsibilities of Users
To maintain security:
- Do not share account credentials or OTPs.
- Use secure devices and updated browsers.
- Log out after each session.
- Report suspicious activity to security@smartcodejunctioninfinity.com immediately.
18. Continuous Improvement
SmartCarePlus continuously evaluates and enhances its security posture. Regular reviews of this Security Policy ensure alignment with evolving technologies, threats, and regulations.
19. Reporting Security Concerns
If you believe you have found a vulnerability or security flaw in SmartCarePlus:
- Email security@smartcodejunctioninfinity.com or grievance@smartcodejunctioninfinity.com
- Include a brief description, screenshots, and reproduction steps (if applicable). We will acknowledge receipt within 48 hours and keep you informed of progress.
20. Linked Documents
This Security Policy should be read with:
21. Contact
Smart Code Junction Infinity Pvt. Ltd. ✉️ security@smartcodejunctioninfinity.com 🌐 https://smartcodejunctioninfinity.com
© Smart Code Junction Infinity Private Limited
All rights reserved. SmartCarePlus is a product of Smart Code Junction Infinity Pvt. Ltd. https://smartcareplus.in