ArogyaSync - Clinical IoT Monitoring Platform

HIPAA Compliance

Last updated: March 2026

Our Commitment

ArogyaSync is designed with healthcare data protection at its core. While our primary operational jurisdiction is India (governed by the DPDP Act 2023), we implement safeguards aligned with HIPAA requirements for partners operating in the United States.

Technical Safeguards

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest (RDS, S3)
  • Role-based access control with JWT authentication
  • Tamper-evident blockchain audit trails for clinical data batches
  • Automatic session expiration and token revocation
  • Device-level authentication with unique JWT tokens

Administrative Safeguards

  • Designated security officer and incident response procedures
  • Comprehensive audit logging of all data access and modifications
  • GDPR-compliant data subject access request (DSAR) endpoints
  • Breach notification infrastructure and incident management
  • Regular security reviews and penetration testing

Physical Safeguards

  • AWS ap-south-1 data center with SOC 2 Type II certification
  • No local storage of PHI on edge devices beyond transient OCR processing
  • GPG-signed firmware updates to prevent unauthorized device modification

Business Associate Agreement

ArogyaSync is prepared to execute a Business Associate Agreement (BAA) with covered entities. Contact our compliance team to initiate the process.

Contact

For HIPAA-related inquiries, contact compliance@arogyasync.com.