MyHealthX Security

How we protect your medical data

Last updated: April 2026

MyHealthX is built with security as a foundation, not an afterthought. Your medical data is protected by multiple layers of security controls including encryption, access controls, audit logging, and monitoring. We continuously work to strengthen our security practices.

🔐

Data Encryption

Field-level encryption (AES-256-GCM)
Sensitive medical data — phone numbers, emergency contacts, allergies, medications, and medical conditions — are encrypted before storage. Even direct database access shows only encrypted values.
HTTPS everywhere
All supported traffic between your device and our servers is encrypted using HTTPS/TLS.
Data protection at rest
Data stored in our infrastructure is protected with encryption at rest as provided by our cloud infrastructure provider.
🛡️

Access Control

Phone-based authentication
Login requires OTP verification sent to your registered phone number via WhatsApp or SMS. No passwords to steal.
Strict data isolation
You can only access your own medical data. Our database rules enforce this at the infrastructure level — not just in the application.
Admin authentication
Administrative access is controlled using Firebase Custom Claims and is limited to authorized accounts. Admin actions are logged and monitored.
Doctor verification
Healthcare providers must register and receive manual admin approval before accessing any patient data.
🚨

Emergency Page Security

4-minute session tokens
When your QR is scanned in an emergency, the session expires after 4 minutes. Bookmarking the page does not work — a fresh scan is always required.
Masked phone numbers
Emergency contacts are shown with masked phone numbers (e.g., 910XXXX66). Full numbers are never exposed in the browser.
Server-side call routing
When someone calls your emergency contact through the scan page, the call routes through our server — the actual phone number never appears in the browser.
Rate limiting
Emergency page access is rate-limited to prevent abuse. Every scan is logged with timestamp and anonymised IP address.
🔍

Upload Security

Virus scanning
Uploaded files are routed through scanning controls where enabled before acceptance. Infected files are rejected.
File type verification
We verify file content at the byte level (magic byte check), not just the file extension. This prevents renamed malware from bypassing filters.
Strict type whitelist
Only JPG, PNG, and PDF files are accepted. All other file types are blocked.
Size limits
Maximum file size is 10 MB per upload.
📊

Monitoring & Alerting

Real-time security alerts
Suspicious activity triggers instant alerts to our security team — including repeated failed logins, unusual access patterns, and virus detections.
Complete audit trail
Every login, profile edit, report upload, emergency scan, and administrative action is logged with timestamp and device information.
Automated anomaly detection
Per-IP and per-phone rate limiting automatically blocks brute force attacks on login and OTP verification.
🌐

Infrastructure Security

Data residency
Our primary Firebase infrastructure is configured in the Mumbai, India (asia-south1) region. Some service providers may process limited operational metadata according to their service terms.
Security headers
Our platform enforces HSTS, Content Security Policy, X-Frame-Options, and other security headers to prevent common web attacks.
No third-party data sharing
Your medical data is never shared with advertisers, analytics providers, or any third party. Virus scanning happens on our own infrastructure.
Webhook verification
All incoming webhooks are verified using HMAC-SHA256 signatures to prevent tampering.
📋

Compliance

DPDPA 2023
We comply with India's Digital Personal Data Protection Act, 2023. You have the right to access, correct, and delete your data at any time.
Consent-based processing
We collect your data only with explicit, informed consent. You can withdraw consent at any time through your dashboard.
Right to erasure
You can delete your account and all associated data. Deletion is processed within 30 days, with a recovery window if you change your mind.
Breach notification
In the event of a data breach, we will notify the relevant authorities and affected users as required under applicable law, including the DPDPA 2023.

Responsible Disclosure

If you discover a security vulnerability in our platform, please report it responsibly to security@myhealthx.co.in. We take every report seriously and will respond within 48 hours. Please do not publicly disclose vulnerabilities before we have had an opportunity to address them.

Questions about our security practices?

support@myhealthx.co.in

MyHealthX Private Limited — The Next-Gen Care.