Security & Data Protection
We protect personal and health information with layered technical and organisational safeguards, aligned to POPIA and good industry practice. This page summarises how we secure the platform and how to reach us with security questions.
Why doctors ask about security
- Confidentiality duties: Healthcare professionals must protect patient information and assess partner security.
- Legal obligations: POPIA requires “appropriate, reasonable” safeguards and breach notifications.
- Clinical risk: Integrity and availability of records impact care quality and continuity.
- Reputation & trust: Clear security practices help providers and patients trust the platform.
Our security commitments
- Maintain layered technical and organisational measures against loss, damage, unauthorised access, or unlawful processing.
- Limit access via role‑based access control (RBAC) and the principle of least privilege; staff use MFA.
- Encrypt data in transit (TLS 1.2+) and, where supported by our providers, at rest.
- Log access and key actions for auditability and security investigations.
- Regularly back up critical data and test restore procedures.
Note: We purposely avoid publishing sensitive internal details; additional documentation can be shared under NDA on request.
Technical controls (high‑level)
- Transport security: HTTPS/TLS, HSTS, and secure cookie flags.
- Application security: input validation, parameterised queries, output encoding, CSRF protections.
- Authentication: hashed passwords, session hardening, optional MFA where available.
- Secrets management: environment‑level secrets; no credentials in code repositories.
- Security headers: CSP (where feasible), Referrer‑Policy, X‑Content‑Type‑Options.
- Network protections: provider WAF/rate‑limiting; bot/abuse detection.
Organisational measures
- Access governance: joiner‑mover‑leaver process; least privilege; periodic reviews.
- Policies & training: confidentiality, acceptable use, incident response, POPIA awareness.
- Vendor management: due diligence for sub‑processors; DPAs and confidentiality undertakings.
- Data lifecycle: defined retention and deletion procedures for records.
Hosting & data handling
- Hosted with reputable cloud providers; physical security and infrastructure controls handled by the provider.
- Backups and monitoring for availability; recovery time objectives defined for key systems.
- Payment data is processed by trusted payment gateways; card data is not stored on our servers.
Application security practices
- Secure SDLC with code review and dependency scanning.
- Library updates and vulnerability patching aligned to risk.
- Test environments separated from production; limited test data.
Incident response & breach notification
- Detect, contain, and eradicate incidents following a documented playbook.
- Assess impact and notify affected individuals and the Information Regulator where required by law.
- Post‑incident review and corrective actions.
Responsible vulnerability disclosure
If you believe you’ve found a security vulnerability, please email security@mzansidoctors.com with details and steps to reproduce. Do not publicly disclose the issue before we’ve had a chance to investigate and remediate. We’ll acknowledge receipt and keep you updated.
For urgent issues, include “URGENT” in the subject line. Please avoid accessing patient data or degrading service during testing.
Sub‑processors
We rely on carefully selected service providers for infrastructure, payments, email, and (if enabled) analytics or messaging. Each provider is bound by data processing terms and confidentiality commitments. A current list is available upon request.
Patient data rights
- Access, correction, objection, restriction, and deletion requests are handled under POPIA and our Privacy Policy.
- Use privacy@mzansidoctors.com for data subject requests.