1. Infrastructure & Location
All Doctor's Bench EHR data — including patient records, session notes, practitioner accounts, and billing data — is stored on cloud infrastructure physically located within the Republic of Kenya. This satisfies both our own security principles and the data localisation intent of Section 50 of the Kenya Data Protection Act 2019.
| Component | Standard / Provider Type | Location |
|---|---|---|
| Primary data centre | ISO 27001-certified, Tier III | Nairobi, Kenya |
| Disaster recovery / backup | ISO 27001-certified, encrypted | Secondary Kenya location |
| CDN (static assets only) | No patient data — static UI files only | Global edge, no PHI |
| Database | Encrypted at rest, field-level encryption on PHI | Kenya (primary + replica) |
| AI processing (Smart Notes) | Isolated, ephemeral — no persistent storage | Kenya |
2. Encryption
3. Access Controls
Access to patient data is governed by a role-based access control (RBAC) model consistent with the HIPAA Minimum Necessary standard (§164.502(b)):
| Role | Access Level | Plan |
|---|---|---|
| Solo Practitioner | Full access to own clients only | Professional |
| Practitioner (Clinic) | Access to own clients; view shared records with supervisor consent | Clinic/Team |
| Supervisor | Read access to assigned team's records for supervision purposes | Clinic/Team |
| Clinic Admin | Billing, scheduling, and team management — no clinical record access | Clinic/Team |
| Convo Africa Operations | Infrastructure access only; no access to individual patient records without a documented support ticket and practitioner consent | Internal |
Two-factor authentication (2FA) is available for all accounts and is mandatory for Clinic Admin and Supervisor roles. Automatic session timeout occurs after 30 minutes of inactivity, consistent with HIPAA §164.312(a)(2)(iii).
4. Audit Logging & Monitoring
We maintain comprehensive, immutable audit logs for all access events, consistent with HIPAA's Audit Control standard (§164.312(b)) and NIST SP 800-92:
- Every login attempt (successful and failed), with timestamp and IP address
- Every access to a patient record, including the record accessed and the accessing user
- Every data export or download event
- Every Smart Notes draft generation, approval, and rejection event
- Every account configuration change
- Every administrative action by Convo Africa staff
Audit logs are stored separately from operational databases and cannot be altered or deleted by any user, including administrators. Automated anomaly detection alerts our security team to suspicious patterns — such as bulk data access, logins from unusual locations, or multiple failed authentication attempts — in real time.
5. Backup & Disaster Recovery
- Backup frequency: Full database backups daily; incremental backups every 6 hours
- Backup encryption: All backups encrypted with AES-256, separate keys from primary data
- Backup location: Geographically separate, Kenya-based secondary data centre
- Backup testing: Restore tests conducted monthly; full DR simulation conducted bi-annually
- Recovery Time Objective (RTO): <4 hours for critical patient data
- Recovery Point Objective (RPO): <1 hour (maximum data loss window)
- Retention: Backups retained for 30 days before secure deletion
6. Secure Development
- OWASP Top 10: All development follows OWASP secure coding guidelines, with mandatory security review for all code changes affecting patient data
- Penetration testing: External penetration tests conducted bi-annually by independent security firms; critical findings remediated within 48 hours
- Dependency scanning: Automated scanning for vulnerable dependencies in CI/CD pipeline; high-severity CVEs patched within 24 hours
- Secrets management: No credentials stored in source code. All secrets managed through a dedicated secrets management system with access logging
- Staging environment: All changes tested in a fully isolated staging environment using synthetic (not real patient) data before production deployment
7. Smart Notes Security
Smart Notes processes session content to generate draft clinical notes. The following specific security measures apply to AI-assisted processing:
- Ephemeral processing: Session data passed to the Smart Notes engine is processed in an isolated, ephemeral container. No data is retained by the AI processing layer after the draft note is returned to the practitioner.
- Encrypted in transit: All data passed to and from the Smart Notes engine is encrypted with TLS 1.3. The processing environment is isolated from the general internet.
- Draft expiry: Unapproved Smart Notes drafts are automatically and permanently deleted after 72 hours. They are not accessible by any other user or system.
- No model training on PHI: Patient health data is not used to train, fine-tune, or evaluate AI models without separate, documented opt-in consent from the practitioner and patient.
- Audit trail: Every Smart Notes generation, approval, edit, and rejection event is logged in the immutable audit trail.
- Human oversight mandatory: Smart Notes is architecturally designed so that no draft can be saved to a patient record without a practitioner's explicit approval action. There is no bypass or automatic-save path.
8. Compliance Mapping
| Security Control | Kenya DPA 2019 | GDPR | HIPAA | ISO 27001 |
|---|---|---|---|---|
| Encryption at rest | s.41(c) | Art.32(1)(a) | §164.312(a)(2)(iv) | A.10.1 |
| Encryption in transit | s.41(c) | Art.32(1)(a) | §164.312(e)(2)(ii) | A.13.2 |
| Access controls / RBAC | s.41(b) | Art.32(1)(b) | §164.312(a)(1) | A.9 |
| Audit logging | s.42 | Art.30 | §164.312(b) | A.12.4 |
| 2FA / authentication | s.41(b) | Art.32(1)(b) | §164.312(d) | A.9.4 |
| Automatic session timeout | s.41 | Art.32 | §164.312(a)(2)(iii) | A.11.2 |
| Backup & recovery | s.41(d) | Art.32(1)(c) | §164.308(a)(7) | A.12.3 |
| Breach notification (72hr) | s.43 | Art.33 | §164.408 | A.16 |
| Data minimisation | s.25(c) | Art.5(1)(c) | §164.502(b) | A.18.1 |
| Data stored in Kenya | s.49–50 | Art.44–49 | N/A (US law) | A.11 |
| DPIA for high-risk processing | s.31 | Art.35 | §164.308(a)(1) | A.18.1 |
| DPO designation | s.24 | Art.37 | Privacy Officer | A.18.1 |
9. Incident Response SLA
| Incident Severity | Definition | Response Time | Resolution Target |
|---|---|---|---|
| Critical (P1) | Active breach of patient data or complete Platform outage | 30 minutes | 4 hours containment; 72hr ODPC notification |
| High (P2) | Suspected breach; significant feature degradation affecting clinical use | 2 hours | 24 hours |
| Medium (P3) | Non-critical feature failure; single user data issue | 4 hours | 48 hours |
| Low (P4) | Minor bug or cosmetic issue | 1 business day | Next release cycle |
All P1 and P2 incidents are personally escalated to our DPO and CEO. Practitioners affected by P1 incidents are notified within 24 hours of confirmed impact.
10. Sub-Processors
The following categories of sub-processors are authorised under our Terms of Service. All sub-processors are bound by data processing agreements requiring equivalent security standards and prohibiting them from using data for any purpose other than providing their specified service to us:
| Category | Purpose | Data Accessed | Location |
|---|---|---|---|
| Cloud Infrastructure | Hosting and database services | All platform data (encrypted) | Kenya |
| Payment Processing | M-Pesa and card payment facilitation | Payment transaction data only (PCI-DSS compliant) | Kenya |
| SMS / Notifications | Appointment reminders and transactional alerts | Phone number and appointment time only — no clinical data | Kenya / EAC |
| Email Service | Transactional emails (invoices, account notifications) | Email address and non-clinical account data | Kenya / EAC |
| Security Monitoring | Intrusion detection and log analysis | Access logs (pseudonymised) — no patient data | Kenya |
We will notify you of any changes to our sub-processor list at least 30 days in advance. To request the current sub-processor list, contact privacy@doctorsbench.care.