Security & Compliance

We build security into every layer of our platform to protect your sensitive health information. Your data's safety is our highest priority.

Data Security & Encryption

We employ state-of-the-art encryption to ensure your data is protected at all times.

Encryption in Transit

All data sent between you, our app, and our servers is encrypted using TLS 1.3, the current version of the Transport Layer Security protocol. TLS protects your data from eavesdropping and tampering on the network and lets your device verify that it is talking to our servers and not an impostor.

Encryption at Rest

Your sensitive personal data, including all health and financial records, is encrypted with AES-256 while stored in our databases and file systems. This protects your data if the underlying storage media, backups, or database files are lost, stolen, or read directly without going through the application.

Secure Key Management

All encryption keys are held in access-controlled key management systems that are separate from the data they protect, so that access to the stored data alone is not enough to read it. Keys are rotated on a regular schedule.
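The arrangement these two sections describe, per-record AES-256 encryption with the keys kept in a separate, rotated store, is usually implemented as envelope encryption. The following is an added example written for this page, not the platform's own code: a hypothetical in-memory KeyStore stands in for a key management service, each record is encrypted under its own data key with AES-256-GCM, that data key is wrapped under a versioned key-encryption key (KEK), and rotation re-wraps only the small wrapped key. The record ID, the sample value and every name in it are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for a key-management system kept apart from the data (a
// KMS or HSM in production). Hypothetical helper written for this example.
type KeyStore struct {
	keks    map[uint32][]byte // key-encryption keys by version
	current uint32
}

// Record is what gets persisted next to the data.
type Record struct {
	KEKVersion uint32 // which KEK wrapped the data key
	WrappedDEK []byte // AES-256-GCM(KEK, DEK); DEK is the per-record data key
	Ciphertext []byte // AES-256-GCM(DEK, plaintext)
}

func randBytes(n int) []byte { // OS CSPRNG; a failure here is fatal by design
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // keys are fixed at 32 bytes in this code, so this is a bug
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts under a fresh random nonce, which is prefixed to the output.
func seal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to ciphertext, nonce or aad is rejected.
func open(key, data, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

func NewKeyStore() *KeyStore {
	ks := &KeyStore{keks: map[uint32][]byte{}}
	ks.Rotate() // KEK version 1 becomes current
	return ks
}

// Rotate makes a fresh KEK current; older versions stay usable until Retire.
func (ks *KeyStore) Rotate() {
	ks.current++
	ks.keks[ks.current] = randBytes(32)
}

// Retire deletes an old KEK: records still wrapped under it become unreadable.
func (ks *KeyStore) Retire(version uint32) {
	if version != ks.current { // never drop the KEK that Encrypt is using
		delete(ks.keks, version)
	}
}

// Encrypt seals the body under a fresh DEK and the DEK under the current KEK.
// recordID is bound as associated data so a wrapped DEK cannot be moved
// from one record to another.
func (ks *KeyStore) Encrypt(recordID string, plaintext []byte) Record {
	dek, aad := randBytes(32), []byte(recordID)
	return Record{
		KEKVersion: ks.current,
		WrappedDEK: seal(ks.keks[ks.current], dek, aad),
		Ciphertext: seal(dek, plaintext, aad),
	}
}

func (ks *KeyStore) unwrap(recordID string, r Record) ([]byte, error) {
	kek, ok := ks.keks[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is retired or unknown", r.KEKVersion)
	}
	return open(kek, r.WrappedDEK, []byte(recordID))
}

func (ks *KeyStore) Decrypt(recordID string, r Record) ([]byte, error) {
	dek, err := ks.unwrap(recordID, r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(recordID))
}

// Rewrap re-seals only the small wrapped DEK under the current KEK; the bulk
// ciphertext is untouched, which is what keeps routine rotation cheap.
func (ks *KeyStore) Rewrap(recordID string, r Record) (Record, error) {
	dek, err := ks.unwrap(recordID, r)
	if err != nil {
		return Record{}, err
	}
	r.KEKVersion, r.WrappedDEK = ks.current, seal(ks.keks[ks.current], dek, []byte(recordID))
	return r, nil
}

func main() {
	ks := NewKeyStore()
	rec := ks.Encrypt("patient-42", []byte("HbA1c 6.1%")) // constructed sample, not real data
	ks.Rotate()
	rec, _ = ks.Rewrap("patient-42", rec)
	fmt.Printf("record now wrapped under KEK v%d\n", rec.KEKVersion)
}
```

Two checks fall out of this design. A rotation job must rewrap every record before the old KEK is retired, because anything still wrapped under a deleted version is permanently unreadable; and because the record ID is bound as associated data, a wrapped key copied from one row into another fails to unwrap, which limits what an attacker with write access to the database can do.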

Infrastructure & Application Security

Our platform is built on a secure foundation, with security considerations in every part of our development lifecycle.

  • Secure Cloud Hosting: Our infrastructure is hosted with a leading cloud provider that is compliant with global security standards.
  • Data Segregation: We use a multi-tenant architecture that logically and (where applicable) physically isolates your data from all other users.
  • Internal Access Control: We enforce strict, role-based access controls (RBAC) for all employees. Our team can only access sensitive data on a strict, audited, need-to-know basis.
  • Secure Code Development: We integrate security reviews, vulnerability scanning, and dependency checks into our software development lifecycle (SDLC).

User Account Protection

We provide you with the tools to keep your account secure. We offer Multi-Factor Authentication (MFA) to add a powerful extra layer of security to your login. We strongly recommend all users enable this feature.

Incident Response & Breach Notification

We have a formal incident response plan in place to contain, investigate and remediate security incidents. In compliance with the Kenya Data Protection Act, we are committed to notifying the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of a data breach, and to notifying affected users without undue delay.

Compliance & Attestations

Our platform is designed to comply with the highest legal and regulatory standards.

Kenyan Data Protection Act (DPA), 2019

Our platform is built to be fully compliant with the DPA. We uphold all principles of data protection and guarantee all data subject rights as defined by the Act.

Kenyan Digital Health Act, 2023

We are fully compliant with the Digital Health Act, ensuring the security, interoperability, and mandated 20-year retention of personal health information as required by the Digital Health Agency.

Pharmacy and Poisons Board (PPB)

Our e-pharmacy services adhere to the 'Guidelines for Internet Pharmacy Services' issued by the PPB, including pharmacist verification and valid prescription requirements.

Secure Government Integrations (KRA & SHA)

Our platform securely integrates with Kenyan government services as required by law. This includes encrypted API connections to the Kenya Revenue Authority (KRA) for eTIMS invoicing and to the Social Health Authority (SHA) for health insurance processing.

International Frameworks (HIPAA-aligned)

While our primary compliance is with Kenyan law, our security controls for protecting health data are aligned with the principles and technical safeguards of international best practices, including the U.S. Health Insurance Portability and Accountability Act (HIPAA).