We take the protection of your health data seriously. Here's exactly how we keep it safe.
Zenia Care is built on the principle that healthcare data deserves the highest level of protection available. We treat every piece of information on our platform — from appointment records to voice-generated clinical notes — as sensitive by default.
Our security programme covers people, processes, and technology. We continuously evaluate and improve our controls to stay ahead of emerging threats, and we hold ourselves accountable through independent audits and certifications.
All data transmitted to and from Zenia is encrypted in transit using TLS 1.2 or higher. We enforce HTTPS across all endpoints and reject connections over older or insecure protocols.
All data stored on our servers is encrypted at rest using AES-256, including database volumes, backup snapshots, and object storage. Encryption keys are managed via a dedicated key management service (KMS) with strict access policies and automatic key rotation.
Zenia enforces a least-privilege access model across all systems. Users — both internal employees and external platform users — are granted only the permissions necessary for their specific role. Access is reviewed regularly and revoked immediately upon role change or offboarding.
All administrative access to production systems requires multi-factor authentication (MFA). We do not permit shared credentials or password reuse. Privileged access to patient data is logged in full and subject to automated anomaly detection.
Zenia's infrastructure is hosted on enterprise-grade cloud platforms that maintain their own comprehensive security certifications. Our architecture is designed for isolation, redundancy, and resilience.
We use network segmentation to separate environments (development, staging, production) and apply strict firewall rules to limit inter-service communication to the minimum required. All cloud resources are managed through infrastructure-as-code (IaC) to ensure consistency and auditability.
Security is embedded throughout our software development lifecycle (SDLC). Every code change undergoes automated security testing before deployment. Our engineering team follows secure coding standards aligned with OWASP guidelines.
We conduct regular penetration tests by accredited third-party security firms. Critical findings are remediated within 48 hours; high-severity findings within 7 days. All findings are tracked to resolution.
By default, all patient data and clinical records are stored within data centres located in India, in compliance with applicable data localisation requirements. We do not transfer personal health information outside of your designated region without explicit consent or legal basis.
Backups are performed daily and are encrypted and stored in geographically separate locations. Backup integrity is verified on a regular schedule. Data is retained for the period required by applicable law and our contractual obligations, and is securely deleted thereafter.
Zenia is designed to align with healthcare data protection standards including HIPAA (Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation) where applicable to our customers and data subjects.
We maintain detailed records of our data processing activities and undergo periodic independent audits to verify compliance. Our data processing agreements (DPAs) are available upon request for enterprise customers.
Zenia maintains a formal incident response plan that is tested at least twice per year through tabletop exercises. Our security team monitors systems 24/7 using automated threat detection and alerting.
In the event of a confirmed data breach affecting your personal health information, we will notify you without undue delay and within the timeframe required by applicable law (typically 72 hours for GDPR; 60 days for HIPAA). Notifications will include the nature of the incident, the data affected, and the steps we are taking to mitigate harm.
Every Zenia employee and contractor who may access patient data undergoes a thorough background verification before being granted access. All staff complete mandatory security awareness training at onboarding and annually thereafter.
Access to production systems is provisioned on a need-to-know basis and is logged at all times. Employees are bound by confidentiality obligations and data handling policies. Access is revoked on the day of departure.
We welcome responsible disclosure of security vulnerabilities. If you have discovered a potential security issue in our platform, we ask that you report it to us privately so that we can investigate and remediate it before any public disclosure.
Please submit vulnerability reports to our security team via our Contact Us page, clearly marked "Security Vulnerability Report." We commit to acknowledging your report within 2 business days and providing a remediation timeline within 7 business days.
While Zenia takes extensive measures to protect your data, security is a shared responsibility. The following practices will help you maintain the security of your Zenia account:
If you suspect your account has been compromised, please contact us immediately via our Contact Us page and we will take immediate steps to secure your account.
For security-related enquiries, vulnerability disclosures, or to request our security documentation (including DPAs or BAAs), please reach out to us through the following channel:
