Compliance posture
- Data residency: India (AWS ap-south-1, Mumbai) for both the database and object storage.
- Encryption: PHI fields are encrypted at rest with Fernet (AES-128-CBC with an HMAC-SHA256 tag, so every token is authenticated and any tampering fails on decrypt); the Fernet keys are backed by AWS KMS; files in S3 use SSE-KMS.
- Audit: every PHI access is logged; the DPO reviews logs monthly.
- NDHM/ABDM alignment: consent-driven sharing via the national Consent Manager; we are registered as both a Health Information Provider (HIP) and a Health Information User (HIU).
- PCI scope: SAQ A. Card data never touches our servers; it is collected by the payment partner's SDK. This eligibility rests on card entry staying fully outsourced to the partner: if our own pages or app ever render or handle the card form, SAQ A no longer applies and the scope widens (SAQ A-EP at minimum).
- Backups: Supabase point-in-time recovery for the database; S3 versioning plus a lifecycle transition to Glacier for files.
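The field-level scheme behind the encryption bullet, as an added example rather than the project's own code: only the PHI columns are turned into Fernet tokens, the non-PHI columns stay plaintext so they remain queryable, a modified token is rejected by the HMAC check, and MultiFernet.rotate re-wraps stored tokens after a key rotation. The column list, the patient record and the KMS step are assumptions: in production the data key would be unwrapped via AWS KMS, which here is stood in for by Fernet.generate_key().

```python
"""Field-level PHI encryption with Fernet (AES-128-CBC + HMAC-SHA256).

Added example; not the project's code. Requires the `cryptography` package.
"""
from __future__ import annotations

from typing import Any

from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Assumed column set: these hold PHI and are stored only as Fernet tokens.
# Everything else stays plaintext so it can still be indexed and filtered.
PHI_FIELDS = ("name", "phone", "diagnosis")


def encrypt_phi(record: dict[str, Any], fernet: Fernet | MultiFernet) -> dict[str, Any]:
    """Return a copy of `record` with each PHI field replaced by a Fernet token string."""
    out = dict(record)
    for field in PHI_FIELDS:
        if record.get(field) is not None:
            token = fernet.encrypt(str(record[field]).encode("utf-8"))
            out[field] = token.decode("ascii")
    return out


def decrypt_phi(record: dict[str, Any], fernet: Fernet | MultiFernet) -> dict[str, Any]:
    """Inverse of encrypt_phi; raises InvalidToken if any token fails authentication."""
    out = dict(record)
    for field in PHI_FIELDS:
        if record.get(field) is not None:
            out[field] = fernet.decrypt(record[field].encode("ascii")).decode("utf-8")
    return out


def tamper_detected(token: str, fernet: Fernet | MultiFernet) -> bool:
    """True if Fernet's HMAC-SHA256 check rejects the token (modified or wrong key)."""
    try:
        fernet.decrypt(token.encode("ascii"))
        return False
    except InvalidToken:
        return True


def rotate_phi(record: dict[str, Any], old_key: bytes, new_key: bytes) -> dict[str, Any]:
    """Re-wrap every stored token under new_key, e.g. after rotating the KMS-backed key.

    MultiFernet.rotate decrypts with any listed key and re-encrypts with the first one.
    """
    mf = MultiFernet([Fernet(new_key), Fernet(old_key)])
    out = dict(record)
    for field in PHI_FIELDS:
        if record.get(field) is not None:
            out[field] = mf.rotate(record[field].encode("ascii")).decode("ascii")
    return out


def demo() -> dict[str, bool]:
    """Exercise the scheme on a constructed record; returns checks instead of printing."""
    # Assumption: in production these keys come from a KMS Decrypt of a wrapped data key.
    old_key = Fernet.generate_key()
    new_key = Fernet.generate_key()
    f_old = Fernet(old_key)

    # Constructed sample patient row (not real data).
    patient = {"id": 42, "name": "Asha Rao", "phone": "+91-9800000000",
               "diagnosis": "T2DM", "city": "Pune"}

    stored = encrypt_phi(patient, f_old)
    token = stored["name"]
    # Flip one base64 character inside the IV/ciphertext region of the token.
    tampered = token[:30] + ("A" if token[30] != "A" else "B") + token[31:]
    rotated = rotate_phi(stored, old_key, new_key)

    return {
        "non_phi_plaintext": stored["city"] == "Pune" and stored["id"] == 42,
        "phi_not_plaintext": stored["name"] != patient["name"],
        "roundtrip": decrypt_phi(stored, f_old) == patient,
        "tamper_rejected": tamper_detected(tampered, f_old),
        "rotated_reads_with_new_key": decrypt_phi(rotated, Fernet(new_key)) == patient,
        "old_key_rejects_rotated": tamper_detected(rotated["name"], f_old),
    }


if __name__ == "__main__":
    print(demo())
```

The rotation path is the one to keep in mind when the KMS key is rotated: existing tokens are not re-encrypted by KMS on its own, so a background job has to walk the PHI columns and call rotate_phi with the old and new keys.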
For audits or security disclosures contact security@vividh.health.