Security Is Non-Negotiable
PearMedica is built security-first. Every layer of the platform — from API authentication to patient data storage — is protected by enterprise-grade security controls and strict regulatory compliance.
Regulatory Compliance
NDPA 2023 Compliant
Full compliance with the Nigeria Data Protection Act 2023, enforced at every layer.
Privacy Policy
Published & accessible
AES-256 Encryption
At rest & in transit
Consent Management
Clear opt-in flows
Data Processing Agreements
B2B template ready
Data Subject Rights
Access, deletion, export
Breach Protocol
72-hour notification
Access Logging
Immutable audit trails
Data Retention
1-year default policy
Data Protection
Encryption & API Key Security
Patient data is never stored in plain text. API keys are hashed and rotatable.
Patient Data Encryption
All patient health information (PHI) is encrypted using AES-256-GCM with per-record initialisation vectors. Data is encrypted at rest in the database and in transit via HTTPS/TLS 1.3.
Algorithm: AES-256-GCM
IV: Per-record random (16 bytes)
Auth Tag: 128-bit (tamper detection)
Key: 32-byte, loaded from the ENCRYPTION_KEY environment variable
API Key Security
API keys are bcrypt-hashed on creation — the full key is shown once and never stored. Only a display prefix (sk_live_) is retained. Keys can be rotated, revoked, and scoped to specific API operations. Rate limiting is enforced per key (default: 100 req/min).
Data De-identification
PHI Tokenization Proxy
Patient demographics are replaced with clinically safe generalizations before any data reaches third-party AI models. The LLM never sees your patients' exact identity.
How It Works
❌ Raw Patient Data
age: 28
location: lagos_nigeria
sex: female
PHI Tokenizer
Server-side only
✅ Sent to AI Model
age_group: 26-30 years
region: Southwest Nigeria
sex: female (clinical necessity)
Narrow Age Bands
Patient age is generalized to clinically precise 3-5 year bands. Paediatric ages use ultra-narrow bands (0-1, 2-4, 5-7) to preserve emergency sensitivity.
Sub-National Regions
Exact city names are replaced with sub-national geopolitical zones (e.g., Southwest Nigeria, Coastal Kenya) — preserving endemic disease context while preventing identification.
Zero PII to LLM
Original patient data stays exclusively on our servers. After the AI responds, real demographics are restored server-side for facility lookup and validation.
Compliant with NDPA 2023 (Nigeria). Security architecture aligned with HIPAA Security Rule (US) and GDPR Article 25 (EU) requirements. Formal certification available for Enterprise customers. Every response includes metadata.phi_tokenized: true for audit verification.
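The generalisation step above, as an added illustration (not PearMedica's own tokenizer code): exact age becomes a 3-5 year band with the narrow paediatric bands the page lists, the city slug becomes a sub-national zone via a lookup table, the original demographics are held only in a server-side store keyed by a random request id, and the restored response carries metadata.phi_tokenized. The city-to-region table, the paediatric bands above age 7 and the 18-20 band are assumptions.

```python
import secrets

# Constructed lookup (assumption, not PearMedica's real table): city slug -> zone.
CITY_TO_REGION = {
    "lagos_nigeria": "Southwest Nigeria",
    "ibadan_nigeria": "Southwest Nigeria",
    "kano_nigeria": "Northwest Nigeria",
    "mombasa_kenya": "Coastal Kenya",
}
# Ultra-narrow paediatric bands from the page; the bands for ages 8-17 are assumed.
PAEDIATRIC_BANDS = [(0, 1), (2, 4), (5, 7), (8, 10), (11, 13), (14, 17)]

def age_band(age: int) -> str:
    """Generalise an exact age to a 3-5 year band, e.g. 28 -> '26-30 years'."""
    if age < 0:
        raise ValueError("age must be non-negative")
    for lo, hi in PAEDIATRIC_BANDS:
        if lo <= age <= hi:
            return f"{lo}-{hi} years"
    if age <= 20:
        return "18-20 years"
    lo = 21 + ((age - 21) // 5) * 5  # 21-25, 26-30, 31-35, ...
    return f"{lo}-{lo + 4} years"

# Server-side store: request id -> original demographics. Never sent to the model.
_VAULT: dict[str, dict] = {}

def tokenize(record: dict) -> tuple[str, dict]:
    """Return (request_id, generalised payload that is safe to send to the LLM)."""
    request_id = secrets.token_hex(16)
    _VAULT[request_id] = dict(record)
    payload = {
        "age_group": age_band(record["age"]),
        # Fail closed: an unmapped city becomes 'unknown', never the raw slug.
        "region": CITY_TO_REGION.get(record["location"], "unknown"),
        "sex": record["sex"],  # retained for clinical necessity
    }
    assert not {"age", "location", "name"} & payload.keys()  # no raw PII leaves
    return request_id, payload

def restore(request_id: str, llm_output: dict) -> dict:
    """Re-attach real demographics after the model responds, for facility lookup."""
    original = _VAULT.pop(request_id)  # single use; entry is discarded afterwards
    return {"result": llm_output, "patient": original,
            "metadata": {"phi_tokenized": True}}
```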
Clinical Safety
Incident Protocol
A 4-level severity classification with strict escalation timelines, feeding a continuous-improvement review after each incident.
Near-Miss
AI error detected before patient harm.
Internal review within 7 days
Minor Harm
Temporary discomfort, no medical intervention.
Review within 48 hours
Serious Harm
Medical intervention required, no permanent damage.
Review within 24 hours, FMOH notified within 72 hours
Death / Permanent
Immediate escalation required.
Report within 24 hours
Legal Protection
Liability & Compliance
Clear contractual terms protect both PearMedica and our customers.
Decision Support, Not Diagnosis
PearMedica provides clinical decision support only. Final clinical decisions remain with licensed healthcare providers.
B2B Contract Clauses
Standard templates include indemnification, liability limitations, data protection obligations, and SLA commitments.
Professional Indemnity Insurance
Coverage for AI-driven triage recommendations and clinical decision support — protecting both PearMedica and our customers.
Disaster Recovery
RTO <8 hours, RPO <24 hours. Daily encrypted backups via Supabase. Data localisation to Nigerian data centres available for Enterprise deployments.
Questions About Security?
Our security team is available to discuss compliance requirements, data handling, and enterprise security configurations.