Security Policy
Last updated: 18 May 2026
This policy describes how CaladriusHealth.AI protects Customer Data — consistent with our obligations under Section 8(5) of the Digital Personal Data Protection Act, 2023 (DPDPA).
Infrastructure and Data Residency
All Customer Data is processed and stored on-premises within India. We do not use third-party cloud services for Customer Data storage. On-premises AI inference is our default. When optional cloud AI features are used (Anthropic Claude, Google Gemini), they receive only the minimum data necessary for the specific inference task and are not permitted to retain it.
Encryption
- In transit: End-to-end encryption for all data moving between clients and our systems
- At rest: All stored Customer Data is encrypted at rest
- Credentials: Sensitive authentication data is encrypted at the database level
Access Control
- Role-based access control (RBAC) with formally documented roles
- Multi-factor authentication (MFA) required for all employee access to production systems
- Principle of least privilege — employees access only what their role requires
- All production system access is logged and monitored
- Access rights reviewed quarterly; revoked immediately on departure
Network Security
- Network segmentation between production, staging, and development environments
- Firewall and intrusion detection systems in place
- Regular vulnerability scans
- Penetration testing at least annually
AI Security
- AI inference is isolated per customer — no cross-customer data leakage through AI features
- Prompt injection risks are actively monitored and mitigated
- All AI sub-processors are vetted for security practices before engagement
- AI inputs and outputs are logged for security audit purposes
Incident Response
In the event of a personal data breach (as defined in Section 2(u) of the DPDPA), CaladriusHealth will:
- Investigate and contain the breach without undue delay
- Notify the Data Protection Board of India as required under Section 8(6) of the DPDPA
- Notify affected Customers within 72 hours of becoming aware of the breach
- Maintain a record of all incidents in an internal incident register
Physical Security
Our on-premises infrastructure is housed in facilities with controlled physical access, CCTV monitoring, and restricted entry for authorised personnel only.
Employee Security
- Security awareness training for all employees on joining and annually thereafter
- All staff sign confidentiality agreements before accessing production systems
- Background verification conducted for roles with access to Customer Data
Business Continuity
- Daily backups of all Customer Data
- Backup restoration tested regularly
- Business continuity and disaster recovery plan reviewed annually
Certifications
| Certification | Status |
|---|---|
| ABDM HIP/HIU Registration | Active |
| CERT-In Empanelment | In progress |
| ISO 27001 | In progress |
| SOC 2 Type II | In progress |
Audits
Customers may request an audit of our security practices with a minimum of 15 days’ written notice, limited to matters directly relevant to Customer Data, and no more than once per calendar year.
Security contact: Connect@caladriushealth.ai