Compliance & Security

Last updated: January 2, 2026

Disclaimer: This policy is provided for general information and does not constitute legal advice. For specific legal questions, please consult with a qualified legal professional.

1. Our Commitment to Security

At Evoli Sense, protecting your data and maintaining the security of the Clinic CRM platform is paramount. We recognize that healthcare providers handle sensitive patient information and that data breaches can have serious consequences. We have implemented comprehensive security measures across all aspects of our Service to ensure confidentiality, integrity, and availability of your data.

Our security strategy is built on defense-in-depth principles, meaning we deploy multiple layers of protection to defend against various threat vectors. Regular security assessments, vulnerability testing, and incident response procedures are integral to our operations.

2. Role-Based Access Control (RBAC)

We implement granular role-based access control to ensure that users only have access to data and features necessary for their role.

  • Predefined Roles: Clinic Start plan includes standard roles (Admin, Doctor, Nurse, Reception) with predetermined permissions.
  • Custom Roles: Clinic Grow and Enterprise plans allow clinics to define custom roles with specific permissions at the module and action level.
  • Least Privilege Principle: Users are granted the minimum permissions required to perform their job functions.
  • Role Groups: Multiple roles can be organized into groups for easier management in larger organizations.
  • Permission Matrix: Permissions can be configured at the module level (e.g., EMR, Appointments, Inventory) and action level (Create, Read, Update, Delete).

3. Audit Logging & Monitoring

Comprehensive audit logs are maintained for all access to patient data and system changes. These logs are crucial for compliance, security monitoring, and incident investigation.

  • Activity Tracking: Every access to patient records, every configuration change, and every user action is logged with a timestamp.
  • Audit Trail: A complete audit trail shows who accessed what data, when, from where, and what action was taken.
  • Retention Periods: Audit logs are retained based on your plan (Clinic Start: 15 days; Clinic Grow: 60 days; Clinic Enterprise: 180-360 days).
  • Tamper-Proof Logs: Logs are protected against unauthorized modification or deletion.
  • Real-Time Monitoring: We monitor logs in real-time to detect suspicious activities and security anomalies.

4. Data Encryption

All sensitive data is encrypted both in transit and at rest using industry-standard encryption protocols.

  • Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.2 or higher encryption, protecting against interception and man-in-the-middle attacks.
  • HTTPS/SSL: The entire platform is accessible only over secure HTTPS connections.
  • Encryption at Rest: Sensitive data stored on our servers is encrypted using AES-256 or equivalent encryption standards.
  • Key Management: Encryption keys are stored separately from encrypted data and managed securely with access controls.
  • Certificate Management: SSL/TLS certificates are issued by trusted certificate authorities and renewed regularly.

5. Multi-Tenant Isolation

The Clinic CRM platform is designed with strict multi-tenant isolation to ensure data separation and security.

  • Logical Isolation: Each clinic's data is logically isolated at the application level, with strict access controls preventing cross-tenant access.
  • Data Segregation: Patient records, clinic configurations, and user data for one clinic are completely separated from other clinics.
  • Database Isolation: At the database level, queries are scoped to the authenticated clinic, preventing data leakage.
  • API Security: All API calls include tenant-level authentication and authorization checks.
  • Regular Testing: We conduct regular security tests to verify isolation is working correctly.

6. Backups & Disaster Recovery

We maintain regular automated backups and comprehensive disaster recovery procedures to protect against data loss.

  • Automated Backups: Patient data and clinic information are backed up automatically and frequently.
  • Geographically Distributed: Backups are stored in geographically distributed locations to protect against regional failures.
  • Point-in-Time Recovery: We maintain multiple backup snapshots to allow recovery to specific points in time.
  • Backup Testing: Regular backup restoration tests are performed to ensure backups are valid and recoverable.
  • Recovery Time Objective (RTO): In case of a data center failure, we aim to restore service within 4 hours.
  • Recovery Point Objective (RPO): Data loss in case of failure is limited to the last backup (typically within the last hour).

7. Vulnerability Management

We proactively identify and remediate security vulnerabilities to maintain a secure platform.

  • Regular Assessments: We conduct periodic security assessments and penetration testing to identify vulnerabilities.
  • Code Review: Security-focused code reviews are performed on all new code before deployment.
  • Dependency Updates: Third-party libraries and dependencies are regularly updated to patch known vulnerabilities.
  • Vulnerability Disclosure: We follow responsible disclosure practices for reported security issues.
  • Patch Management: Security patches are deployed promptly, with critical patches deployed within 48 hours.

8. Infrastructure Security

Our hosting infrastructure is secured with multiple layers of protection.

  • Cloud Platform: We utilize major cloud providers (AWS, Google Cloud, or Azure) with built-in security features.
  • Network Security: Firewalls, intrusion detection systems, and DDoS protection are in place.
  • Access Controls: Physical and logical access to servers is restricted and monitored.
  • Load Balancing: Traffic is distributed across multiple servers for redundancy and performance.
  • API Rate Limiting: API endpoints are rate-limited to prevent abuse and brute force attacks.

9. Regulatory Alignment & Compliance

While Clinic CRM is not certified against specific healthcare regulations, our platform is designed with healthcare compliance principles in mind.

  • GDPR Principles: We adhere to privacy-by-design principles similar to GDPR, including data minimization, purpose limitation, and storage limitation.
  • HIPAA-Aligned Best Practices: Our security controls are aligned with concepts from HIPAA, including encryption, access controls, and audit logging.
  • Indian IT Act: Our platform complies with the Indian Information Technology Act, 2000, and applicable data protection guidelines.
  • Data Protection: We implement security and privacy measures aligned with modern data protection standards.
  • Data Residency: Data is stored within India by default, with options for other regions available upon request.

Important Note: For specific regulatory compliance needs (e.g., HIPAA compliance, GDPR compliance), please contact us to discuss your requirements and available options.

10. Employee Security & Access

We implement strict controls over employee access to customer data.

  • Background Checks: All employees undergo background checks before employment.
  • Need-to-Know Basis: Employees only have access to customer data necessary for their role (e.g., support staff assisting with technical issues).
  • Access Logging: All employee access to customer data is logged and monitored.
  • Confidentiality Agreements: All employees sign confidentiality and security agreements.
  • Training: Security and privacy training is provided to all employees, with additional training for roles handling customer data.

11. Enterprise Security Features

Enterprise plan customers have access to additional security and compliance features:

  • Single Sign-On (SSO): Integration with your organization's identity provider (SAML 2.0, OAuth 2.0) for centralized authentication.
  • Advanced Audit Logs: Custom retention periods (up to 360 days) and detailed logging of all activities.
  • Data Processing Agreement (DPA): A comprehensive DPA is available for organizations with specific data protection requirements.
  • Service Level Agreement (SLA): Enterprise customers receive guaranteed uptime and support response times.
  • Custom Retention Policies: Flexible data retention and deletion policies tailored to your needs.
  • Dedicated Account Management: A dedicated security and support contact for your organization.
  • Security Assessments: Periodic security assessments and compliance reports can be provided.

12. Incident Response

In the unlikely event of a security incident, we have a comprehensive incident response plan:

  • Detection: Continuous monitoring to detect security incidents in real-time.
  • Response Team: Immediate activation of the incident response team upon detection.
  • Investigation: Thorough investigation to determine the scope and impact of the incident.
  • Notification: Affected customers are notified promptly with details about the incident and recommended actions.
  • Mitigation: Swift actions taken to contain the incident and prevent further damage.
  • Post-Incident: After-action review to identify lessons learned and improve security.

13. Responsible Disclosure

We welcome reports of security vulnerabilities and follow responsible disclosure practices.

If you discover a security vulnerability in the Clinic CRM platform, please report it to:

Email: security@evolisense.com

Please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact of the vulnerability
  • Your contact information for follow-up

We commit to acknowledging your report within 24 hours and providing updates on our investigation and remediation efforts. Please do not publicly disclose the vulnerability until we have had time to address it.

14. Third-Party Security

We carefully vet and manage third-party vendors who have access to our systems or customer data.

  • Vendor Assessment: All vendors undergo security assessments before engagement.
  • Data Processing Agreements: All vendors sign data processing agreements with strict data protection requirements.
  • Regular Audits: We conduct periodic audits of critical vendors.
  • Liability: Vendors are required to maintain appropriate liability insurance.

15. Contact Us

For questions about security, compliance, or to discuss your specific compliance requirements, please contact us at:

Evoli Sense Security & Compliance Team
Email: security@evolisense.com
General Support: support@evolisense.com
Website: https://evolisense.com

We are committed to maintaining the highest standards of security and compliance to protect your clinic's data and patient information.