
ShifaOne.Health Security & Data Protection Policy

Effective Date: February 1, 2025
Last Updated: February 1, 2025

1. Introduction

ShifaOne.Health ("ShifaOne," "we," "our," or "us") is committed to ensuring the highest standards of data security, privacy, and legal compliance in the handling of personal and medical information. We recognize the sensitive nature of healthcare data and are dedicated to protecting user information through robust security controls, ethical data management, and compliance with Pakistani data protection laws.

This Security & Data Protection Policy outlines our practices, responsibilities, and limitations of liability in safeguarding information stored, processed, or transmitted through our platform.

 

2. Scope

This policy applies to all users, employees, contractors, service providers, and affiliated entities who access, process, or store data through the ShifaOne platform.

 

3. Data Protection & Security Framework

3.1 Principles of Data Collection & Processing

We adhere to the following data protection principles:

User Control: Users have the ability to manage, modify, or delete their stored medical records.

Purpose Limitation: We collect only the necessary data required for the core functionality of our services.

Transparency: Our data processing methods are clearly communicated to users.

Data Accuracy: We strive to ensure that stored records remain accurate and up to date.

Minimal Data Retention: We do not retain data longer than required for service purposes.

No Unauthorized Access: We implement stringent access controls to prevent unauthorized access to personal data.

 

3.2 User Rights & Responsibilities

Users of ShifaOne have the following rights:

Right to Access: Users can request access to their medical records.

Right to Modify: Users can update their records to reflect accurate health information.

Right to Delete: Users may request deletion of their records, except where retention is required by law.

Right to Restrict Processing: Users may limit how their data is used.

Right to Data Portability: Users can export their data in a readable format.

User Responsibility

While ShifaOne implements state-of-the-art security measures, users are solely responsible for safeguarding their account credentials and ensuring that their personal devices are secure. Any unauthorized access due to weak passwords, sharing of credentials, or insecure personal device usage is the user’s responsibility.

 

4. Data Security Measures

4.1 Secure Access & Authentication

Multi-Factor Authentication (MFA) is required for user logins.

Role-Based Access Control (RBAC) ensures that only authorized personnel can access sensitive data.

Automatic Logout mechanisms prevent unauthorized access due to inactivity.

 

4.2 Data Encryption

At-Rest Encryption: All stored health records are encrypted using AES-256.

In-Transit Encryption: Data transmitted between users and servers is secured using TLS 1.3 encryption.

End-to-End Encryption (E2EE): Secure transmission prevents unauthorized interception.

 

4.3 Database Security & Tokenization

Personal health information is tokenized, ensuring that sensitive data remains protected even in the event of a system breach.

4.4 Continuous Security Monitoring & Auditing

24/7 monitoring for unauthorized access attempts, unusual activity, and system vulnerabilities.

Periodic penetration testing and internal security audits.

 

5. Legal Compliance & Data Retention

5.1 Legal Compliance Within Pakistan

ShifaOne operates exclusively under Pakistani law and adheres to applicable health data protection regulations. Any legal disputes arising from data privacy concerns shall be governed solely by Pakistani jurisdiction.


5.2 Data Retention & Deletion Policy

Medical records are stored only as long as necessary to provide our services.

Users may request deletion of their data at any time, except where retention is mandated by Pakistani law.

Upon account termination, all data is securely purged from our systems within 90 days.

 

6. Third-Party Services & Cross-Border Data Handling

6.1 Third-Party Vendor Security

ShifaOne may engage third-party service providers for cloud storage, analytics, or customer support. We ensure that all third parties:

Adhere to industry security standards.

Do not access, process, or share user data without explicit permission.

 

6.2 Data Storage & Localization

All user health data is stored within Pakistan unless explicit consent is obtained for storage in other jurisdictions.

Cross-border data transfers will be avoided unless absolutely necessary and permitted by law.

 

7. Liability & Disclaimer

7.1 No Liability for Data Loss or Breach

ShifaOne employs industry-standard security measures to safeguard user data; however, no system is immune to cyber threats. By using our services, users acknowledge that ShifaOne is not liable for any:

Unauthorized access due to credential misuse, hacking, or data breaches beyond our control.

Loss of medical records due to user error or device malfunction.

Service disruptions, downtime, or technical failures affecting data access.

 

7.2 No Liability for Medical Decisions

ShifaOne is a health information storage service and does not provide medical advice, diagnoses, or treatment recommendations. Users are solely responsible for consulting qualified healthcare professionals before making medical decisions.

 

7.3 Indemnification Clause

Users agree to indemnify and hold harmless ShifaOne, its directors, employees, and affiliates against any legal claims, damages, or liabilities arising from:

Misuse of stored health data.

Unauthorized data sharing by users.

Reliance on stored records for medical treatment without consulting professionals.

 

8. Security Breach Notification & Incident Response

8.1 Incident Detection & Response

Security threats are monitored 24/7.

In case of a suspected breach, affected systems are immediately isolated.

 

8.2 User & Regulatory Notifications

Affected users will be notified within 48 hours of a confirmed data breach.

Regulatory bodies will be informed where required by Pakistani law.

 

9. Policy Review & Updates

This policy is reviewed annually and updated based on:

Changes in Pakistani regulations.

Technological advancements in cybersecurity.

User feedback and security audits.


10. Contact & Support

For security concerns, data requests, or policy inquiries, contact:

Data Protection Officer (DPO):
[Name]
[Email]
[Phone]
[Office Address]
 

By using ShifaOne, users acknowledge that they have read and agreed to this Security & Data Protection Policy.
