Security & Compliance
How we isolate your data, control access, and keep sensitive health information safe.
Effective date: 7 July 2026
TriAxis360 handles sensitive health data for clinics, doctors, and patients across multiple organisations on shared infrastructure. This page explains the architecture and practices we use to keep each organisation's data isolated, controlled, and auditable.
1. Multi-tenant data isolation
Every healthcare entity and clinic group is a distinct tenant. Data is scoped to the tenant at the database and application layer, so one clinic's records, patients, and staff are never visible to another. Clinic-group (HQ) views aggregate only the branches that belong to that group.
2. Role-based access control
Every user, owner, admin, doctor, reception, pharmacy staff, or patient, has a role with a defined set of permissions. Access to records, billing, and settings is gated by role, so staff only see what their job requires.
3. Audit logging
Access to and changes made to clinical and billing records are logged. Audit trails are append-only from the application's perspective, so there is a durable record of who accessed or changed what, and when.
4. Encryption
Data is encrypted in transit using TLS. Sensitive credentials and secrets are encrypted at rest. We continue to extend encryption-at-rest coverage as the platform grows.
5. Data residency & hosting
Your data is hosted with reputable cloud infrastructure providers under contractual confidentiality and security obligations. We work towards keeping health data hosted within India wherever practical, consistent with DPDP-aligned practices, and will publish specific data-centre details here as our infrastructure setup is finalised for general availability.
6. Backups
We take regular backups of production data as part of our operational practice so that clinical and billing records can be recovered in the event of an incident. Detailed backup frequency and retention commitments will be published here ahead of general availability.
7. Data export & deletion on exit
If you choose to leave TriAxis360, you can request an export of your organisation's data in a portable format. Once export is confirmed, we delete or anonymise your data from active systems within the timeframes required by applicable law, subject to any records we must legally retain.
8. DPDP alignment
As an India-first platform, we align our data-handling practices with the Digital Personal Data Protection Act, 2023 (DPDP Act): purpose limitation, data minimisation, and honouring data principal rights such as access, correction, and grievance redressal. For patient and clinical data, the healthcare entity is the data fiduciary and TriAxis360 processes that data as their processor, under our agreement with them.
9. Voice scribe: how audio is processed
The real-time voice scribe transcribes what the doctor says during a consultation to draft the note. Recording only starts with the doctor's awareness and consent within the app, the audio is processed solely to generate the transcript, and the doctor reviews and edits the draft before it is saved to the patient record. Audio is not used to make autonomous clinical decisions.
10. AI output is always reviewed
Every AI-assisted output on the platform, consultation drafts, diagnostic report summaries and abnormality flags, and patient timeline trend analysis, is a draft or a flag for a human clinician. The doctor reviews and approves everything before it becomes part of the record. AI does not diagnose, prescribe, or act autonomously.
Contact us
Questions about this document or your data? Reach our team at connect@triaxis360.com or +91 7977701799.