HIPAA Compliant · NDPR Certified · Google Cloud Premium Tier

Enterprise-Grade Security

Your health records are protected by military-grade encryption, patient-controlled OTP access, and the world's most secure cloud infrastructure. We built Medtrix so that only you decide who sees your data — and for how long.

Get Started SecurelyView Compliance

You Control Who Sees Your Data

Unlike traditional health systems where providers have unrestricted access, Medtrix puts patients in complete control. Your records are locked by default — doctors must request access, and you must explicitly grant it via OTP for every session.

Patient-Controlled Access
No doctor, nurse, or staff member can view your health records without your explicit permission. You decide who sees your data and when.
OTP-Gated Retrieval
To access your records during a consultation, you must generate a One-Time Password from your dashboard and share it with your doctor. Without your OTP, your data stays locked.
Time-Limited Sessions
Once a doctor accesses your records via OTP, the session is time-bound to the consultation. When the consultation ends, access is automatically revoked — no persistent access is retained.
Read-Only, No Export
Doctors view records in a secure, read-only interface. Copy, download, screenshot, and print functions are restricted. Data exists only in the secure session — nothing is stored on the doctor's device.
Full Audit Trail
Every time someone accesses your records, it's logged permanently — who, when, what they viewed, and from where. You can review your access history from your patient dashboard at any time.
Revocable Permissions
You can revoke a doctor's or facility's access to your records at any time from your account settings. Revocation is immediate and permanent until you re-authorize.

Comprehensive Security Features

Multiple layers of protection keep your healthcare data safe and secure.

AES-256 Encryption at Rest
Active
All health records, personal data, and sensitive information are encrypted using AES-256 — the same standard used by governments and military organizations worldwide. Data is unreadable without the correct decryption keys.
TLS 1.3 Encryption in Transit
Active
Every connection between your device and our servers is secured with TLS 1.3 — the latest transport encryption protocol. No data travels unencrypted, whether from web, mobile, or USSD channels.
OTP-Verified Data Access
Active
Doctors cannot view patient records without explicit patient consent via a One-Time Password (OTP). Patients must generate and share an OTP before any healthcare provider can access their data — putting patients in full control.
Transient Doctor Access
Active
When doctors access patient records via OTP, data is displayed in a read-only, session-bound view. Doctors cannot download, copy, print, or permanently store patient data. Access automatically expires after the consultation ends.
Role-Based Access Control (RBAC)
Active
Every user sees only the data relevant to their role. Patients see their own records. Doctors see only what the patient has authorized. Nurses, pharmacists, and lab staff have scoped access. Administrators manage operations — not clinical data.
HIPAA Compliance
Certified
Full compliance with the Health Insurance Portability and Accountability Act. We implement all required administrative, physical, and technical safeguards to protect Protected Health Information (PHI).
NDPR Certified Data Protection Officer
Certified
Medtrix has a certified Data Protection Officer (DPO) as required by the Nigeria Data Protection Regulation (NDPR). Our DPO oversees all data handling practices, conducts impact assessments, and ensures ongoing regulatory compliance.
Google Cloud Platform — Premium Tier
Active
Our infrastructure runs on Google Cloud Platform's Premium Tier — the most secure cloud hosting available globally. Google Cloud holds SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, HIPAA, FedRAMP, and PCI DSS certifications.
Comprehensive Audit Trails
Active
Every access to health records is logged with who accessed it, when, from where, and what actions were taken. Audit logs are immutable, retained for 6+ years, and available for regulatory review at any time.
Data Isolation & Row-Level Security
Active
Patient data is logically isolated using row-level security policies. Database queries are constrained to return only data the requesting user is authorized to see — enforced at the database engine level, not just the application layer.
No Third-Party Data Sharing
Active
We never sell, trade, or share health data with advertisers, data brokers, insurers, or employers. Third-party service providers (payment, communications) operate under strict data processing agreements and never access health records.
Real-Time Threat Detection
Active
24/7 automated security monitoring with intrusion detection, anomaly alerting, and automated threat response. Suspicious access patterns are flagged and blocked in real-time before data is compromised.

Hosted on Google Cloud Platform

The world's most secure and trusted cloud infrastructure

Infrastructure Certifications

  • SOC 1, SOC 2, SOC 3
  • ISO 27001 / 27017 / 27018
  • HIPAA (with BAA)
  • FedRAMP Authorized
  • PCI DSS Level 1
  • CSA STAR

Why Google Cloud?

  • Premium Tier networking — fastest, most reliable global backbone
  • Data encrypted at rest by default across all services
  • Custom-designed Titan security chips in every server
  • Zero-trust security model — no implicit trust between services
  • Global load balancing with DDoS protection included
  • 99.95% uptime SLA for production workloads

Compliance Standards

We meet and exceed industry compliance requirements across multiple frameworks.

HIPAA
Health Insurance Portability and Accountability Act — the gold standard for healthcare data protection in the United States. Covers administrative, physical, and technical safeguards for PHI.
Compliant
NDPR
Nigeria Data Protection Regulation — Nigeria's comprehensive data protection framework. Medtrix maintains a certified Data Protection Officer and conducts regular Data Protection Impact Assessments (DPIA).
Compliant
GDPR Principles
General Data Protection Regulation — we apply GDPR data minimization, purpose limitation, and consent principles to all user data regardless of location.
Compliant
SOC 2 Type II
Service Organization Control 2 — our hosting infrastructure (Google Cloud) maintains SOC 2 Type II certification, independently audited for security, availability, and confidentiality.
Certified
ISO 27001
International standard for Information Security Management Systems. Our infrastructure provider holds ISO 27001 certification; Medtrix is pursuing direct certification.
In Progress
PCI DSS Level 1
Payment Card Industry Data Security Standard — all payment processing is handled by Paystack, a PCI DSS Level 1 certified provider. Medtrix never stores card details.
Certified

Certified Data Protection Officer

As required by the Nigeria Data Protection Regulation (NDPR)

Medtrix has appointed a certified Data Protection Officer (DPO) in full compliance with the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act (NDP Act 2023). Our DPO is responsible for:

  • Overseeing all personal data processing activities and ensuring regulatory compliance
  • Conducting Data Protection Impact Assessments (DPIA) before any new data processing
  • Serving as the point of contact for NITDA (National Information Technology Development Agency) and data subjects
  • Monitoring and auditing internal data handling practices across all departments
  • Managing data breach response, notification, and remediation procedures
  • Ensuring all team members receive data protection training annually
  • Reviewing and approving data processing agreements with third-party service providers

For data protection inquiries, contact our DPO at dpo@medtrix.com

Security Best Practices

Our comprehensive approach to security includes these key practices.

  • Regular penetration testing and vulnerability assessments by independent security firms
  • Mandatory security training for all team members with access to systems or data
  • Background checks for all personnel with access to healthcare data
  • Documented incident response plan with 72-hour breach notification commitment
  • Automated daily encrypted backups with geographically distributed disaster recovery
  • Secure Software Development Lifecycle (SSDLC) with code review and static analysis
  • Third-party dependency scanning and automated vulnerability monitoring
  • 64-character cryptographic session tokens — no predictable session IDs or weak authentication
  • Automatic session timeouts and re-authentication for sensitive operations
  • Data Protection Impact Assessments (DPIA) conducted before new data processing activities

Trust & Transparency

We believe in complete transparency about our security practices. Our security documentation and compliance certificates are available for review.

Security DocumentationContact Security Team