Security & Compliance

Patient data protection is not a feature — it's the foundation. Here's how Vitora keeps your facility compliant and your patients safe.

Six Pillars of Protection

Encryption at Rest & in Transit

All patient PII (national ID, phone numbers) is encrypted with AES-128 via Fernet. API traffic is TLS 1.3. Database connections use SSL.

Role-Based Access Control

Granular RBAC with 12+ roles — from receptionist to org admin. Sensitive patient records (HIV, GBV) require explicit permission to view.

Full Audit Trail

Every data access, modification, and login is logged with user, IP, timestamp, and purpose. Logs are retained for 7 years per Kenya DPA 2019.

MFA Enforcement

TOTP-based multi-factor authentication is mandatory for admin and senior clinical roles. Configurable grace period for onboarding.

Secure Hosting

Backend runs on Azure Container Apps with managed SSL. Database on Neon PostgreSQL (EU region). No patient data leaves the compliant zone.

Data Minimization & Consent

Only necessary data is collected. Patient consent is tracked with timestamps. Data subject rights (export, deletion) are supported via API.

Active Shift Enforcement

Clinical write operations (creating encounters, prescriptions, lab orders) are only allowed when the staff member has an active shift. This prevents unauthorized after-hours data entry and ensures every clinical action is traceable to a scheduled, clocked-in practitioner.

Admin roles (ADMIN, ORG-ADMIN, OWNER) are exempt to ensure operational continuity.
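A sketch of how such a gate can be expressed, as an added example and not Vitora's own code. The operation labels, the `Shift` record, the `NURSE` role and the function names are assumptions; the exempt roles and the audit fields (user, IP, timestamp, purpose) are the ones this page lists.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

EXEMPT_ROLES = {"ADMIN", "ORG-ADMIN", "OWNER"}  # exempt roles listed on the page
# Assumed operation labels for the clinical writes the page names.
CLINICAL_WRITES = {"create_encounter", "create_prescription", "create_lab_order"}

@dataclass(frozen=True)
class Shift:  # hypothetical record; all datetimes are timezone-aware
    staff_id: str
    starts_at: datetime
    ends_at: datetime  # may fall on the next calendar day (night shift)
    clocked_in_at: Optional[datetime] = None
    clocked_out_at: Optional[datetime] = None

    def active_at(self, now: datetime) -> bool:
        # Scheduled AND clocked in: a rostered but absent user does not pass.
        if self.clocked_in_at is None or now < self.clocked_in_at:
            return False
        if self.clocked_out_at is not None and now >= self.clocked_out_at:
            return False
        return self.starts_at <= now < self.ends_at

def authorize_write(staff_id, role, operation, shifts, now, ip, purpose):
    """Apply only the shift rule (RBAC is a separate check); return (allowed, audit)."""
    if operation not in CLINICAL_WRITES:
        allowed, reason = True, "shift_rule_not_applicable"
    elif role in EXEMPT_ROLES:
        allowed, reason = True, "exempt_role"
    elif any(s.staff_id == staff_id and s.active_at(now) for s in shifts):
        allowed, reason = True, "active_shift"
    else:
        allowed, reason = False, "no_active_shift"
    # Denials are logged as well as grants, with the audit fields the page lists.
    audit = {"user": staff_id, "role": role, "ip": ip, "purpose": purpose,
             "timestamp": now.isoformat(), "operation": operation,
             "allowed": allowed, "reason": reason}
    return allowed, audit

# Constructed sample: a night shift crossing midnight, clocked in 5 minutes early.
UTC = timezone.utc
SHIFTS = [Shift("nurse-17", datetime(2024, 3, 1, 19, 0, tzinfo=UTC),
                datetime(2024, 3, 2, 7, 0, tzinfo=UTC),
                clocked_in_at=datetime(2024, 3, 1, 18, 55, tzinfo=UTC))]

if __name__ == "__main__":
    for hour in (2, 8):  # 02:00 is inside the shift, 08:00 is after it ended
        now = datetime(2024, 3, 2, hour, 0, tzinfo=UTC)
        print(authorize_write("nurse-17", "NURSE", "create_prescription",
                              SHIFTS, now, "10.0.0.5", "treatment"))
```

Comparing timezone-aware datetimes rather than clock times is what keeps a shift that crosses midnight valid at 02:00 and invalid at 08:00.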

Regulatory Compliance

Kenya Data Protection Act 2019

Compliant

Purpose limitation, storage limitation (7-year audit retention), integrity & confidentiality (Fernet encryption), accountability (full audit trail), data subject rights.

SHA Digital Health Agency

Integrated

All 15 DHA APIs. Secure token management, encrypted claim payloads, real-time eligibility verification.

FHIR R4 Interoperability

Supported

Patient, Encounter, Observation, and other clinical resources exposed in FHIR R4 format for interoperability with third-party systems.

KHIS / DHIS2 Reporting

Automated

MOH 705A, 705B, 731, and other mandatory reports generated automatically from clinical data. No manual entry required.

Questions About Security?

Our team is happy to walk through our security practices, share our DPIA, or discuss your facility's specific compliance needs.