DawaHQ
Get Started Free
🔒 Security & Compliance

Your patients' data is safe with DawaHQ

NDPR compliant. AES-256 encrypted. Role-based access. 99.9% uptime. Built on a foundation of trust — because your patients deserve nothing less.

🇳🇬NDPR Compliant
🔐AES-256 Encrypted
99.9% Uptime SLA
🗂️Data Ownership
🛡️

NDPR Compliance

DawaHQ is built to comply with the Nigeria Data Protection Regulation (NDPR). We operate as a Data Processor on behalf of your hospital (the Data Controller). Patient data belongs to your hospital — not us.

  • Lawful basis for all data processing documented
  • Data Processing Agreement (DPA) available on request
  • Patient right-to-access and right-to-erasure support
  • Data Breach notification procedures in place
  • No patient data sold or shared with third parties — ever
🔒

Encryption at Rest & in Transit

All patient data is encrypted using industry-standard AES-256 at rest. All connections use TLS 1.3, ensuring data in transit cannot be intercepted.

  • AES-256 encryption for all data at rest (Supabase)
  • TLS 1.3 for all API and browser connections
  • Database-level row security — staff only see their hospital's data
  • No plaintext storage of any sensitive medical data
  • Secrets managed via environment variables — never in code
👁️

Role-Based Access Control

DawaHQ uses granular role-based access control (RBAC). Every staff member is assigned a role that limits what they can see and do — preventing accidental or malicious data exposure.

  • Admin — full hospital settings and staff management
  • Doctor — patient records, consultations, prescriptions
  • Nurse — triage, vitals, nursing notes, ward round
  • Pharmacist — pharmacy inventory and dispensing only
  • Lab Technician — lab requests and results only
  • Receptionist — appointments, queue, and basic patient info
  • Radiologist — radiology requests and reports only
📋

Full Audit Logging

Every action taken in DawaHQ is logged with a timestamp and user ID. Admins can review the full audit trail at any time, ensuring accountability across your clinical team.

  • Every record view, edit, and deletion is logged
  • Login and logout events tracked with IP and device info
  • Prescription and dispensing logs with staff attribution
  • Billing and payment action audit trail
  • Lab result entry and sign-off logs

99.9% Uptime & Infrastructure

DawaHQ is hosted on enterprise-grade infrastructure via Supabase (PostgreSQL on AWS) and Vercel (global edge network). We design for high availability so your hospital is never left without access.

  • Hosted on AWS (via Supabase) with multi-region replication
  • Vercel global edge for sub-100ms page loads across Nigeria
  • Automated database backups every 24 hours
  • Point-in-time recovery for database restoration
  • 99.9% uptime SLA for Enterprise customers
🗂️

Data Ownership & Portability

Your hospital owns its data — full stop. You can export all patient records, invoices, and reports at any time. If you leave DawaHQ, your data leaves with you.

  • Full CSV and PDF export of patient records
  • Invoice and billing history export
  • Data deletion on account closure (with 30-day grace period)
  • No data lock-in — standard formats used throughout
  • On-request data migrations for Enterprise customers
🚨

Incident Response

We take security incidents seriously. Our incident response process ensures rapid detection, containment, and notification in the unlikely event of a security event.

  • Automated anomaly detection via Supabase alerts
  • Telegram-based critical alert system for engineering team
  • 24-hour incident response SLA for Enterprise
  • Breach notification to affected hospitals within 72 hours
  • Post-incident report published for transparency
🔧

Secure Development Practices

Security is built into every line of code. Our engineering team follows secure-by-default practices, with server-side validation, parameterised queries, and no client-side trust.

  • All inputs validated server-side — no client trust
  • Parameterised SQL queries — no SQL injection risk
  • Paystack plan codes validated server-side — client cannot override
  • CSRF protection via SameSite cookies
  • Dependency scanning and updates on every deploy

Security questions answered

Who has access to my hospital's patient data?
Only your own hospital's staff accounts (based on their assigned role) can access your patient data. DawaHQ engineers can only access de-identified operational logs — never your clinical records — unless you explicitly grant support access for troubleshooting.
Is DawaHQ HIPAA compliant?
DawaHQ is designed for the Nigerian regulatory environment and is built to NDPR standards. We implement security controls that align with international best practices (similar to HIPAA requirements), but our formal compliance certification is NDPR. Enterprise customers can request a security assessment.
What happens to data if we cancel?
Your data is retained for 30 days after cancellation. During this period you can export everything. After 30 days, data is permanently deleted from our systems. Enterprise customers can negotiate extended retention.
Do you share patient data with third parties?
Never. Patient data is never sold, rented, or shared with any third party for marketing or commercial purposes. The only third parties that may process data are our infrastructure providers (Supabase/AWS, Vercel) under strict data processing agreements.

Found a security vulnerability?

We take security reports seriously. Please email us at security@dawahq.com with details. We aim to respond within 24 hours and resolve critical issues within 72 hours.

Report a Vulnerability