Data Protection Statement

Commitment to Security: Swizton Medtech Pvt. Ltd. (HeartIQ) is committed to ensuring the confidentiality, integrity, and availability of your data in alignment with the Digital Personal Data Protection Act, 2023, and ISO/IEC 27001:2022 standards.

1. Data Encryption Standards

We leverage Microsoft Azure’s native encryption mechanisms to protect data throughout its lifecycle. Our encryption architecture ensures that no unencrypted storage or transmission of sensitive data is permitted.

1.1 Encryption at Rest

All data stored within the platform is protected using 256-bit AES (AES-256) encryption. This includes:

  • Databases: All Azure MySQL relational databases are encrypted by default.
  • Medical Files: PDFs, reports, and diagnostic images stored in Azure Blob Storage are automatically encrypted.
  • Infrastructure: Virtual machines, managed disks, and backups utilize managed infrastructure encryption.

1.2 Encryption in Transit

All data transmitted to, from, or within the platform is encrypted using industry-standard protocols:

  • Transport Layer Security (TLS): We enforce TLS 1.2 or higher for all connections.
  • HTTPS: All web and API communication is secured via HTTPS.
  • Unencrypted protocols (HTTP, FTP) are strictly prohibited.

1.3 Key Management

We utilize Microsoft Azure Key Management Services. Encryption keys are managed, rotated, and protected by Azure to ensure maximum security. Direct access to encryption keys by personnel is not permitted.

2. Data Retention & Lifecycle

Our retention policy ensures that personal and health data is retained only for as long as necessary for business, clinical, or legal purposes. We adhere to the principles of Purpose Limitation and Storage Limitation.

2.1 Retention Schedule

The following retention periods apply to data processed by the platform:

Data Category          | Description                          | Retention Period
-----------------------|--------------------------------------|-----------------------------
User Account Data      | Profile, login details, demographics | Account lifetime + 3 years
Health Records (PGHD)  | Self-reported health data            | Account lifetime + 10 years
Clinical Records       | Doctor notes, prescriptions, reports | Account lifetime + 10 years
Lab & Imaging Reports  | Diagnostic PDFs and CCTA images      | Account lifetime + 10 years
Billing Records        | Invoices and transactions            | 8 years (Statutory)
Audit & Access Logs    | Security and access activity         | 3 years

Note: "Account lifetime" refers to the period until account closure or the last clinical interaction.

2.2 Secure Disposal

When data reaches the end of its retention period, it is securely deleted. This involves logical deletion followed by physical deletion where applicable. All deletion activities are logged for audit purposes.

3. Backup & Business Continuity

To ensure data availability and resilience against failure, we maintain a robust Backup and Recovery framework.

3.1 Backup Strategy

  • Database Backups: Automated daily full backups with continuous transaction log backups.
  • Document Backups: Snapshots of medical PDFs and images stored in Azure Blob Storage.
  • Security: All backups are encrypted (AES-256) and stored in logically isolated recovery vaults.

3.2 Recovery Objectives

In the event of a system failure or data loss incident, we operate with the following targets:

  • Recovery Time Objective (RTO): We aim to restore systems within 24 hours.
  • Recovery Point Objective (RPO): The maximum acceptable data loss is limited to 24 hours.

3.3 Reliability

Backup integrity is verified through monitoring, and restoration tests are performed at least annually to ensure data recoverability.

© 2026 Swizton Medtech Pvt. Ltd. | HeartIQ Score
Aligned with DPDP Act 2023 & ISO/IEC 27001:2022