Data & Security Policy
1. Data Governance Principles
MedStock operates on the core principle that robust data governance is fundamental to building trust in B2B supply chain finance. Our data policy is tailored to align with ISO 27001 standards and the Kenyan Data Protection Act, ensuring transparency, integrity, and confidentiality across all platform layers.
2. Cloud Infrastructure & Hosting
Recognizing the sensitivity of pharmaceutical and financial data, our entire digital infrastructure is highly resilient and locally optimized:
- Local Data Residency: Core databases and financial ledgers are hosted in localized, highly secure data centers serving the East African region, ensuring data sovereignty.
- Redundancy: We utilize Multi-AZ (Availability Zone) deployments, ensuring that in the event of hardware failure, a hot-standby system immediately takes over with zero data loss.
- Automated Backups: Point-in-time recovery (PITR) backups are taken continuously, stored in geographically isolated, encrypted vaults.
3. Encryption Standards
MedStock treats all user data as highly sensitive, applying zero-trust encryption principles:
Data at Rest
All databases, object storage (S3/R2), and backups are encrypted at rest using industry-standard AES-256 encryption. Master keys are securely rotated via robust Key Management Services (KMS).
Data in Transit
All communications between client devices (web/mobile) and our APIs, as well as internal microservice communications, are strictly encrypted using TLS 1.2 and TLS 1.3.
4. Access Controls & Authentication
We enforce strict principles of least privilege and robust authentication across the MedStock platform:
- Multi-Factor Authentication (MFA): Administrative access and high-risk client actions (like loan disbursal or password changes) require MFA (OTP via SMS, Email, or WhatsApp).
- Role-Based Access Control (RBAC): Both our internal admin portals and client-facing dashboards use strictly defined roles to ensure users can only access data pertinent to their duties.
- Blind Search Indexes: Personally Identifiable Information (PII) such as phone numbers and email addresses is hashed securely, with separate blind indexes permitting search without exposing the raw data.
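As an added illustration of the blind-index item above (example code written for this page, not MedStock's implementation): the search index is a keyed HMAC over a canonicalised value, computed under a key that is separate from the key encrypting the PII itself, and the search table stores only that index and a record id. The Kenyan phone normalisation rule and the demo key are assumptions.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed demo key (32 bytes). In a real deployment this is a KMS-managed
# key, distinct from the key that encrypts the PII column, so a leaked index
# key cannot decrypt stored data and a leaked data key cannot forge indexes.
BLIND_INDEX_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def normalize_phone(phone: str) -> str:
    """Canonicalise a Kenyan number to E.164 so '0712 345 678' and
    '+254712345678' yield the same index (assumed convention)."""
    digits = re.sub(r"\D", "", phone)
    if digits.startswith("254"):
        digits = digits[3:]
    return "+254" + digits.lstrip("0")


def normalize_email(email: str) -> str:
    return email.strip().lower()


def blind_index(normalized: str, key: bytes = BLIND_INDEX_KEY) -> str:
    """HMAC-SHA256 of the canonical value. Because the key is secret, a reader
    of the index column cannot enumerate likely phone numbers offline the way
    they could against an unkeyed SHA-256 of a nine-digit number."""
    mac = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return mac[:16].hex()  # 128-bit prefix: enough for lookup, less to leak


class RetailerDirectory:
    """Holds only blind indexes and record ids; the encrypted PII lives in the
    main record and is never needed to answer a search."""

    def __init__(self) -> None:
        self._phone_idx: Dict[str, List[str]] = {}
        self._email_idx: Dict[str, List[str]] = {}

    def add(self, retailer_id: str, phone: str, email: str) -> None:
        p = blind_index(normalize_phone(phone))
        e = blind_index(normalize_email(email))
        self._phone_idx.setdefault(p, []).append(retailer_id)
        self._email_idx.setdefault(e, []).append(retailer_id)

    def find_by_phone(self, phone: str) -> List[str]:
        return list(self._phone_idx.get(blind_index(normalize_phone(phone)), []))

    def find_by_email(self, email: str) -> List[str]:
        return list(self._email_idx.get(blind_index(normalize_email(email)), []))
```

A query for a number written in a different format still matches because both sides are normalised before hashing, while the stored index reveals nothing usable without the index key.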
5. Audits and Compliance
MedStock proactively monitors the platform to prevent misconfigurations and malicious activities:
- Activity Logging: All critical API calls and data modifications are logged immutably, generating a clear audit trail of *who* did *what* and *when*.
- Third-Party Penetration Testing: We engage certified, independent security firms annually to perform grey-box penetration tests on our frontends and APIs.
- CBK Regulatory Audits: As a licensed entity, our platform undergoes routine checks to verify our compliance with anti-fraud, AML, and credit handling guidelines.
6. Incident & Breach Response
In the highly unlikely event of a data breach or security incident, our Incident Response Team is activated immediately to isolate the threat.
As per the requirements of the Office of the Data Protection Commissioner (ODPC), we commit to:
- Notifying the regulator within 72 hours of discovering any breach posing a severe risk to users' rights and freedoms.
- Notifying affected Retailers and Wholesalers without undue delay, providing transparent details about the breach and remediation steps taken.