Security
Security Statement
This statement summarises, at a high level, the security posture of the PharmIT Platform. It is consistent with Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and aligned with internationally recognised information-security standards. It does not modify the Terms of Service, Privacy Policy, or Data Processing Agreement (DPA).
For security reasons, this page intentionally does not disclose specific software versions, architecture details, vendor names, configuration parameters, retention values, or internal procedures. Prospective customers under NDA may request additional detail.
1. Hosting and infrastructure
- Production infrastructure is hosted in India in a Tier-III-equivalent data centre, in line with the RBI's 2018 direction on storage of payment system data and applicable Indian law.
- The operating environment is hardened to recognised industry benchmarks and reviewed periodically.
- The application stack is kept current; security advisories from operating-system and platform vendors are applied on a routine schedule.
2. Access control
- Strong authentication is required for all administrative access; password-only access to production systems is disabled.
- Per-engineer credentials are used; shared credentials are not permitted.
- Application processes run under non-privileged accounts; the principle of least privilege is applied at the OS, database, and application layers.
- Step-up authentication is required for high-privilege actions.
- Multi-tenant isolation is enforced in code and at the data layer; cross-tenant access is structurally blocked.
3. Network and perimeter
- Only necessary ports are exposed externally; all other traffic is filtered.
- Brute-force and abuse mitigations are in place at the perimeter and the application layer.
- Rate limiting protects authentication and other sensitive endpoints.
- HTTPS is enforced; plain-HTTP requests are redirected to HTTPS. Modern transport-layer security policies and HSTS are configured so that browsers do not fall back to HTTP on subsequent visits.
4. Encryption
- In transit: all client-to-server and integration traffic is encrypted using current industry-standard transport-layer security.
- At rest: data is stored on encrypted volumes where the host platform supports it; backups are encrypted at rest.
- Passwords: stored only as one-way cryptographic hashes using a current, strong, salted password-hashing scheme. Plain-text passwords are never stored or logged by the Platform, and are transmitted only inside the encrypted transport described under "In transit".
- Application secrets and integration credentials: stored using application-level encryption.
5. Auditing and monitoring
- Every business-data change is captured in an append-only (immutable) audit trail that records the actor, the timestamp, and the before / after values.
- Authentication and access events are logged and retained in line with the CERT-In Direction No. 20(3)/2022 dated 28 April 2022 and applicable law.
- Changes to security-sensitive configuration and code are continuously monitored.
- File-integrity, configuration-integrity, and intrusion-detection controls are deployed at the host and application layers.
- Regular vulnerability scanning and patch management are part of the operational baseline.
6. Backup and disaster recovery
- Backups are taken on a routine schedule and retained for a period appropriate to data sensitivity and regulatory requirements.
- Backups are encrypted at rest and stored within India.
- Recovery objectives (RPO / RTO) are governed by the Service Level Agreement.
- Restore drills are conducted periodically to validate readiness.
7. Incident response
- Detect. Multi-layered alerting from application, host, and network controls; supplemented by manual reports.
- Triage. Severity classification within defined response timelines.
- Contain. Affected components are isolated; compromised credentials are revoked.
- Notify.
  - CERT-In within the timeline mandated by the April 2022 Direction (six hours of noticing the incident), where the incident falls within the Direction's reportable categories.
  - Data Protection Board of India under §8(6) of the DPDP Act 2023, where a personal-data breach has occurred.
  - Affected Tenants without undue delay.
- Eradicate & recover. The root cause is remediated and service restored.
- Post-incident review. A root-cause summary is shared with affected Tenants, and lessons are applied.
8. Personnel security
- Personnel handling personal data are subject to confidentiality and IP-assignment obligations.
- Background verification is performed where lawful and appropriate.
- Periodic security and privacy training is mandatory.
- Production access follows least privilege and is reviewed regularly; access is revoked promptly on role change or departure.
9. Application security
- The software development life-cycle includes security review for sensitive changes.
- Automated checks flag patterns commonly associated with injection, broken access control, and tenant-isolation drift before release.
- Dependency management includes routine vulnerability auditing of third-party libraries.
- The OWASP Top 10 informs design choices, code review, and testing.
10. Responsible disclosure
If you have identified a security vulnerability, please report it to security@pharmit.in with sufficient technical detail to reproduce. Please do not publicly disclose until we have had a reasonable opportunity to remediate.
- We will acknowledge reports within a reasonable time.
- We will coordinate with you on remediation timelines.
- We will not pursue legal action against good-faith researchers who follow this policy and who do not access, alter, or exfiltrate data beyond what is necessary to demonstrate the issue.
11. Contact
Security questions: security@pharmit.in