Skip to main content

Security and GDPR

Last updated:

1. Why security is non-negotiable

Zaniora processes health data, classified as a special category by GDPR art. 9. This requires reinforced measures: encryption, hard isolation between clinics, EU-only hosting, audit logs and incident notification procedures.

2. Where data is stored

  • Physical servers in the European Union (Spain).
  • Encrypted, isolated backups on Backblaze B2 (EU region).
  • CDN and DDoS protection by Cloudflare (EU data residency configured).
  • No international transfers outside the EEA.

3. Encryption

  • TLS 1.3 in transit. HSTS enabled. Forced HTTPS.
  • Database encrypted at rest at the server volume level.
  • Object storage encrypted at rest.
  • Application-level encryption with per-tenant keys for the most sensitive fields (practitioner private notes, patient portal tokens).
  • Backups encrypted with a separate key before leaving the server.
  • Passwords stored with Argon2id, never in plain text.

4. Multi-tenant isolation

  • Every clinic has a unique tenant ID that travels with every record.
  • PostgreSQL Row Level Security filters every query by tenant automatically.
  • Double validation in the application layer: tenant ownership is verified on every request.

5. Patient portal access

  • Access via unique link + numeric PIN chosen by the practitioner.
  • PIN stored hashed (Argon2id with salt). Rate-limited with temporary block on repeated failures.
  • Access logs (timestamp, truncated IP, PIN result) visible to the practitioner.
  • Practitioner can revoke access instantly and regenerate.
  • Patient session expires after 30 minutes of inactivity.

6. GDPR compliance

Zaniora acts as the data processor. The practitioner is the controller. We sign a data processing agreement (GDPR art. 28) with each, covering:

  • Specific processing purposes.
  • Technical and organisational measures.
  • Authorised subprocessors.
  • Assistance with data subject rights (access, rectification, erasure, portability).
  • Breach notification within 72 hours of detection.

7. Backups and recovery

  • Daily database backup.
  • Staggered retention: 7 daily + 4 weekly + 12 monthly.
  • Monthly restore drills. An untested backup is no backup.
  • Recovery time objective (RTO): 4 hours.
  • Recovery point objective (RPO): 24 hours.

8. Monitoring and incident response

  • Production errors centralised in Sentry (no PII).
  • 24/7 uptime monitoring with instant alerts.
  • Structured logs without personal patient data.
  • Documented incident response, with client and Spanish DPA notification if applicable.

9. Data deletion

  • Deleting a patient: 30-day soft-delete, then permanent deletion.
  • Closing your account: data export (JSON + PDF) available. After 30 days, permanent deletion.
  • Backups are purged automatically at the end of their rotation cycle.

10. Reporting a vulnerability

Email security@zaniora.com. Please do not publish details before giving us a reasonable window to respond and mitigate. We acknowledge responsible reports publicly with your permission.