Security & Compliance

Your health data deserves the highest protection.

Carelens is built with security at its core. We comply with all applicable Indian laws and follow international best practices to ensure your health records are safe, private, and under your control.

Security standards we follow

ISO 27001:2022

Certified Information Security Management System (ISMS). Annual audits by accredited third-party assessors.

SOC 2 Type II

Independently audited for security, availability, processing integrity, confidentiality, and privacy.

AES-256 Encryption

All health data encrypted at rest (AES-256) and in transit (TLS 1.3). Zero-knowledge architecture for sensitive records.

CERT-In Compliant

Full compliance with CERT-In Directions 2022 including 6-hour incident reporting and 180-day log retention.

Annual Penetration Testing

Third-party VAPT conducted annually. Bug bounty programme for responsible disclosure.

HIPAA-Aligned Practices

While HIPAA is a US regulation, we voluntarily follow its safeguards as a global best practice for health data.

Indian regulatory compliance

Digital Personal Data Protection Act (DPDPA), 2023

Carelens is fully compliant with the DPDPA, India's comprehensive data protection law. Our obligations include:

  • Lawful purpose and consent: We collect health data only with your explicit, informed consent. You can withdraw consent at any time from your account settings.
  • Purpose limitation: Your data is used solely for providing health record management, AI-powered insights, and doctor sharing — never for advertising, profiling, or sale to third parties.
  • Data minimisation: We collect only the data necessary to deliver our services. No unnecessary tracking or behavioural profiling.
  • Accuracy and storage limitation: You can update or delete your records at any time. Data is retained only as long as you maintain an active account or as required by law.
  • Data Principal rights: You have the right to access, correct, erase, and port your data. Requests are processed within 72 hours.
  • Children's data: Health records for minors (under 18) can only be managed by a parent or legal guardian through verified family profiles, in compliance with Section 9 of the DPDPA.
  • Grievance redressal: Our Data Protection Officer can be reached at contact@carelens.in. We resolve grievances within the timelines prescribed by the Act.

Information Technology Act, 2000

As an intermediary handling sensitive personal data, Carelens complies with:

  • IT (Reasonable Security Practices) Rules, 2011: We implement ISO 27001-aligned security practices for handling sensitive personal data including health records and medical history.
  • IT (Intermediary Guidelines) Rules, 2021: We maintain required due diligence, appoint a Grievance Officer, Nodal Contact Person, and Chief Compliance Officer as mandated for significant social media intermediaries and platforms.
  • Section 43A: We maintain comprehensive security procedures to protect sensitive personal data from unauthorised access, damage, or disclosure.
  • Section 72A: Strict internal policies prevent disclosure of personal information in breach of lawful contract. Violations are treated as criminal offences under the Act.

CERT-In Directions, 2022

We comply with all directions issued by the Indian Computer Emergency Response Team:

  • Cyber security incidents are reported to CERT-In within 6 hours of detection
  • System logs are maintained and stored within India for a rolling period of 180 days
  • NTP synchronisation with NIC or NPLI servers for accurate timestamping
  • KYC and registration data retained for 5 years as required

Electronic Health Records (EHR) Standards

Carelens follows the EHR Standards as notified by the Ministry of Health and Family Welfare (MoHFW):

  • Health data is structured per SNOMED-CT and ICD-10 coding standards where applicable
  • Interoperability with HL7 FHIR for data exchange with hospitals and labs
  • Compliance with Ayushman Bharat Digital Mission (ABDM) health data standards
  • Support for ABHA (Ayushman Bharat Health Account) integration for national health ID linking

Ayushman Bharat Digital Mission (ABDM)

Carelens is aligned with the National Digital Health Ecosystem:

  • Integration with Health Information Exchange and Consent Manager (HIE-CM)
  • Support for ABHA number creation and linking
  • Consent-based health data sharing as per ABDM consent framework
  • Compliance with Health Data Management Policy published by NHA

Indian Medical Council Regulations

Our doctor-facing features comply with the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002. The AI agent provides informational summaries only and does not diagnose, prescribe, or replace clinical judgement. All AI-generated insights carry clear disclaimers that they are not medical advice. Doctor-patient data access is temporary, consent-based, and time-limited (15-minute expiry links).

Clinical Establishments Act, 2010

For states that have adopted the Clinical Establishments (Registration and Regulation) Act, 2010, Carelens supports healthcare providers in maintaining digital records as required under the Act. Our platform helps clinics and hospitals meet their record-keeping obligations through structured digital health records and audit trails.

Consumer Protection (E-Commerce) Rules, 2020

As a digital platform, we comply with e-commerce rules including displaying complete entity information, providing clear terms of service, maintaining a 48-hour grievance acknowledgement window, and resolving complaints within 30 days. Our cancellation and refund policies are transparently displayed.

Data localisation and infrastructure

Data residency

  • All health data is stored on servers located within India (Mumbai and Hyderabad regions)
  • No personal health information is transferred outside Indian borders
  • Database backups are encrypted and stored in geographically separate Indian data centres
  • Compliant with RBI data localisation norms for any payment data processed

Infrastructure security

  • Hosted on SOC 2 and ISO 27001 certified cloud infrastructure
  • Web Application Firewall (WAF) protecting against OWASP Top 10 vulnerabilities
  • DDoS protection with automatic traffic scrubbing
  • 99.9% uptime SLA with multi-AZ deployment
  • Automated vulnerability scanning and patching
  • Network segmentation isolating health data from other services

Access controls

  • Role-based access control (RBAC) for all internal systems
  • Multi-factor authentication mandatory for all employees accessing production systems
  • Principle of least privilege — no employee has access to raw health data without an audit trail
  • Background verification for all team members handling sensitive data
  • Quarterly access reviews and immediate revocation upon role change or exit

Encryption standards

  • In transit: TLS 1.3 for all API and web traffic. Certificate pinning in mobile apps.
  • At rest: AES-256 encryption for all stored health records and personal data.
  • Key management: Hardware Security Modules (HSM) for encryption key storage. Keys rotated quarterly.
  • Share links: Cryptographically signed, time-limited tokens. Links expire after 15 minutes with no option to extend.
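One way to build the signed, time-limited share links described above, as an added example that is not Carelens code: an HMAC-SHA256 token whose expiry is fixed inside the signed body, so a holder cannot push it later without invalidating the signature. The key, record and doctor identifiers are constructed placeholders, and the 15-minute lifetime is the one stated on this page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARE_LINK_TTL_SECONDS = 15 * 60  # the page's 15-minute expiry, fixed at issue time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key: bytes, body: str) -> str:
    return b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_share_token(key: bytes, record_id: str, doctor_id: str,
                      now: Optional[float] = None) -> str:
    """Bind one record to one recipient; 'exp' lives inside the MAC-protected body."""
    issued = int(now if now is not None else time.time())
    payload = {"rid": record_id, "sub": doctor_id,
               "iat": issued, "exp": issued + SHARE_LINK_TTL_SECONDS}
    body = b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{sign(key, body)}"

def verify_share_token(key: bytes, token: str, doctor_id: str,
                       now: Optional[float] = None) -> Optional[dict]:
    """Constant-time MAC check before any parsing; then recipient and expiry. None on any failure."""
    try:
        body, tag = token.split(".", 1)
        if not hmac.compare_digest(b64url_decode(tag), b64url_decode(sign(key, body))):
            return None
        payload = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    current = now if now is not None else time.time()
    if not isinstance(payload, dict) or payload.get("sub") != doctor_id:
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= current:
        return None
    return payload

def tamper_extend_expiry(token: str, extra_seconds: int) -> str:
    """Edit 'exp' but keep the original tag: shows why a link cannot be extended after issue."""
    body, tag = token.split(".", 1)
    payload = json.loads(b64url_decode(body))
    payload["exp"] += extra_seconds
    return f"{b64url(json.dumps(payload, separators=(',', ':'), sort_keys=True).encode())}.{tag}"
```

In production the key would come from the HSM-backed key store the page mentions and tokens would additionally be looked up against a server-side revocation list when consent is withdrawn.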

AI safety and responsible use

What the AI agent does and does not do

The Carelens AI agent is designed to help you understand your health records — not to replace your doctor.

  • Does: Summarise lab reports, identify trends in vitals, check medication interactions from published databases, and generate structured summaries for doctor visits.
  • Does not: Diagnose medical conditions, prescribe treatments, provide emergency medical advice, or make clinical decisions.
  • All AI-generated content is clearly labelled and includes a disclaimer that it is not a substitute for professional medical advice.

Data usage for AI

  • Your health data is processed by the AI agent only to serve your queries in real-time
  • We do not use your personal health data to train AI models
  • AI processing happens on secure, India-based infrastructure
  • You can disable AI features at any time from app settings while continuing to use Carelens as a record manager

Medication interaction checking

Drug interaction data is sourced from established pharmaceutical databases and is updated regularly. However, interaction checks are informational and do not account for your complete medical history, allergies, or conditions that only your doctor would know. Always consult your healthcare provider before making medication changes.

Governance and incident response

Incident response plan

  • Dedicated Security Incident Response Team (SIRT) with 24/7 on-call rotation
  • Incidents classified by severity (P0-P3) with defined response and resolution SLAs
  • Mandatory reporting to CERT-In within 6 hours for qualifying incidents
  • Affected users notified within 72 hours of confirmed data breach per DPDPA requirements
  • Post-incident review and root cause analysis published internally within 7 days

Business continuity

  • Recovery Point Objective (RPO): 1 hour — no more than 1 hour of data loss in a disaster
  • Recovery Time Objective (RTO): 4 hours — services restored within 4 hours
  • Automated daily backups with 30-day retention, tested monthly
  • Disaster recovery drills conducted bi-annually

Audit and transparency

  • Annual third-party security audits (ISO 27001 and SOC 2)
  • Annual VAPT (Vulnerability Assessment and Penetration Testing) by CERT-In empanelled auditors
  • Internal compliance reviews conducted quarterly
  • Transparency reports published annually detailing government data requests and actions taken

State-specific compliance

Indian states have varying regulations regarding clinical establishments, health data, and digital services. Carelens maintains compliance with state-specific requirements including:

Karnataka

Compliance with the Karnataka Private Medical Establishments Act, 2007 and Karnataka Shops and Commercial Establishments Act for our registered office. IT/ITeS establishment registration maintained as required.

Maharashtra

Compliance with the Bombay Nursing Homes Registration Act, 1949 for any partner clinical establishments. Maharashtra Shops and Establishments Act registration for operational offices.

Tamil Nadu

Compliance with the Tamil Nadu Private Clinical Establishments (Regulation) Act, 1997. Support for Tamil language in user interfaces as part of accessibility obligations.

Delhi NCR

Compliance with the Delhi Nursing Homes Registration Act, 1953 for partner establishments. Adherence to Delhi state amendments to the Clinical Establishments Act for digital health record maintenance.

Other states

For states that have adopted the Clinical Establishments (Registration and Regulation) Act, 2010, Carelens ensures its platform and partner integrations meet all applicable digital record-keeping and data handling requirements. We monitor regulatory changes across all Indian states and update our compliance posture accordingly.

Questions about compliance?

Reach our compliance team at contact@carelens.in

Last updated: February 2026