Security & Trust Centre

Your Health Data is Safe With Us

Planeazzy is built on a foundation of security, privacy, and trust. We apply enterprise-grade security to protect every patient record, appointment, and communication on our platform — in full compliance with the Kenya Data Protection Act 2019.

End-to-End Encryption

All data in transit is protected by TLS 1.3. All data at rest is encrypted using AES-256. Your health records are never transmitted in plain text.

KDPA 2019 Compliant

We are registered as a Data Controller with Kenya's Office of the Data Protection Commissioner (ODPC). Our practices are fully compliant with the Kenya Data Protection Act 2019.

Secure Data Storage

Patient data is stored in encrypted, access-controlled databases hosted in Kenya and the African region. Regular automated backups ensure data availability and integrity.

Role-Based Access

Strict access controls ensure that staff and healthcare providers can access only the data they need to perform their roles. Every access is logged and audited.

Breach Response

We have a tested incident response plan. ODPC notification within 72 hours and patient notification without undue delay, as required by KDPA Section 41.

Regular Security Audits

Independent penetration testing, vulnerability assessments, and code security reviews are conducted quarterly by certified cybersecurity professionals.

Technical Security Measures

Password Security

All passwords are hashed using bcrypt with a minimum cost factor of 12. We enforce strong password policies and support account lockout after failed attempts. Passwords are never stored in plain text or reversible format.

TLS 1.3 Everywhere

All communications between your browser/app and our servers are encrypted using TLS 1.3. HTTP connections are automatically redirected to HTTPS. HSTS (HTTP Strict Transport Security) is enforced with a 1-year max-age.

Session Management

Sessions use cryptographically random tokens, are invalidated on logout, and expire after periods of inactivity. Session tokens are transmitted only over HTTPS and protected with HttpOnly and SameSite cookie flags.

CSRF & XSS Protection

All state-changing API requests require valid CSRF tokens. All user-supplied data is sanitised and encoded before output. Content Security Policy (CSP) headers prevent script injection attacks.

Rate Limiting & DDoS

API endpoints are rate-limited per IP address to prevent brute-force attacks. Distributed denial-of-service (DDoS) protection is provided at the network edge. Automatic account lockout triggers after repeated failed login attempts.

Audit Logging

All access to patient health records, administrative actions, and API calls are logged with timestamps, user identifiers, and IP addresses. Logs are stored securely for 12 months and are immutable once written.

Backups & Recovery

Automated encrypted backups run every 6 hours. Point-in-time recovery is available for up to 35 days. Backups are stored in geographically separate secure facilities. Recovery time objective (RTO): <4 hours. Recovery point objective (RPO): <6 hours.

File Upload Security

Uploaded files (photos, documents) are validated for MIME type, size, and content before storage. Files are stored outside the web root and served through controlled endpoints. File names are randomised to prevent enumeration.

Compliance & Certifications

Kenya Data Protection Act 2019

ODPC Registered Data Controller

Kenya Health Act 2017

Medical records compliant

ISO 27001 (In Progress)

Information security management

Computer Misuse Act 2018

Cybercrime compliance

Your Security Rights & Controls

As a Planeazzy user, you have the following security controls available to you at all times:

View all active login sessions and revoke them remotely
Download a full copy of all your personal data
Permanently delete your account and all associated data
Control which healthcare providers can access your records
Opt out of non-essential data processing at any time
Receive immediate notification of any data breach affecting you
Change your password and revoke all sessions instantly
File a data subject access request (DSAR) at any time
Withdraw consent for data processing (with exceptions for legal obligations)
Lodge a complaint with the ODPC if unsatisfied with our response

Platform Security Status

All Systems Operational Updated: Jun 3, 2026

All security certificates valid and current

Security

Last penetration test: No critical vulnerabilities found

Audit

Backup verification: All backups healthy

Infrastructure

ODPC registration: Current and valid

Compliance

Found a Security Vulnerability?

We take security seriously and work with the security community through our responsible disclosure programme. If you discover a vulnerability, please report it to us before disclosing publicly. We commit to acknowledging reports within 24 hours and resolving critical issues within 72 hours.

security@planeazzy.com PGP key available on request