PPraxy
Go Digital Now
FeaturesSign in

Data handling

Last updated:

Draft for internal reference — basic content and outline only. Review with legal counsel (and verify DPDP Act 2023 obligations) before publishing.

Praxy is built India-first. This page explains who is responsible for what, where data lives, who can touch it, and how we keep it safe — the detail behind our 'DPDP compliant' commitment.

1. Roles: who is responsible

For patient data, the doctor (or practice) is the Data Fiduciary — they decide why and how patient data is processed. Praxy is the Data Processor, acting on the doctor's instructions. For account and billing data of doctors, Praxy is the fiduciary.

2. Data residency

Personal and patient data is stored in India. Our data tiers let a practice move from shared infrastructure to a dedicated database, or to their own self-hosted database, without re-platforming.

  • Shared — default; logically isolated per practice.
  • Dedicated — a separate database per practice.
  • Bring-your-own — your own self-hosted database.

3. Sub-processors

We use a small set of infrastructure providers (hosting, authentication, payments, file storage) to run Praxy. Each is bound by data-protection obligations.

To develop

  • Publish the named sub-processor list with region and purpose.
  • Confirm each sub-processor's India data-residency support.

4. Security measures

  • Encryption in transit (TLS) and at rest.
  • Role-based access controls; least-privilege staff access.
  • Practice-scoped data isolation so one practice cannot see another's data.
  • Audit logging and regular reviews.

To develop

  • Document key management, backup cadence, and pen-test / audit schedule.

5. Data principal rights

Patients (data principals) can request access, correction, or erasure of their data. Because the doctor is the fiduciary, requests are fulfilled by the practice; Praxy provides the tools to action them.

6. Breach notification

If we become aware of a personal-data breach, we will notify affected fiduciaries (doctors) and the Data Protection Board as required, and support remediation.

To develop

  • Define the breach-response SLA and notification template.

7. Retention, deletion & portability

Data is retained while a practice is active. On request or account closure, we provide export and then delete data per our retention schedule. The bring-your-own tier gives practices full custody of their data.

To develop

  • State export formats and deletion timelines.

8. Contact

Questions about data handling, or to reach our Grievance Officer / DPO: [privacy@praxy.in].