Security Practices

Overview

FASTCLINIC LIMITED ("Fastclinic") implements a security programme designed for enterprise healthcare workloads, aligned with recognised frameworks and with obligations under the Nigeria Data Protection Act 2023 (NDPA 2023). This document summarises key technical and organisational measures. It is descriptive, not a warranty; specific commitments may appear in your Order, data processing agreement, or SLA.

Detailed control matrices, penetration test summaries, and subprocessors are available to customers under appropriate confidentiality during procurement and renewal.

Encryption

Data in transit between clients and our services is protected using industry-standard transport layer security (TLS), with configurations reviewed to deprecate weak ciphers. Data at rest is encrypted using AES-256 or stronger equivalents on storage layers under our control, including databases, object storage, and backups, except where legacy edge cases are documented with compensating controls and remediation timelines.

Cryptographic keys are managed through cloud provider key management services or hardware security modules where available, with segregation of duties for administrative access.

Access control

Access to production systems and customer data by Fastclinic personnel follows least privilege and need-to-know principles. We enforce multi-factor authentication for administrative consoles, single sign-on where integrated, and role-based access control within applications. Privileged access is time-bound, logged, and periodically reviewed.

Customers configure their own user roles and permissions within the platform; we provide templates aligned with common clinical and administrative segregation patterns.

Audit logging and monitoring

We generate security-relevant logs for authentication events, administrative changes, data exports where enabled, and critical configuration updates. Logs are retained for periods consistent with security investigation needs, contractual requirements, and NDPA 2023 storage limitation principles. Automated monitoring and alerting help detect anomalous patterns indicative of misuse or attack.

Customers may access audit trails through product interfaces or API exports subject to their subscription tier, supporting their own compliance programmes.

Infrastructure and availability

Production workloads run on established cloud infrastructure, with redundancy across availability zones where the architecture provides for it, automated scaling, and documented disaster recovery procedures. Backups are encrypted, tested on a defined cadence, and stored separately from primary systems to mitigate ransomware and accidental deletion risks.

Network segmentation limits lateral movement; firewalls and web application protections are deployed at perimeter and application layers as appropriate.

Incident response

We maintain an incident response plan covering detection, containment, eradication, recovery, and post-incident review. Security incidents involving personal data are assessed for notification obligations under NDPA 2023 and contractual duties to customers; we will coordinate with affected controllers (customers) where we act as processor.

Report suspected incidents to contact@fastclinic.xyz with the subject "Security Incident" and include available timestamps, identifiers, and indicators of compromise.

Vulnerability management

We perform regular vulnerability scanning, dependency review, and patch management. Critical security patches are prioritised according to severity, exploitability, and exposure. We operate a coordinated disclosure process for external researchers and customers who identify vulnerabilities in our products.

Application security practices include secure development training, code review, static analysis, and periodic penetration testing by qualified independent testers.

Vendor and subprocessor risk

Subprocessors with access to personal data or material security functions undergo security and privacy due diligence, including review of SOC 2 reports, ISO certifications, or equivalent evidence where available. Contracts impose confidentiality, breach notification, and assistance obligations consistent with NDPA 2023 and our data processing agreement template.

Compliance certifications and attestations

We pursue independent assurance appropriate to our market, which may include SOC 2 Type II reports, ISO/IEC 27001 certification, or mapped control attestations. Availability of specific reports is limited to customers under NDA and may be updated as our programme matures. Mention of a framework does not imply certification in all domains until expressly stated in writing.

As a Nigerian company incorporated under the Companies and Allied Matters Act 2020 (CAMA 2020), we maintain corporate records and governance practices required for regulatory and contractual transparency.

Customer responsibilities

Security is shared: you are responsible for user provisioning and deprovisioning, password policies, endpoint security on devices used to access the Services, secure API key storage, and configuration of integrations. Misconfiguration or compromised customer credentials remain leading causes of unauthorised access; we strongly recommend multi-factor authentication for all administrative accounts.