Security Practices

Overview

FASTCLINIC LIMITED ("Fastclinic") operates a security programme designed for healthcare workloads, aligned with recognised frameworks and with obligations under the Nigeria Data Protection Act 2023 ("NDPA 2023"). This document summarises the controls we rely on. It is descriptive, not a warranty; specific commitments may appear in your Order, data processing agreement, or SLA.

Detailed control matrices, current penetration-test summaries, and subprocessor inventories are available to enterprise customers under appropriate confidentiality during procurement and renewal.

Identity and authentication

FastLogin is our unified identity platform. It enforces the following controls on every account:

  • Breach-password checks. Candidate passwords are checked against a large breach corpus during registration and password change; known-breached passwords are rejected at the point of entry.
  • Multi-factor authentication. Every account enrols a second factor at registration: an authenticator app (TOTP) or a phishing-resistant credential (WebAuthn / passkey). Backup recovery codes are generated for fallback.
  • Phishing-resistant factors for sensitive reach. Administrator accounts must hold at least two WebAuthn credentials (primary plus backup) from approved authenticator categories, with user verification on every ceremony. Healthcare professionals whose accounts can reach patient data are prompted to enrol a phishing-resistant factor before clinical scopes activate.
  • SMS used for identity proofing and recovery only. One-time SMS codes confirm ownership of a phone number at registration and support account recovery. They are not a primary sign-in factor — SIM swap cannot be used to bypass your password or your phishing-resistant credentials.
  • Step-up authentication for sensitive actions. Privilege changes, clinical data access, and other sensitive operations require a freshly completed strong-authentication ceremony, independent of your current session's age.

Administrator access

Administrator access to production systems is isolated from normal user traffic. We serve the administrator console on a separate subdomain, behind a network allowlist, using a short-lived server-side session with access tokens that never reach the browser. Administrators cannot reach production data without completing a phishing-resistant authentication ceremony; lost or compromised credentials trigger a dual-approval reset flow in which a second administrator must concur before the target account is restored.

Administrative scopes are fine-grained and least-privilege: the ability to view records, change records, approve clinical verifications, manage OAuth2 clients, and read the audit trail are all separate privileges that must be granted individually. Granting or revoking any privilege writes an entry to the tamper-evident audit log and fires an operational alert.

Encryption

Data in transit between clients and our services is protected using modern transport layer security, with configurations reviewed to deprecate weak ciphers. Data at rest is encrypted using AES-256 or stronger equivalents on storage layers under our control, including databases, object storage, and backups.

Sensitive fields — including provider verification records — are additionally wrapped under an envelope encryption scheme so that database access alone does not reveal the plaintext. Cryptographic keys are managed through cloud provider key management services, with segregation of duties for administrative access and a documented rotation procedure.

Access control

Access to production systems and customer data by Fastclinic personnel follows least privilege and need-to-know principles. We enforce multi-factor authentication for every staff role with production access, single sign-on where integrated, and role-based access control within applications. Privileged access is time-bound, scoped, logged, and periodically reviewed.

Customers configure their own user roles and permissions within the platform; we provide templates aligned with common clinical and administrative segregation patterns.

Audit logging and integrity

We generate security-relevant logs for authentication events, privilege changes, verification decisions, data-export operations, and OAuth2 client management. Audit entries are hash-chained — each row commits the cryptographic hash of its predecessor, so any later modification or deletion of a historical row breaks the chain and is detectable at verification time. A daily root hash is published to write-once storage for long-term integrity.

The audit writer refuses to accept secret material (tokens, passwords, cryptographic keys, session identifiers); attempts to log such fields are rejected at the write layer. Access to the audit log is read-only for routine administrative roles, with schema-level enforcement preventing modification by the application itself.
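
A minimal sketch of the hash chaining and write-layer rejection described above, added here as an illustration and not Fastclinic's implementation. The field names, the deny-list, the event format and the choice of SHA-256 are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # predecessor value for the first row
# Assumed deny-list; the page names the categories, not the field names.
SECRET_FIELDS = {"token", "password", "private_key", "session_id"}

def row_hash(prev_hash, event):
    # Canonical JSON so an unchanged event always hashes identically.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, event):
    """Append an event; reject secret-bearing top-level fields at write time."""
    bad = SECRET_FIELDS & {key.lower() for key in event}
    if bad:
        raise ValueError(f"refusing to log secret fields: {sorted(bad)}")
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "event": dict(event), "hash": row_hash(prev, event)})

def verify(log, published_root=None):
    """Return the index of the first inconsistent row, or None if intact."""
    prev = GENESIS
    for i, row in enumerate(log):
        if row["prev"] != prev or row["hash"] != row_hash(prev, row["event"]):
            return i
        prev = row["hash"]
    # Dropping rows from the tail leaves a self-consistent chain, so the
    # final hash is also compared with the separately stored root.
    if published_root is not None and prev != published_root:
        return len(log)
    return None

def sample_log():
    # Constructed sample events, not real audit data.
    log = []
    append(log, {"actor": "admin-1", "action": "grant", "scope": "audit.read"})
    append(log, {"actor": "admin-2", "action": "approve_reset", "target": "admin-1"})
    append(log, {"actor": "admin-1", "action": "export", "rows": 40})
    return log

if __name__ == "__main__":
    log = sample_log()
    root = log[-1]["hash"]
    log[1]["event"]["target"] = "admin-9"   # edit a historical row
    print("first broken row:", verify(log, root))
```

Verification without the stored root detects edits and mid-chain deletions but not removal of the most recent rows, which is the gap a separately published root closes.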

Enterprise customers may access audit trails through product interfaces or API exports subject to their subscription tier, supporting their own compliance programmes.

Infrastructure and availability

Production workloads run on reputable cloud infrastructure with redundancy across availability zones, automated scaling, and documented disaster-recovery procedures. Backups are encrypted, tested on a defined cadence, and stored separately from primary systems to mitigate ransomware and accidental deletion risks.

Network segmentation limits lateral movement; firewalls and web application protections are deployed at perimeter and application layers. Administrator interfaces are additionally isolated on a separate hostname with restricted network access.

Fraud and abuse prevention

For accounts with clinical reach, we apply rule-based risk signals at sign-in: recognition of previously used devices, country-level changes in access, logins outside a user's typical pattern, and periods of prolonged inactivity. A sufficiently anomalous combination triggers a step-up challenge using your enrolled strong factor. These signals do not silently deny service — the user is always told what additional verification is needed.

Signals are retained for thirty (30) days in an append-only forensic store and purged automatically. Rate limiting applies to authentication endpoints and sensitive API routes. Suspected abuse is escalated for human review; administrative suspension of an account is audit-logged.

Incident response

We maintain a written incident-response runbook covering detection, containment, assessment, notification, and post-incident review. Security incidents involving personal data are assessed against NDPA 2023 notification criteria; where we are the controller, we notify affected data subjects and the NDPC within the statutory seventy-two (72) hour window where required. Where we act as processor, we notify the affected controller without undue delay and in any event within the window agreed in our data processing agreement.

Report suspected incidents to contact@fastclinic.xyz with subject "Security Incident" and include available timestamps, identifiers, and indicators of compromise. We run a quarterly tabletop exercise against the runbook; lessons from each exercise are folded into the runbook and our threat model.

Vulnerability management

We perform regular vulnerability scanning, dependency review, and patch management. Critical security patches are prioritised according to severity, exploitability, and exposure. We operate a coordinated disclosure process for external researchers and customers who identify vulnerabilities in our products (see Responsible disclosure).

Application security practices include secure-development training, code review, static analysis, and independent penetration testing. A scoped external penetration test against our identity and administrator surfaces is planned, with remediation service-levels aligned to finding severity (critical: 7 days, high: 30 days, medium: 90 days).

Vendor and subprocessor risk

Subprocessors with access to personal data or material security functions undergo security and privacy due diligence, including review of SOC 2 reports, ISO certifications, or equivalent evidence where available. Contracts impose confidentiality, breach-notification, and assistance obligations consistent with NDPA 2023 and our data-processing agreement template. A named list of principal subprocessors is published in our Privacy Policy; enterprise customers receive the full list and thirty (30) days' notice of material changes.

Compliance posture

We align our programme to NDPA 2023 and track established external assurance frameworks. A SOC 2 Type II gap assessment is in progress; achieving certification is a multi-quarter programme and we will update this section when milestones are reached. Mention of a framework does not imply certification in all domains until expressly stated here in writing.

As a Nigerian company incorporated under CAMA 2020, we maintain corporate records and governance practices required for regulatory and contractual transparency. Our accounting, auditor, and director filings are lodged with the Corporate Affairs Commission as required.

Customer responsibilities

Security is shared. You are responsible for user provisioning and deprovisioning, rotation of shared secrets, endpoint security on devices used to access the Services, secure API-key storage, and configuration of integrations. Misconfiguration or compromised customer credentials remain leading causes of unauthorised access; we strongly recommend enrolling a phishing-resistant factor on every administrative account and requiring it for clinical tools.

Responsible disclosure

We welcome coordinated disclosure of security vulnerabilities. Report issues to contact@fastclinic.xyz with subject "Security Vulnerability." Please give us a reasonable opportunity to investigate and remediate before any public disclosure, and avoid actions that would degrade service, access data without authorisation, or violate applicable law. We will acknowledge reports, provide an initial assessment, and credit researchers on request where helpful to your work.