Security & Compliance

Enterprise-grade security built for healthcare data.

Your patients’ data deserves the highest level of protection. NOXV is built from the ground up with security-first architecture.

Security Pillars

Four foundational layers that protect every byte of patient data.

End-to-End Encryption

TLS 1.2+ in transit, AES-256 at rest, AES-256-GCM for OAuth tokens (12-byte IV, 16-byte auth tag). scrypt for passwords (16-byte salt, 64-byte key, timing-safe comparison). Zero plaintext storage of sensitive data.

Access Control

RBAC with Organization Owner and Tenant Admin roles. Four-layer NestJS guards: AuthGuard, RolesGuard, TenantAccessGuard, OwnerOnlyGuard. External IdP support (OAuth2/OIDC). API key auth with prefix-based identification, expiration, and revocation.

Audit Logging

Every data access, creation, update, and deletion recorded with actor identity, timestamp, IP, and full change diff. LLM audit trail: model, token count, latency, cost, request hash. Event-loop lag monitoring.

Data Residency

Deployable in KSA/GCC cloud regions. Data localization option available. Full documentation of all data flow paths.

Regulatory Compliance

Built to meet the strictest healthcare data protection standards.

Saudi PDPL

Aligned with PDPL enforced by SDAIA. Data subject rights: access, rectification, erasure, restriction, portability, and withdraw consent. 30-day response time.

NCA Cybersecurity Controls

Platform follows NCA Essential Cybersecurity Controls (ECC) guidelines for comprehensive security posture.

Data Processing Agreements

Comprehensive DPA for every client. Sub-processor list with purposes and locations. 48-hour breach notification. Annual audit rights.

AI Data Protection

OpenAI Enterprise API: no training on customer data. Structured output validation via Zod schema. Prompt injection protection. Content filtering. Token auditing. Model pinning.

Infrastructure Security

Multi-Tenant Isolation

tenantId foreign key on all tables. Pre-built row-level security (RLS). No cross-tenant access at API or database level.

Rate Limiting & DDoS Protection

Redis-backed sliding window: 10 req/5s per session, 100 req/60s per tenant. Fail-open if Redis unavailable to maintain availability.

Resilience & Recovery

Circuit breaker for Google Calendar (5 failures, 30s cooldown, half-open test). Async persistence queue (Redis) with DLQ. Daily full backups (30 days), 6h incremental (7 days), continuous PITR (7 days).

Input Validation & Content Safety

NestJS ValidationPipe with whitelist mode. Content safety filter (Arabic + English). 500-char message limit. Parameterized queries (Prisma ORM). No user-generated HTML.

Security Resources

Data Processing Agreement Service Level Agreement Privacy Policy

Have security questions?

Our team is ready to discuss your specific security and compliance requirements.

Contact Security Team