Compliance & Trust

Designed for India's regulatory foundation as our first market.

Healthcare data is among the most sensitive data a person owns. Compliance is not a marketing layer for us — it is encoded into the architecture, audited continuously, and surfaced transparently below. As we expand into new markets, our compliance posture will extend accordingly.

01 — Frameworks

Every framework that matters in our launch market.

Eight regulatory and accreditation bodies cover the operational surface of Indian healthcare. Zeeva is built to satisfy all of them — at the architecture layer, not the policy layer. As we enter new markets, we'll surface the equivalent local frameworks here.

ABDM
Ayushman Bharat Digital Mission
National Health Authority · Govt. of India

Full ABDM gateway certification. Health ID (ABHA), Health Locker, HIE-CM (Consent Manager), HFR (Facility Registry), and HPR (Healthcare Professional Registry) endpoints — all certified in Sandbox and Production.

Certified · Production

DPDP
Digital Personal Data Protection Act
Ministry of Electronics & IT · 2023

Designated Data Fiduciary architecture. Consent-first data flows, granular per-record permissions, breach notification within 72 hours, full data principal rights surface — access, correction, erasure, portability.

Compliant by default

IT
Information Technology Act
Government of India · 2000 (as amended)

Section 43A reasonable security practices. SPDI Rules 2011 compliance for sensitive personal data. Section 79 intermediary safe-harbour processes for grievance officer designation and content takedown.

Compliant

NMC
National Medical Commission
Statutory · Govt. of India

Every clinician on the platform is verified against the NMC and state-council registries before activation. Telemedicine practice guidelines (2020) enforced for remote consultations. CME tracking integrated.

Live verification

NABH / NABL
Hospital & Lab Accreditation
QCI · Quality Council of India

NABH (hospitals) and NABL (laboratories) accreditation status surfaced on every facility profile. Patients can filter for accredited care. Audit trails maintained for every clinical and laboratory transaction.

Verified surfacing

IRDAI
Insurance Regulatory Authority
Govt. of India

All insurer and TPA partners on the platform are IRDAI-registered. Claims processing follows IRDAI Health Insurance Regulations 2016 and the Health Claims Exchange (HCX) standards published by NHA.

Registered partners only

AERB
Atomic Energy Regulatory Board
DAE · Govt. of India

AERB approval status verified for all imaging diagnostic centres operating CT, PET-CT, gamma camera, and other regulated equipment. Compliance status surfaced to patients booking imaging appointments.

Verified surfacing

CDSCO
Central Drugs Standard Control
Ministry of Health · Govt. of India

Drug License (Form 20/21) verification for all pharmacies. Schedule H/H1/X enforcement at the e-prescription layer. Cold-chain monitoring hooks for distributors handling regulated biologics and vaccines.

License verified

02 — Data Residency

Indian patient data. Indian soil. By design.

For our India launch market, every byte of identifiable patient health data lives within Indian borders. Two regions for resilience. No cross-border processing of PHI. No shadow copies. As we expand into new markets, the same residency-by-region principle applies.

Architecture

Two regions, both within India.

  • Primary region — production workloads, real-time processing, primary database cluster within India.
  • Replication region — synchronous replication, disaster recovery, automated failover, also within India.
  • Daily encrypted backups retained for 35 days, archived backups for 7 years per ABDM retention guidance.
  • Zero cross-border egress of identifiable patient data. No third-party SaaS that processes PHI outside India.
  • Cryptographic isolation between data fiduciaries — multi-tenant, zero-knowledge separation.

Aligned with DPDP Act 2023 §16 and the National Health Authority's Health Data Management Policy. Specific data-centre locations are disclosed under NDA to enterprise partners during procurement review.

[Region diagram: Region A (primary) and Region B (replica), both within India, the launch market]

03 — Security Posture

Defense in depth.

Layered security controls covering identity, network, application, data-at-rest, data-in-transit, and operational practices. Audited annually and continuously monitored.

Encryption — at rest & in transit
AES-256 for data at rest. TLS 1.3 for data in transit. Per-tenant key isolation with rotation. PHI fields are encrypted at the field level with envelope keys managed in an HSM.
FIPS 140-2 Level 3 HSM

Identity & access
MFA mandatory for clinical staff. Role-based access with attribute-based overlays. All access logged, retained, and reviewable by the data principal under DPDP rights.
FIDO2 · WebAuthn

Application security
OWASP ASVS Level 2 baseline. Quarterly third-party penetration testing. Bug bounty programme open to security researchers. Continuous SAST/DAST in CI.
CERT-In empanelled audits

Audit & logging
Every data access, modification, and consent change is logged to an immutable trail. Retained per ABDM and DPDP guidance. Patients can access an audit log of who accessed their data.
Tamper-evident logs

Incident response
24×7 SOC monitoring. Documented incident-response runbooks. CERT-In reporting within 6 hours, DPDP breach notification to the Data Protection Board within 72 hours.
CERT-In · Data Protection Board

Operational controls
ISO/IEC 27001 baseline. SOC 2 Type II in progress. Background-verified personnel. Privileged access requires four-eyes approval and time-bound issuance.
ISO 27001 · SOC 2 Type II

04 — Designated Officers

A name. A face. A response within hours.

Under both the DPDP Act and IT Act, certain officer designations are mandatory. We publish them transparently. You can reach them directly, in any of three languages.

IT Act 2000 · Rule 3(11)

Grievance Officer

For grievances related to platform usage, intermediary obligations, or content. Acknowledges within 24 hours, resolves within 15 days as required by law.

EMAIL   grievance@ecolozical.com
HOURS   Mon–Fri · 09:00 — 18:00 IST
SLA     Acknowledge 24h · Resolve 15d

DPDP Act 2023 · §10

Data Protection Officer

For data principal rights — access, correction, erasure, portability, consent withdrawal. Independent reporting line to the board. Available in English, Hindi, and Telugu.

EMAIL   dpo@ecolozical.com
HOURS   Mon–Fri · 09:00 — 18:00 IST
SLA     Acknowledge 48h · Resolve 30d

05 — Policies

The full text.

Policy versions

All policies are versioned. Material changes are notified to registered users via email and dashboard banner at least 30 days before they take effect, in accordance with DPDP §6.

Trust is not a slogan we put on a marketing page. It is a property of the architecture.

Need a security review or compliance pack?

For enterprise procurement, we maintain a vendor security questionnaire library, evidence packs, audit reports, and a dedicated compliance contact. Reach out and we'll send the right document.