Data Privacy & Security Policy

Effective Date: October 2024 | Version 2.1

1. Strict Adherence to Health Data Regulations

Sauti Care ("we", "our", "us") treats clinical and patient data with the highest degree of confidentiality and technical rigor. As an operator within the healthcare sector, our protocols are strictly aligned with the Kenya Data Protection Act of 2019, specifically concerning the processing of sensitive personal health data, and international best practices (such as HIPAA and GDPR frameworks).

2. Categories of Protected Health Information (PHI) Processed

Our platform operates as a Clinical Decision Support System (CDSS) and processes data strictly on behalf of our partner healthcare facilities (Data Controllers) as a Data Processor. The data encompasses:

  • Biometric Audio Streams: Temporary cache of vocal inputs utilized exclusively for real-time transcription and Natural Language Understanding (NLU). Audio files are actively destroyed post-processing unless explicit patient-provider consent is obtained for model continuous learning.
  • Structured Clinical Data: Vital signs, diagnostic codes (ICD-10/11), and triage (ESI) statuses generated during clinical encounters.
  • Medical Imaging: Radiological scans processed by our computer vision pipelines. These scans undergo strict de-identification (DICOM anonymization) before transit to cloud environments.
  • System Telemetry & Audit Trails: Immutable logs of user access and system events required for algorithmic auditing and forensic security analysis.

3. Data Residency and Cryptographic Controls

Data sovereignty is paramount. All identifiable Personal Health Information (PHI) resides within physically secured edge nodes located at partner facilities or within cloud zones geographically restricted to Kenya, fulfilling data localization mandates. We enforce AES-256 encryption for data at rest and TLS 1.3 for data in transit. We unequivocally prohibit the sale, unauthorized sharing, or commercial exploitation of any patient data.

4. Research Integrity and Model Governance

Sauti Care participates in global health research alongside academic partners such as King's College London. Any datasets exported for academic or algorithmic enhancement are heavily subjected to k-anonymity and l-diversity transformations. Our Institutional Review Board (IRB) framework ensures that research objectives never supersede individual privacy rights.

5. Governance and Data Protection Officer (DPO)

Sauti Care maintains an active compliance program. For inquiries regarding data subject access requests, breach notifications, or generalized privacy concerns, please engage our Data Protection Officer formally at legal@sauticare.com or privacy@sauticare.com.