Security Architecture: DPDP & HIPAA Compliance
Protecting mental health data is an absolute operational requirement for clinical practice. The enactment of India's Digital Personal Data Protection (DPDP) Act of 2023 fundamentally alters how personal health data is processed. Patient transcripts, handwritten notes, and medical histories are classified as "unequivocally high-risk"—meaning that mishandling this data carries severe consequences, including fines scaling up to ₹250 crore.
SynapseAI is engineered to exceed these compliance standards, ensuring psychiatrists can implement AI-assisted documentation without compromising patient confidentiality.
Regulatory Fundamentals: DPDP Act & HIPAA
Operating at the intersection of psychology and technology requires navigating rigid legal frameworks designed to protect personal data processing.
DPDP Act (India): The DPDP Act functions on a clear "Data Fiduciary" and "Data Principal" relationship. It mandates that any personal data processing must be bound by clear, specific, and revocable consent. Additionally, it imposes strict requirements on data minimization—collecting only what is strictly necessary—and purpose limitation, meaning data collected for clinical charting cannot be repurposed for marketing or model training.
HIPAA (United States): Although SynapseAI is based in India, adhering to the US Health Insurance Portability and Accountability Act (HIPAA) establishes a gold standard for digital health platforms globally. HIPAA's Security Rule requires specific administrative, physical, and technical safeguards. These include robust Access Controls, Entity Authentication, and Audit Controls to track every individual who accesses Protected Health Information (PHI). We leverage these global standards to reinforce our local DPDP compliance.
End-to-End Encryption Standards
Our infrastructure relies on defense-in-depth engineering principles:
- Data at Rest: All digitized clinical notes and patient identifiers are encrypted via AES-256 at the PostgreSQL database level natively within Supabase.
- Data in Transit: Connections between the Synapse web portal and our backend servers require strict TLS 1.3 encryption, so that uploaded data cannot be read or altered in transit.
- Zero-Retention Processing: The Synapse web portal captures photos of handwritten session notes and transmits them to enterprise-tier Google Vertex AI. Vertex AI performs secure Vision-to-Text extraction to structure the data. Handwritten artifacts and generated summaries are strictly isolated; they are never stored persistently on the physical device, and they are never utilized to train public foundation models—ensuring zero data leakage during inference.
Explicit Consent Frameworks
The DPDP Act explicitly outlaws broad, blanket consent models for sensitive health data. Data Fiduciaries must obtain specific, informed, and revocable consent. SynapseAI automates purpose-specific consent acquisition prior to consultation.
Before the consultation begins, the platform prompts the patient (typically via a verifiable WhatsApp OTP flow or an in-clinic terminal) to grant explicit consent strictly intended for "clinical documentation generation" via optical character recognition of notes. This establishes an immutable audit trail, maintaining compliance with the requirement that consent be specific and documented.
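As an added example (not SynapseAI's own code), the following Python sketch models the consent behaviour described above: a default-deny ledger in which consent is bound to one named purpose, can be revoked, and whose entries are hash-chained so that any later edit to the audit trail is detectable. The patient identifier, timestamps and channel label are constructed sample values.

```python
import hashlib
import json

# Added example, not SynapseAI's code: a purpose-bound, revocable consent
# ledger. Events are SHA-256 chained so the audit trail is tamper-evident,
# and any purpose the patient never granted is refused by default.
GENESIS = "0" * 64
CHARTING = "clinical documentation generation"

def _digest(prev_hash, body):
    return hashlib.sha256((prev_hash + json.dumps(body, sort_keys=True)).encode()).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.entries = []

    def record(self, kind, patient_id, purpose, ts, channel=None):
        # kind is "grant" or "revoke"; channel (e.g. WhatsApp OTP) documents how consent was captured
        body = {"type": kind, "patient": patient_id, "purpose": purpose, "ts": ts, "channel": channel}
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append(dict(body, prev_hash=prev_hash, hash=_digest(prev_hash, body)))

    def is_permitted(self, patient_id, purpose):
        # Default deny: only the latest event for this exact purpose decides.
        allowed = False
        for e in self.entries:
            if e["patient"] == patient_id and e["purpose"] == purpose:
                allowed = e["type"] == "grant"
        return allowed

    def verify_chain(self):
        # Recompute every hash; an edited or reordered entry breaks the chain.
        prev_hash = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev_hash", "hash")}
            if e["prev_hash"] != prev_hash or e["hash"] != _digest(prev_hash, body):
                return False
            prev_hash = e["hash"]
        return True

def demo():
    # Constructed sample values: patient id, timestamps and channel are illustrative.
    ledger = ConsentLedger()
    ledger.record("grant", "PT-0001", CHARTING, "2024-06-01T09:00:00Z", channel="whatsapp-otp")
    out = {"charting": ledger.is_permitted("PT-0001", CHARTING),
           "training": ledger.is_permitted("PT-0001", "model training"),
           "chain_ok": ledger.verify_chain()}
    ledger.record("revoke", "PT-0001", CHARTING, "2024-06-08T10:00:00Z")
    out["charting_after_revoke"] = ledger.is_permitted("PT-0001", CHARTING)
    ledger.entries[0]["purpose"] = "model training"  # simulate after-the-fact tampering
    out["chain_ok_after_tamper"] = ledger.verify_chain()
    return out
```

A request to use the same notes for model training is refused because that purpose was never granted, and rewriting a stored entry to claim otherwise invalidates the chain.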
References
- The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023). MeitY PDF.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA). U.S. Department of Health & Human Services. Summary of the HIPAA Security Rule.
- Advanced Encryption Standard (AES). National Institute of Standards and Technology (NIST) FIPS PUB 197. NIST Publication.
- Supabase Compliance Certifications. SOC2 Type II and HIPAA. Supabase Trust Center.