End-to-end encryption
- ✓AES-256 for all data at rest
- ✓TLS 1.3 minimum for all communications
- ✓End-to-end encrypted patient-doctor messaging
- ✓Keys rotated automatically (every 90 days)
Trust & transparency
Your health, well guarded
Sahha handles some of the most sensitive health data. Here is how we protect it: end-to-end encryption, local hosting, CNDP/GDPR compliance, and responsible vulnerability disclosure.
Our 6 security pillars
100% Morocco hosting
- ✓Hetzner servers in Helsinki & Falkenstein (EU)
- ✓Mirror replicas in Morocco for sensitive data
- ✓No transfer outside the EU without explicit consent
- ✓Cloudflare CDN for static content only
Legal compliance
- ✓Law 09-08 (CNDP Morocco) — Filing No. XXXX
- ✓GDPR for MRE and European patients
- ✓Medical code of conduct (ONMP)
- ✓Law 31-13 — right of access to information
Access controls
- ✓Two-factor authentication (2FA) mandatory for doctors
- ✓JWT sessions with automatic rotation
- ✓Audit logs of all access to records
- ✓Automatic logout after 30 min of inactivity
Continuous testing & audits
- ✓Weekly vulnerability scan (Snyk)
- ✓Bi-annual external pentests
- ✓Informal bug bounty — CVE rewards
- ✓Mandatory code review on sensitive changes
Patient privacy
- ✓No data resale (AivenMedia model = contextual ads)
- ✓No behavioural profiling based on conditions
- ✓Full data export (GDPR portability)
- ✓Right to be forgotten — full deletion on request
🐛
Found a vulnerability?
We value security researchers. If you discover a flaw, please report it via [email protected].
⏱️ Reply within 48h
Working-hours acknowledgement guaranteed
🎁 Bug bounty
Rewards for critical vulnerabilities
📅 90-day disclosure
Responsible Disclosure standard
/.well-known/security.txt (RFC 9116)
Policies & legal documents
All systems operational