Security & compliance
Patient data is sacred. We treat it that way.
What follows is what we actually do today and what's on the roadmap — for the IT lead, the compliance officer, and the hospital owner who needs to know. We're upfront about what's operational versus what's coming, and we don't claim certifications or capabilities that aren't real yet.
Data isolation
Every read and write that touches your data is automatically scoped to your hospital — at the application boundary, before queries reach the database. We're adding deeper enforcement layers underneath; the application boundary has carried the load since the first deployment.
Tenant boundaries
Tenant-scoping enforced at the framework layer
Cross-tenant queries can't be written by accident — the framework refuses them. Every record carries a tenant key; every request runs in a tenant context. This has been the core isolation mechanism since the first deployment.
Defense in depth
Adding database-layer enforcement
We're rolling out a second isolation boundary at the database layer, so even an internal misuse path can't return another hospital's data. Engineering is in progress across the schema.
Your data does not train our models
No cross-tenant analytics or model training
ACOS uses AI for clinical decision support and documentation. We do not train models on your patient data. Third-party models we use are configured for zero retention of prompts and completions.
Production access is limited
Engineering access is restricted and logged
Production data access by ACOS staff is restricted to a small named team, used only for incident response or explicit support requests, and logged. Logs are reviewable by your hospital on request.
Access control
Doctors see clinical data. Cashiers see billing. Pharmacists see prescriptions. Roles defined per hospital, granular to individual permissions.
Multi-site hospitals can scope access to a specific unit or branch — staff at one location don't see records from another unless explicitly granted.
Industry-standard session controls: secure HTTP-only cookies, automatic timeout after idle, rotating session tokens. No session data exposed to client storage.
Password policy is configurable per hospital. Minimum length and complexity rules are enforced at sign-in. Failed attempts are rate-limited and logged.
Administrative actions — role changes, permission grants, user creation, data exports — are logged separately and reviewable by hospital administrators.
Disable a staff account from a single screen; active sessions terminate within minutes. The audit trail preserves their historical actions.
Unusual access patterns — a clinician viewing hundreds of records they don't normally see — surface for administrator review.
Encryption & data handling
In transit
Encrypted on every connection
All traffic to and from ACOS runs over TLS — clinician laptops, lab integrations, payment processors, partner systems. No plain-HTTP fallback, anywhere.
At rest
Encrypted at the storage layer
Database, file storage, and backups are encrypted at rest using cloud-managed encryption. Encryption keys are managed by AWS KMS and never accessible in plaintext to ACOS staff.
Hosting
AWS, with regional options
ACOS runs on AWS. Hospitals with data residency requirements can request a specific region. Hosting inherits AWS's security certifications and runs on HIPAA-eligible services.
Backups
Automated, encrypted, geographically separated
Database backups run automatically with point-in-time recovery for recent activity and longer-retention snapshots for compliance. Backups are encrypted and stored in a separate region.
Audit and accountability
Healthcare runs on accountability. Who changed what charge. Who logged in from where. Who modified which clinical record. ACOS records this for your administrators, your compliance team, and any regulator who asks.
Every create, update, and delete is logged with user, timestamp, and the change captured. Logging is built in across modules so a workaround in one corner of the app doesn't bypass it.
Sign-ins, sign-outs, session timeouts, failed attempts, and password resets — recorded with user, timestamp, and source IP.
Audit data is exportable in standard formats for inspection by the Ministry of Health, Ghana Health Service, or contracted compliance bodies.
Hospital administrators can review recent privileged actions, sign-in patterns, and data exports from a built-in dashboard.
Patients (or their authorised representatives) can request a list of every staff member who accessed their record, with timestamps.
Compliance
We're transparent about what's in place today and what's on the roadmap. We don't list certifications we don't have.
Ghana Data Protection Act (Act 843)
ACOS operates in alignment with Ghana's Data Protection Act. Patient data rights — access, correction, deletion — are supported through hospital administrators. Breach notification follows the 72-hour disclosure requirement.
HIPAA-style controls
Underlying AWS services are HIPAA-eligible. We follow HIPAA-style administrative, physical, and technical safeguards as a security baseline, even though HIPAA itself is a U.S. regulation.
ICD-10 coding
ICD-10 diagnosis and procedure codes are supported across clinical documentation, including IPD discharge summaries.
HL7 v2, FHIR R4, LOINC, SNOMED CT
Deeper interoperability standards are sequenced into the integration roadmap. Available today through targeted integrations on a per-hospital basis.
ISO 27001
ISO 27001 certification is on our roadmap as we scale. We're applying its information security management framework today as our internal baseline.
Incident response
The honest answer to 'what happens during a security incident' is the difference between a vendor and a partner.
Detection
24/7 monitoring across infrastructure
Automated alerting on infrastructure anomalies, failed authentication patterns, and unusual data access. On-call engineer paged for incidents that meet defined severity thresholds.
Notification
72-hour direct disclosure
If an incident affects your hospital's data, you hear from us directly — by phone and in writing — within 72 hours of confirmation, in line with the Ghana Data Protection Act.
Response
Coordinated remediation with your team
We work alongside your IT lead through containment and remediation. Affected systems are taken offline if needed; restoration is logged and verified before service resumes.
Review
Post-incident review shared with you
After resolution, we share a written review of what happened, what we changed, and what we'd do differently. Sent to affected hospitals — not buried.
For procurement teams
If you're working through a vendor security review, the following are available on request — typically within five business days, faster for active sales conversations.
We're a maturing company on a clear path: formal disaster recovery and business continuity plans and ISO 27001 certification are sequenced into our roadmap as we scale. We'd rather tell you what we have than promise what we don't.
The ask
Send us your questionnaire — SIG, CAIQ, custom, doesn't matter. We respond within five business days. Or book a call to walk through the specifics for your facility.