Security, Trust & Regulatory Compliance | OpesCare
Core Priority

Security and responsibility built into every layer.

We protect sensitive health data through institutional-grade security protocols, comprehensive auditing, a compliance-first architecture, and full alignment with Cameroon law and international digital health standards.

End-to-End Encryption

All patient data is encrypted both at rest and in transit using industry-standard AES-256 and TLS 1.3 protocols.

Comprehensive Auditing

Every single access request, data exchange, and consent change is recorded in an immutable audit log, viewable by patients and facility admins.

Consent-Based Access

Access to sensitive clinical information is strictly controlled by patient consent, except in verified and audited emergency scenarios.

Compliance First

Designed to align with global health data protection standards (GDPR, HIPAA principles) and local Cameroonian regulations.

Infrastructure Integrity

Our platform is hosted in secure, highly-available data centres with 24/7 monitoring and automated threat detection.

  • Regular penetration testing and vulnerability scanning
  • Zero-trust network architecture — no implicit trust
  • Multi-factor authentication (MFA) enforced for all staff
  • Automatic failover and high-availability deployment
  • Immutable audit logs — cannot be altered after creation

Technical security controls

A layered security model protects patient data at every stage of processing and transmission.

AES-256 Encryption at Rest

All stored patient data, audit logs, and access tokens are encrypted using AES-256.

TLS 1.3 in Transit

All API communications are encrypted using TLS 1.3. Older protocol versions are rejected.

OAuth 2.0 with Short-Lived Tokens

API access tokens expire quickly. Refresh tokens are rotated on use.

Biometric OTP Support

The patient portal supports TOTP-based 2FA as an additional authentication layer.

OWASP Top 10 Mitigations

The platform is developed with OWASP Top 10 mitigations applied at every endpoint.

Immutable Audit Logs

Every access event is written to an append-only audit store and cannot be modified.
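An added illustration of the two controls described above, consent-gated access with an audited emergency override and an append-only, hash-chained audit store; this is example code, not OpesCare's own implementation, and the patient and clinician identifiers are constructed sample values.

```python
import hashlib, json

class AuditLog:
    """Append-only store; each entry's hash commits to the previous entry's hash (a hash chain)."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True

def authorize_access(consents, audit, patient_id, clinician_id, emergency=False, justification=""):
    """Allow only with patient consent, or via a justified emergency override.
    The decision is appended to the audit log before the result is returned."""
    if clinician_id in consents.get(patient_id, set()):
        decision = "allow"
    elif emergency and justification:
        decision = "emergency_override"  # break-glass path: always logged with its reason
    else:
        decision = "deny"
    audit.append({"patient": patient_id, "clinician": clinician_id,
                  "decision": decision, "justification": justification})
    return decision != "deny"

def demo():
    # Constructed sample data: one patient who has consented to one clinician.
    consents = {"pt-001": {"dr-ada"}}
    log = AuditLog()
    results = (authorize_access(consents, log, "pt-001", "dr-ada"),
               authorize_access(consents, log, "pt-001", "dr-bob"),
               authorize_access(consents, log, "pt-001", "dr-bob", True, "ER admission"))
    intact = log.verify()
    log.entries[1]["event"]["decision"] = "allow"  # simulated after-the-fact tampering
    return results, intact, log.verify()
```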

Regulatory and Standards Compliance

OpesCare is designed to meet and exceed the requirements of Cameroon law and international digital health frameworks.

Cameroon Law No. 2010/012

Cybersecurity and Personal Data Protection Act — governs lawful processing, consent requirements, data subject rights, and breach notification obligations.

MINSANTE Digital Health Strategy 2026–2030

National roadmap for Cameroon health digitalization, EHR interoperability, and telemedicine. OpesCare is architected to serve as an interoperability backbone.

WHO Global Strategy on Digital Health 2020–2025

World Health Organization international framework for patient-centred digital health, data governance, and health system interoperability.

HL7 FHIR R4

Fast Healthcare Interoperability Resources version 4 — the global standard for structured health data exchange, used for all OpesCare API health record payloads.

African Union Malabo Convention

African regional data protection framework setting minimum standards for personal data processing and cross-border data transfers within Africa.

ISO/IEC 27001 Principles

Information security management principles applied to infrastructure, access control, and incident response throughout the OpesCare platform.

Data Breach Response Protocol

We maintain a documented incident response plan consistent with Cameroon Law No. 2010/012 and WHO health data governance standards.

0–1 h

Detection & Containment

Automated monitoring systems detect and flag anomalous access events. The on-call security team is immediately alerted to contain the incident.

1–24 h

Internal Assessment

The security team assesses the scope, affected data categories, and number of data subjects. A clinical impact assessment is initiated.

24–72 h

Regulatory Notification

ANTIC (Cameroon cybersecurity authority) and, where relevant, MINSANTE are notified within 72 hours of confirmed breach, as required by law.

≤ 72 h

Patient Notification

Affected patients are notified directly via their registered contact with clear information about what data was involved, what we are doing, and what steps they can take.

Post-event

Review & Remediation

A full post-incident review is conducted. Technical and procedural improvements are implemented and documented.

Responsible Disclosure

If you believe you have found a security vulnerability in the OpesCare platform, please contact our security team directly. We commit to acknowledging receipt within 48 hours and providing a timeline for resolution. We do not pursue legal action against researchers who report in good faith.
