Security & trust
How Miruwa protects patient data, in plain language. Questions we haven't answered here: ask us directly.
One hospital, one instance
Every production hospital runs its own dedicated Miruwa instance — its own database, its own application deployment, its own WhatsApp number. Your patients' data never shares infrastructure with another organization. Not "logically separated" — physically separate.
Access control
Staff accounts are provisioned by your administrator — there is no public signup. There are two roles (administrator and nurse), and every page and API call re-checks the session on the server.
Encryption
TLS 1.2+ in transit. AES-256 at rest in the managed Postgres database. Service credentials never reach the browser.
Append-only audit trail
Every access and action is recorded and attributed to the signed-in user — exportable for internal review.
Deterministic by design
Escalation severity is decided by explainable, versioned rules — never by an AI model. AI is used only to structure language (transcription, wording), never to judge clinical risk.
Data residency
Each dedicated instance is provisioned in your preferred cloud region — for Hong Kong deployments, typically Singapore. (Our public demo runs in the US; production instances are placed where you need them.)
Backups & recovery
Daily automated backups are standard; point-in-time recovery is available on enterprise instances.
Certifications — honest status
Miruwa is not yet SOC 2 or ISO 27001 certified. We are early, and we won't pretend otherwise. Our roadmap: SOC 2 Type I, then Type II. We will share our security questionnaire answers and architecture documentation with any evaluating hospital.
Vulnerability reporting
Report security issues privately to the team — never through public issue trackers, and never with real patient data in the report.
Evaluating Miruwa for your hospital?
We'll walk your IT and data-protection teams through everything.