Security & Data Protection
Built for special-category health data from day one.
Consent first
Explicit patient consent is required before any consultation is analysed. Consent is captured before the patient arrives via a secure link, and recorded in an immutable audit log.
Encryption
All data is encrypted in transit and at rest. Consultation audio is stored in encrypted, clinic-isolated storage.
Tenant isolation
Every clinic's data is strictly segregated with row-level security, enforced server-side and covered by automated regression tests.
No human at Altora reads your consultations
Our systems — including our own internal admin tools — are structurally prevented from accessing patient identity, transcripts, or clinical content. Admin access is limited to business metadata only, and every access is logged.
Role-based access
Practitioners, reception and managers each see only role-appropriate data, enforced at the database layer.
Retention & deletion
Configurable retention policies per clinic, complete deletion including audio, and deletion events are logged.
Audit logging
Append-only logs of system and administrative actions.
Subprocessors
We use AssemblyAI (transcription), Anthropic (analysis), Supabase (database and storage) and Vercel (hosting). Data processing agreements and international transfer safeguards are managed with each.