Data Protection
Data Backup Policy
How MedFind protects, backs up, and recovers your medical data. Our commitment to data availability and security.
- Automated Backups: Every 6h
- Backup Encryption: AES-256
- Geographic Redundancy: 3 Sites
- Recovery Time Objective: < 4 Hours
Backup Overview
MedFind maintains comprehensive automated backup systems to protect all user data, including medical records, appointment history, and account information. Our backup strategy follows the 3-2-1 rule: 3 copies, on 2 different media types, with 1 offsite copy.
Backup Schedule
Real-Time Transaction Logs
Every database write operation is logged to a redundant transaction log in real time. This captures every change the moment it happens.
Retention: 30 days | Type: PostgreSQL WAL + MongoDB Oplog
Incremental Backups
Data changed since the last backup is captured every 6 hours. This limits data loss to a maximum of 6 hours in a worst-case scenario.
Retention: 14 days | Schedule: 00:00, 06:00, 12:00, 18:00 BST
Full Daily Backups
Complete snapshot of all databases, user files, and configuration. Includes PostgreSQL, MongoDB, Redis snapshots, and all uploaded medical files.
Retention: 30 days | Schedule: 02:00 BST daily
Weekly Consolidated Backups
Weekly full backup exported to cold storage. These are the primary backups used for long-term data retention and compliance.
Retention: 1 year | Schedule: Sunday 03:00 BST
Monthly Compliance Archives
Complete monthly archive to comply with Bangladesh healthcare data retention regulations. Medical records are retained for 10 years minimum.
Retention: 10 years (medical) / 7 years (financial) | Encrypted cold storage
Storage Locations
- Primary: AWS ap-southeast-1 (Singapore) — Live database servers
- Secondary: AWS ap-south-1 (Mumbai) — Hot standby with <5 minute replication lag
- Tertiary: AWS S3 Glacier (Bangladesh-compliant region) — Cold storage archives
- Local: On-premise encrypted drives at Dhaka data center for critical medical records
Data Sovereignty Note: Patient medical records are stored in compliance with Bangladesh ICT Act 2006 and Digital Security Act 2018. Sensitive health data is replicated only to servers that meet Bangladesh data protection requirements.
Backup Security
- All backups are encrypted using AES-256 before being written to storage
- Encryption keys are managed using AWS KMS with hardware security modules (HSM)
- Backup access requires multi-factor authentication and is logged to immutable audit trails
- Backup integrity is verified automatically with cryptographic checksums after every backup
- Restore tests are performed monthly to verify backup integrity and recovery procedures
- Backup storage locations are separate from production systems to prevent ransomware propagation
Recovery Objectives
- Recovery Point Objective (RPO): 1 Hour (maximum data loss)
- Recovery Time Objective (RTO): 4 Hours (maximum downtime)
In the event of a catastrophic failure, we can restore all data to within 1 hour of the failure with full service restoration within 4 hours.
Your Data Export Rights
As a MedFind user, you have the right to request a full export of your personal data at any time:
- Request via: Account Settings > Privacy > Export My Data
- Or email: medfindbd2026@gmail.com with subject "Data Export Request"
- Delivery: Your data will be provided within 14 business days in JSON and PDF format
- Includes: All appointments, medical records, prescriptions, payment history, and account data
- Free of charge: Data exports are provided at no cost
Disaster Recovery Plan
MedFind maintains a formal Disaster Recovery Plan (DRP) that covers:
- Detection (0-15 min): Automated monitoring alerts trigger within minutes of system failure
- Assessment (15-30 min): On-call engineers assess scope and severity
- Failover (30-60 min): Automatic or manual failover to secondary region
- Recovery (1-4 hours): Full restoration from backup with data integrity verification
- Communication: Registered users notified via SMS/email within 2 hours of incident
- Post-Incident Review: Full root cause analysis and remediation within 7 days
Breach Notification
In the event of a data breach affecting personal or medical data:
- Affected users will be notified within 72 hours of breach discovery
- Notification will include: what data was affected, steps taken, and recommended user actions
- Bangladesh Computer Council (BCC) and relevant authorities will be notified as required by law
- Forensic investigation will be conducted and a report provided to affected users
Data backup policy last reviewed: April 2026. For questions: medfindbd2026@gmail.com