Data Security Practices

Effective Date: January 8, 2026 | Last Updated: January 8, 2026

Your Data Security is Our Priority

We understand that health data is among the most sensitive information you can share. That's why we've implemented industry-leading security measures to protect your data at every step.

256-bit Encryption

All data encrypted in transit and at rest

Secure Infrastructure

Enterprise-grade cloud security

Access Controls

Strict role-based access management

1. Data Encryption

1.1 Encryption in Transit

All data transmitted between your device and our servers is protected using:

  • TLS 1.3 (Transport Layer Security) encryption
  • 256-bit AES encryption for all connections
  • HTTPS enforced across all web pages and APIs
  • Certificate pinning for mobile applications

1.2 Encryption at Rest

Your data is encrypted when stored in our databases:

  • AES-256 encryption for all stored data
  • Encrypted database backups
  • Secure key management with regular rotation
  • Separate encryption keys for different data categories

2. Infrastructure Security

2.1 Cloud Infrastructure

Our services are hosted on enterprise-grade cloud infrastructure with:

  • SOC 2 Type II certified data centers
  • Redundant systems and automatic failover
  • Geographic distribution for reliability
  • 24/7 infrastructure monitoring
  • Regular security audits and penetration testing

2.2 Network Security

  • Web Application Firewall (WAF) protection
  • DDoS mitigation and protection
  • Intrusion detection and prevention systems
  • Network segmentation and isolation
  • Regular vulnerability scanning

3. Access Control

3.1 User Authentication

  • Secure authentication powered by Clerk
  • Multi-factor authentication (MFA) available
  • Secure password requirements enforced
  • Session management with automatic timeouts
  • Suspicious login detection and alerts

3.2 Internal Access Controls

Access to your data by Mochi Health employees is strictly controlled:

  • Role-based access control (RBAC) for all systems
  • Principle of least privilege enforced
  • All access logged and auditable
  • Regular access reviews and recertification
  • Background checks for employees with data access

🔒 Limited Access

Only authorized personnel with a legitimate business need can access your health data, and all access is logged and monitored.

4. Data Protection Measures

4.1 Data Minimization

  • We only collect data necessary for our services
  • Sensitive data is pseudonymized where possible
  • Personal identifiers are separated from health data
  • Regular data retention reviews and cleanup

4.2 Data Backup

  • Automated daily backups of all data
  • Encrypted backup storage
  • Geographically distributed backup locations
  • Regular backup restoration testing
  • Point-in-time recovery capabilities

5. Compliance and Standards

5.1 Philippine Compliance

  • Data Privacy Act of 2012 (Republic Act No. 10173) compliant
  • Registered with the National Privacy Commission (NPC)
  • Appointed Data Protection Officer (DPO)
  • Regular compliance assessments

5.2 Industry Standards

  • Aligned with HIPAA security principles
  • ISO 27001 security framework implementation
  • OWASP security best practices
  • Regular third-party security assessments

6. Security Operations

6.1 Monitoring

  • 24/7 security monitoring and alerting
  • Real-time threat detection
  • Anomaly detection for unusual patterns
  • Security Information and Event Management (SIEM)

6.2 Incident Response

  • Documented incident response procedures
  • Dedicated security incident response team
  • Regular incident response drills
  • Breach notification procedures compliant with regulations

6.3 Vulnerability Management

  • Regular vulnerability scanning (weekly)
  • Annual penetration testing by third parties
  • Responsible disclosure program
  • Timely patching and updates

7. Third-Party Security

We carefully vet all third-party service providers:

  • Security assessments before onboarding
  • Data Processing Agreements (DPAs) in place
  • Regular security reviews of vendors
  • Minimum security standards required

Key Service Providers

  • Authentication: Clerk (SOC 2 certified)
  • Payments: Stripe (PCI-DSS Level 1 certified)
  • Database: Neon (SOC 2 certified)
  • Hosting: Vercel (SOC 2 certified)

8. Your Role in Security

Security is a shared responsibility. You can help protect your account by:

  • Using a strong, unique password for your account
  • Enabling multi-factor authentication (MFA)
  • Keeping your email account secure
  • Not sharing your login credentials with others
  • Logging out from shared devices
  • Reporting any suspicious activity to us immediately

9. Security Updates

We continuously improve our security posture:

  • Regular security training for all employees
  • Ongoing evaluation of new security technologies
  • Updates to this document as practices evolve
  • Proactive adoption of security best practices

10. Contact Us

For security concerns or questions about our practices:

Mochi Health

Security & Legal: legal@fluent.ph

Privacy: privacy@fluent.ph

Website: fluent.ph