🛡️ Security & Trust Center

Enterprise Security Built Into Every Layer

BloomSenz protects child therapy records, assessment data, family information, sessions, payments and centre operations through enterprise-grade security, monitoring and governance.

Encryption EverywhereEnterprise AuthenticationMulti-Tenant IsolationAudit LoggingContinuous MonitoringPrivacy By Design
trust.bloomsenz.io · live
✦ Security Trust Center · today
Availability🟢
99.98%
Monitoring🔭
24×7
Zero-Trust🛡️
On
RBAC👥
Active
Encrypted Storage🔐
AES-256
Open Incidents🚨
0
Audit · last events● Live
11:42:18LoginOK
11:43:02Record Access · Aarav · child_001OK
11:44:21Therapy Plan Update · Plan-48201Warn
🏛️ Overview

Security Built For Modern Therapy Centres

Seven layers of defence — every layer is engineered with explicit controls, monitored in real time and audited end-to-end.

Users
MFASSOSessions
Applications
CSPOutput encoding
API Gateway
Rate limitSigningWAF
Authentication Layer
OAuth 2.0JWTScopes
Business Services
RBACTenant guards
Data Layer
AES-256Key rotation
Monitoring & Audit Layer
SIEMAudit logsAlerts
🛡️ Pillars

Our Security Principles

Six pillars our security program is built on — every release is reviewed against them.

🔐

Identity & Access Management

Centralised identity with OAuth 2.0, OpenID Connect, JWT, SSO, MFA and granular RBAC scopes.

🛡️

Data Protection

Encryption at rest + in transit, key rotation, data masking and secure backups for every therapy record.

🏛️

Infrastructure Security

Network isolation, WAF, DDoS protection, intrusion detection and hardened container + cloud images.

🔭

Monitoring & Threat Detection

24×7 application, API and infrastructure monitoring with real-time alerts and runbooks.

📑

Compliance & Governance

Audit logging, secure SDLC, privacy controls and a roadmap toward SOC 2, ISO 27001, HIPAA-aligned and GDPR readiness.

🛟

Business Continuity

Automated backups, point-in-time recovery, replication, failover and tested recovery procedures.

🔐 IAM

Secure Identity Management

Eight identity controls converging on a 4-step access flow — User → Authentication → Authorization → Resources.

OAuth 2.0OpenID ConnectJWTRBACSSOMFAPassword PoliciesSession Management
Access flow

User → Authentication → Authorization → Resources

🧑User🔐Authentication🪪Authorization🗄️Resources
🏢 Multi-Tenant

Secure Tenant Isolation

Hard isolation across organisations, centres, roles, data and permissions — cross-tenant leakage is structurally prevented.

🏢Organisation Isolation
🏬Centre Isolation
🧭Role Separation
🗄️Data Segregation
🛡️Permission Boundaries
🧾Audit Tracking
Isolation diagram

Three tenants · zero shared surfaces

Tenant
Tenant A
🔒 DB
🔒 Cache
🔒 Search
🔒 AI knowledge
Tenant
Tenant B
🔒 DB
🔒 Cache
🔒 Search
🔒 AI knowledge
Tenant
Tenant C
🔒 DB
🔒 Cache
🔒 Search
🔒 AI knowledge

Every datastore, cache, search index and AI knowledge base is scoped per tenant. Cross-tenant queries fail closed.

🗄️ Data Protection

Protecting Sensitive Therapy Data

Six data categories covered by five always-on security controls.

Data categories

What we protect

🩺Therapy Records
📋Assessment Reports
👨‍👩‍👧Family Information
📅Session History
💳Payment Data
📊Centre Analytics
Security controls

How we protect

  • Encryption At Rest
  • Encryption In Transit
  • Key Rotation
  • Secure Backups
  • Data Masking
🔐 Encryption

Encryption Everywhere

Six encryption surfaces covering transport, storage, backups and secrets.

🔐TLS 1.3
🌐HTTPS
🗄️Database Encryption
📦Object Storage Encryption
💾Backup Encryption
🗝️Secrets Management
🧾 Audit

Complete Audit Visibility

Eight tracked action types and a queryable, exportable audit log per tenant.

Tracked actions

Every meaningful action

LoginLogoutRecord AccessRecord ChangesTherapy Plan UpdatesSession UpdatesPayment ActionsRole Changes
Audit Timeline● Live
Login
Dr. Priya N. · IP 203.0.•••
11:42:18OK
Record Access · Aarav · child_001
Dr. Priya N. · IP 203.0.•••
11:43:02OK
Therapy Plan Update · Plan-48201
Dr. Priya N. · IP 203.0.•••
11:44:21Warn
Role Change · grant 'Billing'
Anika V. (Admin) · IP 10.0.•••
11:46:09Alert
Payment Action · ₹3,480 captured
Karthik V. · IP 203.0.•••
11:48:55OK
🏛️ Infrastructure

Enterprise Infrastructure Security

Ten controls across network, application and runtime — defence-in-depth from the edge to the container.

🛡️API Gateway Protection
🧱Network Isolation
🔥Firewalls
🌐WAF
🚧DDoS Protection
⚖️Load Balancers
🔭Monitoring
🚨Intrusion Detection
📦Container Security
☁️Cloud Security
🔌 API Security

API Security Controls

Eight controls plus a 5-hop request flow — every call is authenticated, scoped, rate-limited and observed.

🔐OAuth 2.0
🪪JWT Validation
⏱️Rate Limiting
📍IP Restrictions
🎯Scope Validation
🪝Webhook Verification
🖋️Request Signing
📡API Monitoring
Request flow

Client → TLS → Gateway → Auth + Scope → Service

📱Client🔐TLS🛡️Gateway🪪Auth + Scope🔌Service
✦ AI Security

Responsible AI Architecture

Seven controls so RAG, agents and therapy copilots remain useful — without leaking data across tenants.

📚RAG Security
🤖Agent Security
🗂️Knowledge Isolation
🛡️Prompt Protection
📑Data Governance
🔐Access Controls
🧾Auditability
✦ Therapy knowledge never leaks across tenants — RAG, embeddings and agent state are scoped per tenant by default.
🪪 Privacy

Privacy By Design

Eight first-class privacy capabilities — families and centres always own and control their data.

👤Data Ownership
🪪Customer-Controlled Data
📤Export Capabilities
🗑️Deletion Requests
🗂️Retention Policies
Consent Management
📜Access Logs
🔍Transparency Controls
📑 Compliance

Compliance & Governance

Honest disclosure — what is in place today, and what's on the published roadmap. No certifications claimed before achieved.

✓ Current Status
  • Security Best Practices
  • Privacy Controls
  • Audit Logging
  • Secure Development Lifecycle
➜ Future Roadmap
  • SOC 2
  • ISO 27001
  • HIPAA-aligned Controls for Therapy Records
  • GDPR Readiness
  • Data Residency Controls

* We don't claim certifications we haven't achieved. Status is updated as audits complete.

🔭 Monitoring

24×7 Monitoring & Detection

Eight monitoring surfaces feed real-time alerts, runbooks and dashboards.

🖥️Application Monitoring
🏗️Infrastructure Monitoring
🔌API Monitoring
📡Security Events
🛡️Threat Detection
🚨Incident Response
🔔Real-Time Alerts
📊Security Dashboards
🛟 Continuity

Business Continuity

Seven always-on capabilities for backups, replication, failover and tested recovery.

💾Automated Backups
⏮️Point-In-Time Recovery
🔁Database Replication
🟢High Availability
🛟Failover Systems
📜Recovery Procedures
🧭Business Continuity Plans
🧑‍💻 SDLC

Security From Design To Deployment

Eight stages — every release moves through the same secure pipeline.

📋Stage 1Requirements🏛️Stage 2Architecture Review🧑‍💻Stage 3Code Review🛡️Stage 4Security Testing🎯Stage 5Penetration Testing🚀Stage 6Deployment Review🔭Stage 7Monitoring🔁Stage 8Continuous Improvement
🤝 Shared Responsibility

Shared Responsibility Model

What BloomSenz owns vs what the therapy centre owns — clear lines, no surprises.

✦ BloomSenz Owns
  • Platform Security
  • Infrastructure Security
  • Monitoring
  • Backups
  • Tenant Isolation
🧑 Customer Owns
  • User Management
  • Password Policies
  • Permission Management
  • Device Security
  • Security Awareness
❓ FAQ

Security Questions, Answered

Eight of the most common security questions teams ask before standardising on BloomSenz.

How is data encrypted?

All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Keys are rotated regularly and managed via a hardened secrets manager.

Where is data stored?

Customer data is stored in regional cloud regions chosen with each therapy centre. Data residency options are part of every enterprise rollout.

How are backups handled?

Automated, encrypted backups run on a continuous schedule with point-in-time recovery and tested restore runbooks.

Can I export my data?

Yes. Customer-controlled export is available across child records, therapy history, sessions and finance — via UI and API.

How is tenant isolation implemented?

Hard isolation at organisation, centre and role scopes — enforced in business services, datastores and audit logs. Cross-tenant leakage is structurally prevented.

How secure are AI features?

RAG, agents and prompts run inside per-tenant scopes. Therapy knowledge never leaks across tenants and every AI action is logged for auditability.

Can I use SSO?

Yes — enterprise SSO via OpenID Connect / SAML and MFA enforcement are available for all paid customers.

What audit logs are available?

Login, record access + changes, therapy plan updates, session changes, payment actions and role changes — exportable and queryable per tenant.

📁 Download Center

Security Resources

Seven documents your security and procurement teams can request — request via the security team.

🛡️

Security Overview

↓ Request access
🏛️

Architecture Guide

↓ Request access
📜

Privacy Policy

↓ Request access
📑

Terms of Service

↓ Request access
🤝

Data Processing Agreement

↓ Request access

Security FAQ

↓ Request access
🚨

Incident Response Policy

↓ Request access
🟢 Reliability

Built For Reliability

Eight always-on numbers that customer security teams can quote back to leadership.

🟢
99.98%
Platform Availability
🔭
24×7
Monitoring
🛡️
Hard
Multi-Tenant Isolation
🔐
AES-256
Encrypted Data
👥
RBAC
Role-Based Access
🧾
Live
Audit Logging
💾
Auto
Backups
🪪
SSO+MFA
Enterprise Authentication
🛡️ Security & Trust Center

Security you can trust. Platform you can scale on.

Protect your therapy centre operations, family data and care delivery with enterprise-grade security built into BloomSenz.

Security ReviewDPA + Architecture Q&AReference Centres