Trust & Security
Security Overview
Last updated: April 2026
Cliniqa handles sensitive medical laboratory data. Security is a first-order concern at every layer of the platform. This page summarises the controls we have in place to protect your data and your patients’ information.
256-bit TLS Encryption in Transit
All communication between your browser and Cliniqa servers uses HTTPS with TLS. Unencrypted HTTP connections are automatically redirected.
AES-256 Encryption at Rest
All data stored on our cloud infrastructure — including uploaded result documents, account data, and database records — is encrypted at rest using AES-256 via our cloud storage provider.
JWT Authentication with Short-Lived Tokens
Authentication uses signed JSON Web Tokens. Access tokens expire after 30 minutes. Refresh tokens are rotated on each use and invalidated on logout or password reset.
Role-Based Access Control (RBAC)
Three permission levels — Owner, Admin, and Staff — ensure each team member can only access the features and data appropriate to their role.
OTP Verification
One-time passwords are required for new account registration and password resets. OTPs are single-use, time-limited, and delivered via email.
Rate Limiting
All API endpoints are protected by rate limiting to defend against brute-force attacks and credential stuffing. Authentication endpoints have stricter limits.
Audit Logging
Key actions — including logins, result pushes, result authorisations, and staff account changes — are recorded in an immutable audit log retained for 90 days.
NDPA 2023 Compliance
Our data practices are designed to comply with the Nigeria Data Protection Act 2023 (NDPA 2023) and NDPC guidelines, including lawful basis for processing, data subject rights, and data minimisation.
Infrastructure & Access
- Production infrastructure is hosted on managed cloud services with network-level access controls and private subnets for databases.
- Administrative access to production systems requires multi-factor authentication and is restricted to named personnel on a need-to-know basis.
- Database credentials, API keys, and secrets are managed via environment-level secret stores and are never stored in source code.
- Database schemas are isolated per functional module — no cross-module foreign keys — limiting the blast radius of any single component.
Application Security
- Passwords are hashed using BCrypt with a minimum cost factor of 12 before storage. Plaintext passwords are never stored or logged.
- Uploaded files are validated by file signature (magic bytes) before processing to prevent malicious file uploads.
- All API inputs are validated and sanitised. SQL injection, XSS, and CSRF protections are applied at the framework level.
- Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options) are applied on all responses.
- Third-party dependencies are audited periodically for known vulnerabilities.
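The file-signature check mentioned above, as an added illustration (this is not Cliniqa's code): it identifies an upload by its leading bytes rather than by the filename or Content-Type the client supplies, and rejects the upload when the extension disagrees with the detected type. The allow-list, extension map and size cap are assumptions; a signature match only says what container the bytes claim to be, so it sits alongside size limits and content scanning rather than replacing them.

```python
# Added example (not Cliniqa's code): accept an uploaded result document only when its
# leading bytes carry an allow-listed signature, ignoring client-supplied name/Content-Type.
from typing import Optional, Tuple

# Assumed allow-list: signature -> canonical type. PDF, PNG and JPEG are chosen here.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
ALLOWED_EXTENSIONS = {"pdf": {".pdf"}, "png": {".png"}, "jpeg": {".jpg", ".jpeg"}}
MAX_BYTES = 10 * 1024 * 1024  # assumed size cap; a signature check says nothing about size


def detect_type(data: bytes) -> Optional[str]:
    """Return the canonical type whose signature the data starts with, or None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only if the bytes carry an allowed signature AND the extension agrees."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    kind = detect_type(data)
    if kind is None:
        return False, "unrecognised file signature"
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS[kind]:
        return False, f"extension {ext or '(none)'} does not match detected type {kind}"
    return True, kind


# Constructed sample uploads (not real documents).
SAMPLES = {
    "cbc_result.pdf": b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n",  # genuine PDF header
    "scan.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,         # genuine PNG header
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,             # executable header under a .pdf name
    "result.jpg": b"%PDF-1.4\n",                             # PDF bytes under a .jpg name
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {validate_upload(name, blob)}")
```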
Incident Response
In the event of a confirmed data breach affecting personal data, we will notify affected customers and, where required, the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the incident, in accordance with our obligations under the NDPA 2023. Notifications will include the nature of the breach, the categories of data affected, and the remediation steps taken.
Responsible Disclosure
We welcome security researchers who responsibly disclose vulnerabilities in the Cliniqa platform. If you discover a potential security issue, please report it to us before disclosing it publicly.
Report a Vulnerability
Email support@cliniqa.cloud with the subject line "Security Vulnerability Report". Please include a clear description of the issue, steps to reproduce, and your contact details. We will acknowledge your report within 3 business days and keep you informed as we investigate.
We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and address it. We do not currently offer a bug bounty programme, but we are grateful for responsible disclosures.
Compliance & Certifications
- Our data practices are designed to comply with the Nigeria Data Protection Act 2023.
- All traffic is encrypted in transit. Unencrypted access is not permitted.
- Stored data is encrypted at rest via cloud provider-managed encryption.
Security Questions
If you have questions about security practices not covered here, or if you represent an enterprise customer with specific security requirements, contact us at support@cliniqa.cloud.
© 2026 NesChade Global Ltd. All rights reserved.