Security Policy

Last updated: June 2026. Learn about the standards and technologies keeping NearRx secure.

1. Information Security & Compliance Standards

At NearRx, maintaining the security, integrity, and confidentiality of customer healthcare records, transaction details, and pharmacy partner credentials is our absolute priority. We implement robust logical, administrative, and technical controls across our cloud architecture to protect data against unauthorized access, alterations, disclosure, or destruction. Our security program is designed to align with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

2. Advanced Authentication & Session Management

We secure all client access endpoints (User App, Pharmacy App, and Admin Panel Dashboard) using Firebase Authentication. User and partner passwords are never stored in plain text; they are salted, hashed, and encrypted on Firebase's authentication servers. Communication between application clients and Firebase is governed by JSON Web Tokens (JWTs) that expire automatically. Every administrative dashboard operation requires strict token verification, which prevents session hijacking and credential spoofing.

3. Strict Firebase Realtime Database Security Rules

Our Firebase Realtime Database is protected by custom server-side security rules that enforce a strict need-to-know model. The rules enforce that: (a) customers can read and write only their own profile records and the specific orders they have placed; (b) pharmacy and laboratory partners can read only the customer orders explicitly matched and assigned to them; and (c) unauthenticated reads and writes are blocked entirely across all sensitive data nodes. These rules enforce isolation between customers and partners at the database layer itself, not only in application code.
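The need-to-know model described above, expressed as a Firebase Realtime Database rules file. This is an added illustration, not NearRx's deployed ruleset; the node names (`users`, `orders`, `partnerOrders`), the field names `customerId`, `partnerId` and `status`, and the `admin` custom claim are assumptions.

```json
{
  "rules": {
    // (c) Default deny: nothing is readable or writable unless a more
    // specific rule below grants it. Rules cascade downward, so a grant at a
    // parent cannot be revoked at a child; never set ".read": true up here.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // (a) A customer may read and write only their own profile record.
        // Administrators (assumed "admin" custom claim) may read, not write.
        ".read": "auth != null && (auth.uid === $uid || auth.token.admin === true)",
        ".write": "auth != null && auth.uid === $uid"
      }
    },

    "orders": {
      "$orderId": {
        // (a)+(b) Readable by the customer who placed the order, the partner
        // it has been assigned to, or an administrator; nobody else.
        ".read": "auth != null && (data.child('customerId').val() === auth.uid || data.child('partnerId').val() === auth.uid || auth.token.admin === true)",
        // Create: only by the authenticated customer, and the new record must
        // name that same customer. Update: the owner may edit the order but
        // may not change who owns it or which partner it is assigned to.
        ".write": "auth != null && ((!data.exists() && newData.child('customerId').val() === auth.uid) || (data.exists() && data.child('customerId').val() === auth.uid && newData.child('customerId').val() === auth.uid && newData.child('partnerId').val() === data.child('partnerId').val()))",
        "status": {
          // The assigned partner may update only the status field of the
          // order, not any other part of the record.
          ".write": "auth != null && data.parent().child('partnerId').val() === auth.uid"
        }
      }
    },

    // A per-order read rule is not a query filter: a partner querying
    // /orders as a whole is denied. Partners therefore list their assigned
    // order ids through an index keyed by their own uid, which only an
    // administrator (or trusted backend) may populate.
    "partnerOrders": {
      "$partnerUid": {
        ".read": "auth != null && auth.uid === $partnerUid",
        ".write": "auth != null && auth.token.admin === true"
      }
    }
  }
}
```

Deploy such a file with `firebase deploy --only database` and exercise it in the Rules Playground as each role (unauthenticated, customer, partner, admin) before release; the unauthenticated cases should all be denied.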

4. Secure Cloud Storage & Media Access Control

Prescription images, business licenses, and Aadhaar document uploads are saved to private buckets in Firebase Cloud Storage. Custom Cloud Storage security rules enforce that only the uploading user, the matched partner pharmacy, or verified administrators can read these files. Cloud Storage objects cannot be accessed via public, unauthenticated URLs. Any media download link generated in the app uses a time-limited, signed URL that expires after a set duration, limiting the window in which a leaked link could be used.

5. Simulated Aadhaar OTP Security Architecture

During the partner onboarding flow in the Pharmacy App, Aadhaar identity verification is performed. To protect partner privacy and avoid handling raw government credentials, NearRx uses a simulated Aadhaar verification sequence. The system validates the input format and processes a mock 4-digit security code entirely client-side, exercising the identity flow without capturing, caching, or transferring raw biometric keys, Aadhaar numbers, or national registry tokens to our backend databases.

6. Threat Intelligence & Vulnerability Management

We actively manage and monitor the libraries, dependencies, and plugins used in our Flutter applications and Web Dashboard to mitigate supply chain risks. We perform regular package audits, run automated static code analysis (such as `flutter analyze`), and patch any outdated or vulnerable packages. Our database schemas and storage rules are under continuous review to prevent injection attacks, logical privilege escalation, and API vulnerabilities.

7. GCP Infrastructure & Physical Security

NearRx is built on Google Cloud Platform (GCP) infrastructure. All data in transit is encrypted using industry-standard TLS 1.3 / SSL protocols, and data at rest in our databases and storage buckets is encrypted with AES-256 using Google-managed encryption keys. GCP datacenters maintain the highest levels of physical security and comply with rigorous international standards, including ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1, SOC 2, and SOC 3.

8. Incident Response & Reporting

In the event of a detected data breach, service compromise, or security incident, we have an emergency response protocol. We will notify affected users and regulatory bodies within the timelines mandated under applicable Indian cyber laws. If you identify any security vulnerability on our platform, please report it immediately to our security team at shubhamnath143@gmail.com.