Boring choices, honestly described.
The interesting parts of healthcare are the medicine and the people. Everything underneath should be predictable, fast, and well-defended.
Six things we did on purpose.
- Phone OTP
Six-digit code, bcrypt-hashed in our database, three wrong attempts and the code is dead. Standard, well-tested, boring. The hash only buys time if someone walks off with the database; six digits is a small space, so the attempt limit is what actually stops guessing.
- Optional 2FA
TOTP enrolment for any account. We recommend it for providers. We don't auto-enrol — that's your call.
- Short access tokens
JWT access tokens expire in 15 minutes. Refresh tokens live for 7 days and are revocable on the server.
- Encrypted in transit
TLS 1.3 everywhere. ZegoCloud video uses WebRTC with DTLS-SRTP for media.
- Brute-force resistance
Login and OTP endpoints are rate-limited per IP and per identifier, with progressive backoff.
- CNDP consent for AI
Optional AI-assisted prescription parsing is a separate, explicit opt-in stored in your account record, per Moroccan law.
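The OTP, lockout and backoff mechanics from the Phone OTP and Brute-force resistance items above, as an added example in Python. This is not sanpha's code; the page describes the behaviour, not the implementation. Assumptions are marked in comments: hashlib.scrypt stands in for bcrypt because bcrypt is not in the standard library, the code lifetime, backoff schedule and cap are illustrative, and the phone numbers and IP address are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, Dict, List, Tuple

OTP_DIGITS = 6
MAX_ATTEMPTS = 3              # three wrong codes lock the OTP, as the page states
OTP_TTL_SECONDS = 300         # assumption: the page gives no code lifetime
BACKOFF_BASE = 2.0            # assumption: 1s, 2s, 4s ... after consecutive failures
MAX_BACKOFF_SECONDS = 900     # assumption: cap on the progressive backoff


def hash_code(code: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt: hashlib.scrypt ships with Python, bcrypt does not.
    # With the bcrypt package this line becomes bcrypt.hashpw(code, salt); nothing else changes.
    return hashlib.scrypt(code.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class OtpRecord:
    def __init__(self, salt: bytes, digest: bytes, expires_at: float):
        self.salt = salt
        self.digest = digest
        self.expires_at = expires_at
        self.attempts = 0
        self.locked = False


class OtpService:
    """Phone-OTP issue/verify with per-code attempt lockout and per-IP / per-identifier backoff."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.records: Dict[str, OtpRecord] = {}            # phone -> pending code (hash only)
        self.failures: Dict[str, Tuple[int, float]] = {}   # "ip:..."/"id:..." -> (count, last failure)

    def issue(self, phone: str) -> str:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = os.urandom(16)
        self.records[phone] = OtpRecord(salt, hash_code(code, salt), self.clock() + OTP_TTL_SECONDS)
        return code  # a real system sends this by SMS; returned here so the example runs offline

    def retry_after(self, key: str) -> float:
        """Seconds the caller must still wait; 0 if no backoff applies."""
        count, last = self.failures.get(key, (0, 0.0))
        if count == 0:
            return 0.0
        delay = min(BACKOFF_BASE ** (count - 1), MAX_BACKOFF_SECONDS)
        return max(0.0, last + delay - self.clock())

    def _note_failure(self, keys: List[str]) -> None:
        now = self.clock()
        for k in keys:
            count, _ = self.failures.get(k, (0, 0.0))
            self.failures[k] = (count + 1, now)

    def verify(self, phone: str, ip: str, code: str) -> str:
        keys = [f"ip:{ip}", f"id:{phone}"]
        # Rate-limit before any hashing so a flood cannot burn CPU on scrypt/bcrypt.
        if any(self.retry_after(k) > 0 for k in keys):
            return "throttled"
        rec = self.records.get(phone)
        if rec is None:
            return "no_code"
        if rec.locked:
            return "locked"
        if self.clock() >= rec.expires_at:
            del self.records[phone]
            return "expired"
        if hmac.compare_digest(hash_code(code, rec.salt), rec.digest):
            del self.records[phone]            # single use
            for k in keys:
                self.failures.pop(k, None)     # success clears the backoff
            return "ok"
        rec.attempts += 1
        self._note_failure(keys)
        if rec.attempts >= MAX_ATTEMPTS:
            rec.locked = True                  # code is dead; the user must request a new one
            return "locked"
        return "wrong"


def demo() -> List[str]:
    """Constructed scenario on a fake clock; returns the verify() results in order."""
    now = [1000.0]
    svc = OtpService(clock=lambda: now[0])
    phone, other, ip = "+212600000000", "+212611111111", "203.0.113.5"  # constructed sample values
    code = svc.issue(phone)
    wrong = "000000" if code != "000000" else "000001"
    out = [svc.verify(phone, ip, wrong)]           # attempt 1: wrong
    out.append(svc.verify(phone, ip, wrong))       # immediate retry: throttled (1s backoff)
    now[0] += 2
    out.append(svc.verify(phone, ip, wrong))       # attempt 2: wrong (backoff now 2s)
    now[0] += 5
    out.append(svc.verify(phone, ip, wrong))       # attempt 3: locked (backoff now 4s)
    now[0] += 1
    other_code = svc.issue(other)
    out.append(svc.verify(other, ip, other_code))  # other account, same IP: throttled
    now[0] += 10
    out.append(svc.verify(other, ip, other_code))  # backoff expired: ok
    out.append(svc.verify(phone, ip, code))        # right code, but a locked OTP stays locked
    return out
```

The order of checks matters: the backoff test runs before the hash so that a flood of guesses is refused cheaply, and the per-IP key throttles a caller across accounts while the per-identifier key throttles a distributed guess against one account.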
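The token lifetimes from the Short access tokens item, as an added example in Python that is not the project's code: a minimal HS256 JWT with a 15-minute exp and a pinned algorithm, plus a server-side refresh-token table where tokens are stored hashed, rotated on use and deletable for revocation. The signing algorithm, key handling, claim set and store layout are assumptions; the page states only the two lifetimes and that refresh tokens are revocable on the server.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

ACCESS_TTL = 15 * 60                    # 15-minute access tokens, as the page states
REFRESH_TTL = 7 * 24 * 3600             # 7-day refresh tokens, as the page states
SIGNING_KEY = secrets.token_bytes(32)   # assumption: HS256 key; the page does not name the JWT algorithm


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_access_token(user_id: str, now: float, key: bytes = SIGNING_KEY) -> str:
    """Compact JWT, HS256, carrying only sub/iat/exp (no personal data in the token)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_access_token(token: str, now: float, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Returns the claims or None. The algorithm is pinned server-side; 'alg' from the token is never trusted."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims, dict) or now >= claims.get("exp", 0):
        return None
    return claims


class RefreshStore:
    """Server-side refresh-token table. Tokens are opaque random strings kept only as SHA-256 hashes,
    so a copy of the table is not a set of usable tokens, and deleting a row revokes the token."""

    def __init__(self) -> None:
        self.rows: Dict[str, Dict] = {}   # sha256(token) -> {"sub": user_id, "exp": unix time}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.rows[self._key(token)] = {"sub": user_id, "exp": now + REFRESH_TTL}
        return token

    def redeem(self, token: str, now: float) -> Optional[Tuple[str, str]]:
        """Rotate: the presented token is consumed either way; returns (access, new_refresh) or None."""
        row = self.rows.pop(self._key(token), None)
        if row is None or now >= row["exp"]:
            return None
        return make_access_token(row["sub"], now), self.issue(row["sub"], now)

    def revoke(self, token: str) -> bool:
        return self.rows.pop(self._key(token), None) is not None

    def revoke_all(self, user_id: str) -> int:
        """Log out everywhere: drop every refresh token the user holds."""
        doomed = [k for k, r in self.rows.items() if r["sub"] == user_id]
        for k in doomed:
            del self.rows[k]
        return len(doomed)
```

Rotation on every redeem makes a refresh token single-use, so revocation is nothing more than deleting rows. The access token itself cannot be revoked before its exp, which is the reason for keeping it at 15 minutes.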
What we do, don't do, can't yet claim.
- We do
Encrypt all traffic with TLS 1.3. Hash passwords with bcrypt (cost 12). Use short-lived tokens and revocable refresh.
- We don't
Sell your data. Show ads. Use third-party trackers. Record video consultations. Read your messages.
- We can't honestly claim (yet)
Full HIPAA compliance — we follow Moroccan data-protection law (Law 09-08, supervised by the CNDP). It is close in spirit to GDPR, but it is not GDPR and it is not HIPAA. SOC 2 audit — not done. ISO 27001 — not done. We'll say so the moment we do them.
Found a security bug?
Write to security@sanpha.ma. We credit you publicly once a fix is shipped, if you'd like.
- Initial acknowledgement within one working day.
- Triage and severity within five working days.
- Please do not test on accounts you do not own. No phishing, social engineering or denial of service.
- Bounties — yes, on a case-by-case basis for valid findings.
Read the privacy notice.
Plain language. No dark patterns. No selling, ever.