— Trust & compliance

HIPAA, GDPR and DPDP without the theatre.

Compliance-first architecture from day one — encryption, BAAs, quarterly access reviews, customer-owned GCP project for partners who need it. No badges, just controls that actually run.

4 min readUpdated 2026-06-02By Aryan Singh Pokharia, Founding Member & Lead Developer
Close-up of a circuit board, representing secure infrastructureAptixLabs · 2026-05-10

AptixLabs builds health applications under a compliance-first architecture. Not as a sticker — as a default. The controls below are running on UltraFit360 today and are the baseline for any health product we ship.

Encryption + minimisation

UltraFit360 minimises personally identifiable health information to the smallest viable schema. Data is encrypted at rest in Firestore with Google-managed keys, and every write that touches PHI routes through Cloud Functions so the audit trail is centralised and the rule surface stays small.

Legal alignment

Business Associate Agreements are signed with subprocessors that touch protected data. The privacy policy maps every data category to a lawful basis under GDPR and a corresponding clause under India's DPDP Act 2023. The mapping is reviewed quarterly — not just at launch.

The customer-isolated option

For clients who need a stronger posture, the studio can deploy into a customer-owned Google Cloud project with VPC Service Controls and customer-managed encryption keys. The customer holds the keys, the studio holds the code. Either party can revoke access cleanly.

What we don't claim

  • AptixLabs is not currently SOC 2 certified — the controls align with SOC 2 principles but the audit hasn't happened
  • No HITRUST certification
  • No ISO 27001 — these are partner-driven engagements, not commodity SaaS

Why "we'll add compliance later" never works

Compliance is an architecture decision, not a feature you bolt on before launch. If protected health data is scattered across a dozen collections with no central audit path, retrofitting encryption, access logging and a lawful-basis map is a rewrite — and it always lands at the worst possible time, right before a deal that requires it. Building the minimal-PHI schema and the centralised write path on day one costs almost nothing; retrofitting it costs a quarter.

What we tell clients who ask "are we compliant?"

Compliance is not a binary you achieve once. It is a posture you maintain: the controls run continuously, the lawful-basis map is reviewed quarterly, and any new data field is checked against it before it ships. We would rather a partner understand that than hand them a certificate that lulls them into thinking the work is finished. The honest version builds more trust than the marketing version — and it is the version regulators actually reward.

Have a project like this?

The studio is taking on a small number of partners. Tell us what you're building — we reply within a working day.

Start a conversation