AptixLabs builds health applications under a compliance-first architecture. Not as a sticker — as a default. The controls below are running on UltraFit360 today and are the baseline for any health product the studio ships.
Encryption + minimisation
UltraFit360 minimises personally identifiable health information to the smallest viable schema. Data is encrypted at rest in Firestore with Google-managed keys, and every write that touches PHI routes through Cloud Functions so the audit trail is centralised and the rule surface stays small.
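The pattern described above, as an added example that is not UltraFit360 or AptixLabs code: clients are denied direct writes to the PHI collection by Firestore security rules, so the only write path is a Cloud Function that trims the payload to a minimal schema and records an audit entry in the same atomic batch. The schema fields, the `phi/{uid}` and `audit/` paths, and the `store` abstraction standing in for the Firestore Admin SDK are all assumptions made for this example; the in-memory store lets it run offline.

```javascript
// Added example (not AptixLabs/UltraFit360 code). A Cloud Function-style
// PHI write path: minimise to a fixed schema, then write PHI + audit entry
// in one batch. The matching Firestore rule (assumed, illustrative) denies
// client writes to the PHI collection, so only the Admin SDK, which runs
// from Cloud Functions and bypasses rules, can write there:
//
//   match /phi/{uid} {
//     allow read:  if request.auth != null && request.auth.uid == uid;
//     allow write: if false;   // all writes go through the function
//   }

// Hypothetical minimal PHI schema: field -> validator. Anything not listed
// here is dropped before it reaches storage.
const PHI_SCHEMA = {
  heartRateBpm: v => Number.isInteger(v) && v > 0 && v < 400,
  stepCount: v => Number.isInteger(v) && v >= 0,
  recordedAt: v => typeof v === 'string' && !Number.isNaN(Date.parse(v)),
};

// Keep only schema fields; reject the request if any kept field is invalid.
function minimise(payload) {
  const kept = {};
  const dropped = [];
  for (const [k, v] of Object.entries(payload)) {
    if (!(k in PHI_SCHEMA)) { dropped.push(k); continue; }
    if (!PHI_SCHEMA[k](v)) throw new Error(`invalid value for ${k}`);
    kept[k] = v;
  }
  if (Object.keys(kept).length === 0) throw new Error('no schema fields present');
  return { kept, dropped };
}

// The single PHI write path. `ctx.uid` comes from the ID token that Cloud
// Functions verifies for callable functions; the client cannot forge it.
// `store` stands in for the Firestore Admin SDK (batch/set/commit).
async function writeVitals(store, ctx, payload) {
  if (!ctx || !ctx.uid) throw new Error('unauthenticated');
  const { kept, dropped } = minimise(payload);
  const batch = store.batch();
  batch.set(`phi/${ctx.uid}`, kept, { merge: true });
  batch.set(`audit/${store.newId()}`, {
    actor: ctx.uid,
    action: 'phi.write',
    fields: Object.keys(kept),
    droppedFieldCount: dropped.length,   // count only: never echo PHI into the audit log
    at: store.now(),
  });
  await batch.commit();                  // PHI and audit entry land together or not at all
  return { written: Object.keys(kept), dropped };
}

// In-memory stand-in for the Admin SDK surface used above (assumption).
function memoryStore() {
  const docs = new Map();
  let seq = 0;
  return {
    docs,
    newId: () => `a${++seq}`,
    now: () => '2024-01-01T00:00:00Z',   // constructed timestamp
    batch() {
      const ops = [];
      return {
        set(path, data, opts) { ops.push({ path, data, merge: !!(opts && opts.merge) }); },
        async commit() {
          for (const op of ops) {
            const prev = op.merge ? (docs.get(op.path) || {}) : {};
            docs.set(op.path, { ...prev, ...op.data });
          }
        },
      };
    },
  };
}

module.exports = { PHI_SCHEMA, minimise, writeVitals, memoryStore };
```

Because the client rule is simply `allow write: if false`, the rule surface stays small and every PHI write is both schema-checked and audited in one place; the audit entry records which fields were written and how many were dropped, never the values themselves.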
Legal alignment
Business Associate Agreements are signed with subprocessors that touch protected data. The privacy policy maps every data category to a lawful basis under GDPR and a corresponding clause under India's DPDP Act 2023. The mapping is reviewed quarterly — not just at launch.
The customer-isolated option
For clients who need a stronger posture, the studio can deploy into a customer-owned Google Cloud project with VPC Service Controls and customer-managed encryption keys. The customer holds the keys, the studio holds the code. Either party can revoke access cleanly.
What we don't claim
- AptixLabs is not currently SOC 2 certified — the controls align with SOC 2 principles but the audit hasn't happened
- No HITRUST certification
- No ISO 27001 — these are partner-driven engagements, not commodity SaaS
