🛡️

Your health data deserves serious protection.

Dinara handles your most sensitive information — conditions, medications, symptoms, and body data. We protect it with the same standards used by banks and hospitals.

A+ | SSL Rating | Qualys SSL Labs
TLS 1.3 | Encryption | Latest protocol
HSTS | Strict Transport | 2-year preload
RLS | Row Level Security | Every table
CSP | Content Security Policy | Full whitelist
WAF | Web Application Firewall | DDoS + bot protection
18 | Permission Controls | Per professional
Full | Audit Logging | Every access logged

Infrastructure security

🔐
TLS 1.3 Encryption in Transit
Every connection to Dinara is encrypted using TLS 1.3, the latest and most secure transport protocol. Older, vulnerable protocols are disabled. This is the same encryption standard used by major banks.
🗄️
Encryption at Rest
Your data is encrypted on disk using AES-256 encryption via Supabase. Even if someone accessed the physical servers, your data would be unreadable without the encryption keys.
🛡️
HSTS Preload
HTTP Strict Transport Security is enabled with a 2-year max-age and preload flag. Your browser will never connect to Dinara over an insecure connection, even if you type http:// by accident.
🌐
Cloudflare Protection
All traffic passes through Cloudflare, providing DDoS protection, web application firewall (WAF), and bot mitigation. Malicious traffic is blocked before it reaches our servers.
🖥️
Dedicated Server
Dinara runs on a dedicated virtual private server, not shared hosting. Only authorised personnel have SSH access with key-based authentication. No password-based logins are permitted.
🔄
Automatic SSL Certificates
SSL certificates are issued and renewed automatically. Certificates never expire or lapse, ensuring continuous encrypted connections.
🧱
Firewall and Network Isolation
A strict firewall permits only essential traffic. Internal services are not exposed to the public internet. Only HTTPS and SSH (key-based) connections are allowed.
🚨
Brute Force Protection
Automated systems monitor for suspicious login attempts and block offending IP addresses. Repeated failed attempts result in automatic temporary bans.
📋
Content Security Policy
A strict Content Security Policy controls which scripts, styles, and connections are allowed. This prevents cross-site scripting (XSS) attacks and unauthorised code injection.
🔄
Automatic Security Updates
The server automatically installs security patches as they are released. No manual intervention required — vulnerabilities are patched before they can be exploited.

Security headers

Every response from Dinara includes these security headers to protect against common web attacks:

Strict-Transport-Security (Active)
max-age=63072000; includeSubDomains; preload
Forces HTTPS for 2 years with preload list inclusion

X-Content-Type-Options (Active)
nosniff
Prevents browsers from MIME-type sniffing

X-Frame-Options (Active)
DENY
Prevents Dinara from being embedded in iframes (clickjacking protection)

Referrer-Policy (Active)
strict-origin-when-cross-origin
Controls what information is sent in the Referer header

Permissions-Policy (Active)
camera=(self), microphone=(), geolocation=()
Camera allowed only on dinara.uk (for barcode scanning). Microphone and location blocked.

X-XSS-Protection (Active)
1; mode=block
Enables browser XSS filtering and blocks rendering if attack detected
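
The following added example (not Dinara's own code) shows how a reviewer could check a response against the header values listed above. The function names and the sample response are constructed for illustration.

```javascript
// Added example: audit response headers against the values published on this page.
const HSTS_MIN_AGE = 63072000; // 2 years, from the list above
const EXPECTED = {
  "x-content-type-options": "nosniff",
  "x-frame-options": "DENY",
  "referrer-policy": "strict-origin-when-cross-origin",
  "permissions-policy": "camera=(self), microphone=(), geolocation=()",
  "x-xss-protection": "1; mode=block",
};
// Compare values ignoring case and whitespace, which carry no meaning in these headers.
const norm = (s) => s.replace(/\s+/g, "").toLowerCase();

function auditHsts(value) {
  if (value === undefined) return ["strict-transport-security: missing"];
  const findings = [];
  // Directives are ';'-separated and case-insensitive; max-age may be quoted.
  const d = new Map(value.split(";").map((p) => {
    const [k, v = ""] = p.trim().split("=");
    return [k.toLowerCase(), v.replace(/"/g, "")];
  }));
  const age = d.has("max-age") ? Number(d.get("max-age")) : NaN;
  if (!Number.isInteger(age) || age < HSTS_MIN_AGE)
    findings.push(`strict-transport-security: max-age ${age} < ${HSTS_MIN_AGE}`);
  for (const flag of ["includesubdomains", "preload"])
    if (!d.has(flag)) findings.push(`strict-transport-security: ${flag} absent`);
  return findings;
}

function auditHeaders(raw) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [k, v] of Object.entries(raw)) h[k.toLowerCase()] = String(v);
  const findings = auditHsts(h["strict-transport-security"]);
  for (const [name, want] of Object.entries(EXPECTED)) {
    if (!(name in h)) findings.push(`${name}: missing`);
    else if (norm(h[name]) !== norm(want)) findings.push(`${name}: got "${h[name]}", want "${want}"`);
  }
  return findings;
}

// Constructed sample: one-year HSTS without preload, framing allowed from same origin.
const weakSample = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(self), microphone=(), geolocation=()",
};
console.log(auditHeaders(weakSample));
```

An empty result means the response matches the published values; each string in the result names one header that is missing or differs.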

Why this matters

Data breaches are not rare events. They happen constantly — to the biggest companies and most trusted institutions in the world. Health data is the most targeted and most valuable data on the black market.

The reality of health data breaches
3,820 personal data breaches reported across the UK health sector between 2023 and Q1 2025
300M patient records stolen in a single 2024 ransomware attack on an NHS pathology provider
10,152 hospital appointments cancelled from that one attack alone
3TB of patient data stolen from NHS Dumfries and Galloway in a separate 2024 attack
82,946 people affected by a 2022 cyberattack on NHS 111 services, leaking sensitive medical information
These numbers are likely underreported — not all breaches are required to be reported to the ICO.

Most breaches happen because of centralised databases, legacy systems, human error, and third-party vendors with weak security. A single point of failure exposes millions of records at once.

How Dinara is architecturally different
Centralised databases — one breach exposes millions
Row Level Security isolates every user. Even a code bug cannot expose another user's data. The database itself enforces isolation.
Human error — staff email patient data to wrong people
There is no admin panel. No staff member can browse user health data. There is nobody to accidentally send your data anywhere.
Legacy systems — built decades ago without encryption
Built in 2026 with modern encryption (AES-256 at rest, TLS 1.3 in transit), security headers, and zero legacy code.
Third-party vendors — outsourced IT providers get hacked
Minimal third-party surface. Supabase (enterprise-grade database), Stripe (PCI Level 1 payments), Cloudflare (DDoS protection). No weak links.
Patient data emailed or transferred insecurely
GP reports are generated and downloaded directly on your device. Nothing is emailed, posted, or transmitted to third parties.
Users have no control over their own data
You control everything. Choose what your coach sees. Export your data anytime. Delete everything with one request.
Zero data breaches. By design, not by luck.
Our architecture makes mass data breaches structurally impossible — not just unlikely. Your health data is isolated, encrypted, and under your control at all times.

Data access controls

🔑
Row Level Security (RLS)
Every database table has Row Level Security enabled. This means you can only ever access your own data. Even if there were a bug in our code, the database itself enforces that users cannot see each other's information. This is the same approach used by enterprise SaaS platforms.
🔒
Authentication via Supabase Auth
User authentication is handled by Supabase Auth with bcrypt password hashing, secure session tokens, and automatic token refresh. Passwords are never stored in plain text.
👤
Coach Privacy Controls
If you work with a personal trainer through Dinara, you control exactly what they can see. Toggle visibility for weight, nutrition, health conditions, medications, and cycle data independently. Your coach only sees what you allow.
🗑️
Data Deletion
You can request deletion of all your data at any time. When you delete your account, all associated data is permanently removed from our systems.
📤
Data Export
Your data belongs to you. Export your health journal, medication history, and check-in data at any time through the GP Export feature or by contacting us.

Payment security

💳
Stripe Payment Processing
All payments are processed by Stripe, a PCI Level 1 certified payment processor (the highest level of certification). Dinara never sees, stores, or has access to your full card number.
🔐
No Card Data on Our Servers
When you subscribe, you are redirected to Stripe's secure checkout page. Your card details go directly to Stripe and never touch our servers.
🔄
Secure Webhooks
Stripe communicates with Dinara via signed webhooks. Every webhook is verified using a cryptographic signature to prevent tampering.
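
The added example below (not Dinara's code) shows what verifying a signed Stripe webhook involves: recomputing the HMAC-SHA256 over the timestamp and raw body, comparing in constant time, and rejecting stale timestamps. The secret, event body and five-minute tolerance are assumptions for illustration; in production Stripe's official library performs this check.

```javascript
// Added example: manual check of a Stripe-Signature header (t=...,v1=...).
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // assumption: five-minute replay window

function sign(secret, timestamp, rawBody) {
  // Stripe signs "<timestamp>.<raw request body>" with HMAC-SHA256.
  return crypto.createHmac("sha256", secret).update(`${timestamp}.${rawBody}`, "utf8").digest("hex");
}

function verifyWebhook(rawBody, header, secret, nowSeconds) {
  let timestamp = NaN;
  const candidates = [];
  for (const item of String(header).split(",")) {
    const [k, v] = item.trim().split("=");
    if (k === "t") timestamp = Number(v);
    if (k === "v1" && v) candidates.push(v); // several v1 values can appear during secret rotation
  }
  if (!Number.isInteger(timestamp) || candidates.length === 0) return { ok: false, reason: "malformed header" };
  const expected = Buffer.from(sign(secret, timestamp, rawBody), "hex");
  const match = candidates.some((c) => {
    const got = Buffer.from(c, "hex");
    // timingSafeEqual throws on unequal lengths, so check length first.
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  });
  if (!match) return { ok: false, reason: "signature mismatch" };
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) return { ok: false, reason: "timestamp outside tolerance" };
  return { ok: true, reason: "verified" };
}

// Constructed sample: placeholder secret and event body, not real Stripe data.
const SECRET = "whsec_PLACEHOLDER_FOR_EXAMPLE";
const BODY = '{"id":"evt_example","type":"checkout.session.completed"}';
const T = 1700000000;
const HEADER = `t=${T},v1=${sign(SECRET, T, BODY)}`;

console.log(verifyWebhook(BODY, HEADER, SECRET, T + 10));                                 // verified
console.log(verifyWebhook(BODY.replace("completed", "expired"), HEADER, SECRET, T + 10)); // tampered body
console.log(verifyWebhook(BODY, HEADER, SECRET, T + 3600));                               // replayed late
```

The check must run over the raw request bytes; re-serialising parsed JSON before hashing changes the payload and makes valid signatures fail.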

Healthcare data protection

When you share health data with medical professionals through Dinara, additional layers of protection are applied.

🎛️
18 Granular Permission Controls
Each connected healthcare professional can only see the data categories you explicitly allow. Medications, symptoms, blood results, sleep, mood, weight, cycle data — each toggleable independently per professional.
Professional Verification
Healthcare professionals register with their NHS email and professional registration number (GMC, NMC, GPhC, or HCPC). Accounts with @nhs.net addresses are auto-verified. Patients see verified status before connecting.
📋
Full Audit Logging
Every time a healthcare professional views your data, adds a note, or uploads blood results, it is logged with a timestamp and their identity. You can view your full audit trail at any time in the app.
🚫
Instant Revocation
Revoke any professional access with one tap. Access is removed immediately — no waiting, no admin process, no forms. The professional can no longer see any of your data.
⏱️
Access Expiry
Set an expiry date on any professional connection. Useful for temporary consultations or second opinions. Access is automatically removed when the expiry date passes.
📝
Clinical Note Controls
When professionals add clinical notes, they choose visibility: private (only they can see), shared with patient, or shared with the healthcare team. You always see notes shared with you.
🩸
Blood Result Security
Blood results can only be uploaded by you or by a professional you have specifically granted write access to. Results are stored with structured data, not just images, enabling secure trend analysis.
👤
Patient-Controlled, Not Organisation-Controlled
Unlike NHS systems where organisations control data access, Dinara puts the patient in charge. No organisation, trust, or admin can grant access to your data. Only you.

What we will never do

Sell your health data to third parties
Share your data with advertisers
Show you advertisements in the app
Use your health data to train AI models without consent
Store your payment card details on our servers
Share your data with your employer or insurance company
Make your health conditions visible to other users
Allow healthcare professionals to access data you have not explicitly shared
Give organisations or NHS trusts control over your data sharing choices
Contact you with marketing without your permission

Notification privacy

Push notifications are entirely optional and require your explicit permission. Dinara uses the Web Push protocol with VAPID keys for secure, encrypted notification delivery.

Notification content is kept vague for privacy — we never include medication names, health conditions, or sensitive information in push notifications that could appear on a locked screen.

You can disable all notifications or toggle each type independently at any time in Settings.

Technology stack

Dinara is built on modern, battle-tested infrastructure:

Application | Next.js 15 (React) | Server-rendered for security
Database | Supabase (PostgreSQL) | Enterprise-grade with RLS
Authentication | Supabase Auth | bcrypt + secure sessions
Payments | Stripe | PCI Level 1 certified
CDN & WAF | Cloudflare | DDoS protection + caching
Web Server | Caddy | Auto HTTPS + security headers
AI | Anthropic Claude | Data never used for training
Hosting | Dedicated VPS | Ubuntu with SSH key auth

Questions about security?

We take security seriously and are happy to answer any questions about how we protect your data.
