Platform — Admin · Consent · Models · Status
The governance spine. What separates Averra from any other health product: every action is logged, every model has a card, every consent is revocable, every outage is public.
averra.health / admin / access
SSO · SRE group · 2 approvers present
Platform
Governance
Identity & access
Consent ledger
Model registry
Audit log
Data-subject requests
Reliability
Status · incidents
API portal
Integrations
Compliance
PDPL register
DHA / MOHAP mapping
Identity & access · 428 users
SoD matrix · quarterly recert · last completed 31 Mar · 94% compliance
AllClinician 184Admin 22Ops 31Recert-due 26
| User | Role | Scope | Last review | SoD conflicts | |
|---|
| Dr. F. Al Hashimi | Clinician · GP | Panel 412 · no admin | 28 Mar · self | — | ok |
| M. Kuriakose | SRE · prod | Break-glass 2-of-2 | 14 Apr · mgr | — | ok |
| S. Farahani | DPO | Audit read-all · no write | 02 Apr · board | — | ok |
| A. Boutros | Finance · AR | Claims read · no patient | 03 Jan · due | — | recert |
| R. Das | Data scientist | k≥20 only · no raw | 12 Feb | ⚠ also claims-edit | conflict |
Separation of duties · R. Das
Assigned both "data-science · k≥20" + "claims · edit". Violates SoD rule 7 (no cross-PHI write).
Risk · high
Auto-action · freeze edit role · notify manager
Owner · S. Farahani (DPO) · decision due 22 Apr
Freeze · require ackException · 30d
Break-glass · this week
3 events · all 2-of-2 · all logged
● 16 Apr 02:14 · SRE+DPO · SIEM anomaly
● 18 Apr 09:02 · SRE+mgr · failed rollback
● 19 Apr 14:41 · SRE+DPO · patient data export request
↳ no solo prod access · ever
averra.health / admin / consent
Platform
Governance
Identity & access
Consent ledger
Model registry
Audit log
Data-subject requests
Consent ledger · immutable record
Every grant · every revocation · every data touch. Member-visible (their own view). Regulator-exportable on demand.
Revocations · last 30d
847
normal baseline · 600–900
Member-initiated exports
62
PDPL art. 15 · avg 22h SLA
| Time (UTC) | Member | Scope | Party | Basis | Action | Txn |
|---|
| 20 Apr 08:14:22 | AAM-48291 | Tier-1 · labs+meds | Dr. F. Al Hashimi | consult | granted | a47f… |
| 20 Apr 08:02:11 | OAS-10044 | Tier-0 · vitals | Family (spouse) | care proxy | granted | bc82… |
| 19 Apr 21:47:03 | RBH-22110 | Referral packet | Dr. A. Iskandar | referral | granted | 9e31… |
| 19 Apr 19:22:40 | PRM-77831 | Research · cohort 2031 | Internal · RWE | opt-in · 2024 | revoked | 1f40… |
| 19 Apr 18:09:55 | FAZ-65502 | Pharmacy · Aster | Pharmacy | dispensing | granted | 3a1b… |
| 19 Apr 17:55:02 | JKR-30081 | Full export · self | Member | PDPL art. 15 | exported | 7c9d… |
Revocation propagation
When a member revokes, we propagate within SLA to every downstream holder. Each echoes an ack hash back.
PRM-77831 · research cohort revoke · 19 Apr 19:22
ETL pipeline · ack 19:22:04
Analytics warehouse · ack 19:22:11
ML feature store · ack 19:22:38
Downstream pharma partner · ack 20:14:02
All within 24h · SLA green
What the member sees
The same ledger, filtered to their own. Every row is plain language: "14 Apr — Dr. Fatima read your labs during your consult." One tap to revoke anything still revocable.
averra.health / admin / models
Platform
Governance
Identity & access
Consent ledger
Model registry
Model registry · 23 production models
Every model used in patient care has a card, a version, a bias audit, an owner, and a kill-switch.
| Model | Use | Ver | Owner | Last audit | Drift | Bias | Kill |
|---|
| triage-v3 | Symptom → urgency | 3.2.1 | Clinical AI | 12 Apr | 0.03 | pass | ◉ |
| readmit-30d | Hospital readmission | 2.1.0 | Ops | 02 Apr | 0.11 | review | ◉ |
| cie-guideline-concord | Clinical integrity | 4.0.2 | Clinical AI | 18 Apr | 0.04 | pass | ◉ |
| noshow-risk | Appointment no-show | 1.5.0 | Ops | 22 Mar | 0.06 | nationality skew | ◉ |
| twin-metric-synth | Twin visualization | 0.9.3 | Member | 10 Apr | 0.02 | pass | ◉ |
| readmit-30d · v2.0 | retired | 2.0.4 | — | archived | — | — | — |
Model card · triage-v3
Purpose · classify member-described symptoms into 5 urgency tiers
Training · 428k anonymised UAE consultations, 2021-2025
Performance · sens 0.94 · spec 0.88 · AUC 0.93
Failure modes · under-triages cardiac in <35F; mitigated by red-flag rulebook
Bias audit · 18 Apr · equal AUC across gender, 4 nationalities, Arabic/English
Human oversight · all Tier 4-5 routed to clinician within 4h
Kill-switch · single-actor, logged, defaults to rulebook-only triage
readmit-30d · drift alert
Drift 0.11 · threshold 0.08. Cause hypothesized: post-winter respiratory admission shift. Owner paged 16 Apr.
◉ shadow · v2.2-rc1 running in parallel
◉ 14d decision window · then promote or rollback
◉ clinicians unaffected — using prior stable
View shadow metrics
status.averra.health
● all systems operational
Status · public
Published uptime · 30 day rolling · named authors on every RCA
99.97% · 30dlast incident · 02 Apr
Member apps
iOS · Android · 100%
Web · 100%
Ask / triage · 100%
Clinician
Workspace · 100%
e-Prescribe · degraded · 97.2%
SOAP / CIE · 100%
External integrations
NABIDH (Dubai) · 100%
Malaffi (Abu Dhabi) · 100%
eClaimLink · 99.9%
UAE Pass · deg · OTP delay
Incident · INC-2042 · 16 Apr
Severity SEV-1 · data exfil anomaly · contained in 14 min
Impact 42 records touched · no confirmed loss · 240k rows quarantined
Author S. Farahani (DPO), M. Kuriakose (SRE lead) — RCA posted 19 Apr
What we're changing 1) service account egress defaults to deny; 2) anomaly threshold on volume lowered 60%; 3) 2-of-2 break-glass mandatory for any export > 10k rows.
Commitment public 90-day verification, independent audit Q3 2026.
↳ Platform isn't a feature list — it's the receipts. Every choice above is publicly visible or member-visible by default; private by exception only.