Controls
Updated Feb 2026

Infrastructure Security
- Supabase enterprise-grade PostgreSQL hosting
- Automatic backups with point-in-time recovery
- DDoS protection and WAF enabled
Organizational Security
- Role-based access control (RBAC)
- Security awareness training for all staff
- Incident response plan documented
Product Security
- 100% Row-Level Security on all tables
- AES-256 encryption for PHI at rest
- TLS 1.3 encryption in transit
Internal Security Procedures
- Immutable audit logs with 6+ year retention
- Break-glass emergency access with justification
- Session timeout enforcement
Data Supported
- Patient PII
- Protected Health Information (PHI)
- Employee PII
- Payment Information
Subprocessors
Supabase · Database & Authentication
PostgreSQL database, authentication, and storage infrastructure.
Anthropic · AI Processing
Claude AI for clinical documentation and workflow automation.
Stripe · Billing & Payments
Payment processing, subscription management, and invoicing.
Twilio · SMS Communications
Patient appointment reminders and two-factor authentication.
Resources
Certificates
- SOC 2 Type II Report
- ISO 27001 Certificate
Audit Reports
- Penetration Test Summary
- Vulnerability Assessment
FAQ
Updates
Feb 2026 · Compliance
SOC 2 Type II Audit Preparation
We've begun formal preparation for our SOC 2 Type II audit with controls mapping and evidence collection underway.
Jan 2026 · Security
Enhanced PHI Field-Level Encryption
Deployed dedicated encrypted_phi_fields table with AES-256-GCM encryption for high-risk patient identifiers.