Security Posture Overview
Documented, consistently applied controls protect every patient interaction. Use this overview to find our HIPAA stance, encryption posture, access controls, and audit standards, or jump directly to HIPAA & BAA or Access Control & RLS for deeper reference.
HIPAA & BAA
Administrative, physical, and technical safeguards backed by signed BAAs for every subcontractor.
Encryption & Key Management
End-to-end encryption with rotation runbooks for database, LiveKit, and notification secrets.
Access Control & RLS
Azure Entra identity, Supabase RLS, and delegated service accounts enforce least privilege.
Audit Logging
Immutable audit trail with structured events, correlation IDs, and retention aligned to payer requirements.
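The audit-trail properties listed above (append-only storage, structured events, a correlation ID per request) can be enforced in Postgres itself rather than only by application convention. The following is an added illustration, not the project's own schema: the table, column names, the `audit_events_immutable` function and the `app_role` claim are hypothetical, and the correlation ID is assumed to be supplied by the application from its inbound request ID.

```sql
-- Added illustration (not the vendor's actual schema): an append-only audit
-- table in Postgres with structured JSONB events and a correlation id.
create table if not exists public.audit_events (
  id             bigint generated always as identity primary key,
  occurred_at    timestamptz not null default now(),
  correlation_id uuid not null,        -- assumed: taken from the request id
  actor_id       uuid,                 -- auth.users.id of the acting principal
  tenant_id      uuid,
  action         text not null,        -- e.g. 'patient.read', 'consent.revoke'
  details        jsonb not null default '{}'::jsonb
);
create index if not exists audit_events_correlation_idx
  on public.audit_events (correlation_id);

-- Immutability, part 1: grants are insert-only for the API roles.
revoke all on public.audit_events from public, anon, authenticated;
grant insert on public.audit_events to authenticated;

-- Immutability, part 2: a trigger rejects UPDATE, DELETE and TRUNCATE even
-- for the table owner, who is not bound by grants. Only a superuser can
-- disable or drop the trigger, so that action itself becomes auditable.
create or replace function public.audit_events_immutable()
returns trigger language plpgsql as $$
begin
  raise exception 'audit_events is append-only (% blocked)', tg_op;
end $$;

create trigger audit_events_no_modify
  before update or delete on public.audit_events
  for each row execute function public.audit_events_immutable();

create trigger audit_events_no_truncate
  before truncate on public.audit_events
  for each statement execute function public.audit_events_immutable();

-- Writing a structured event: one row per action, correlation id carried
-- through from the originating request so events can be joined later.
insert into public.audit_events (correlation_id, actor_id, tenant_id, action, details)
values (
  '7e0b3c4a-2f9d-4d61-9c3e-5b1a9f2e8d10',
  '00000000-0000-0000-0000-000000000c01',
  '00000000-0000-0000-0000-0000000000a1',
  'patient.read',
  '{"patient_id":"00000000-0000-0000-0000-0000000000f1","source":"api"}'::jsonb
);

-- Any later attempt to rewrite history fails at the trigger:
--   update public.audit_events set action = 'noop' where id = 1;
--   ERROR:  audit_events is append-only (UPDATE blocked)
```

Retention is then a deliberate, scheduled act rather than an ad hoc `DELETE`: a purge job running under a dedicated role disables the trigger inside a single transaction, deletes rows older than the retention window, re-enables the trigger, and records its own run as an audit event.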
Need deeper evidence (RLS matrices, incident runbooks, SOC artifacts)? Request access to the private documentation bundle via Partner Ops.
Security FAQs
- **Do you sign a BAA?** Yes. We execute a BAA with partners and maintain BAAs with all subcontractors handling PHI.
- **Where is data stored?** In our Supabase project's configured region with encrypted storage and backups.
- **How do you control access?** Azure Entra SSO for staff; RLS policies enforce tenant- and role-level isolation in Postgres.
- **How long do you retain logs?** Audit logs are retained to meet payer and regulatory requirements; extended retention is available by request.
- **How do you handle incidents?** We follow a documented IR playbook with defined SLAs and notification timelines; detailed evidence is available privately on request.
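The access-control answer above says RLS enforces tenant- and role-level isolation in Postgres. As an added example (not the project's own policies), here is what that looks like on a Supabase project, including the check a reviewer would run to confirm cross-tenant reads return nothing. The `patients` table, its columns, and the `tenant_id` and `app_role` JWT claims are hypothetical; `auth.jwt()` and `auth.uid()` are the Supabase-provided helpers, and the custom claims are assumed to be added by the project's access-token hook.

```sql
-- Added illustration (not the vendor's real schema): tenant- and role-level
-- isolation with Postgres RLS on Supabase. Table, columns and the custom JWT
-- claims (tenant_id, app_role) are hypothetical.
create table if not exists public.patients (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null,
  clinician  uuid not null,            -- auth.users.id of the treating clinician
  mrn        text not null,
  created_at timestamptz not null default now()
);

-- Enable and FORCE RLS so the table owner is subject to the policies too.
alter table public.patients enable row level security;
alter table public.patients force row level security;

-- Tenant isolation: a request sees only rows whose tenant_id matches the
-- tenant claim in its JWT. A missing claim yields NULL and the check fails.
create policy patients_tenant_read on public.patients
  for select to authenticated
  using (tenant_id = (auth.jwt() ->> 'tenant_id')::uuid);

-- Role-level write access within the tenant: only clinicians may insert, and
-- only rows assigned to themselves. WITH CHECK is evaluated on the new row.
create policy patients_clinician_insert on public.patients
  for insert to authenticated
  with check (
    tenant_id = (auth.jwt() ->> 'tenant_id')::uuid
    and (auth.jwt() ->> 'app_role') = 'clinician'
    and clinician = auth.uid()
  );

-- No UPDATE/DELETE policy exists, so those are denied under RLS. Also make
-- sure the API roles never received broader table grants than intended.
revoke all on public.patients from anon;
grant select, insert on public.patients to authenticated;

-- Verification, run as a superuser in psql. Supabase's auth.jwt() reads the
-- request.jwt.claims setting, so we can simulate two tenants' tokens.
begin;
set local role authenticated;
select set_config('request.jwt.claims', '{"sub":"00000000-0000-0000-0000-000000000c01","role":"authenticated","tenant_id":"00000000-0000-0000-0000-0000000000a1","app_role":"clinician"}', true);
insert into public.patients (tenant_id, clinician, mrn)
values ('00000000-0000-0000-0000-0000000000a1', '00000000-0000-0000-0000-000000000c01', 'MRN-0001');
select count(*) as own_tenant_rows from public.patients;   -- expect 1

-- Same clinician id, different tenant claim: must see nothing.
select set_config('request.jwt.claims', '{"sub":"00000000-0000-0000-0000-000000000c01","role":"authenticated","tenant_id":"00000000-0000-0000-0000-0000000000b2","app_role":"clinician"}', true);
select count(*) as other_tenant_rows from public.patients; -- expect 0

-- A non-clinician in the right tenant is refused on insert by WITH CHECK.
select set_config('request.jwt.claims', '{"sub":"00000000-0000-0000-0000-000000000c02","role":"authenticated","tenant_id":"00000000-0000-0000-0000-0000000000a1","app_role":"scheduler"}', true);
-- insert into public.patients (tenant_id, clinician, mrn)
-- values ('00000000-0000-0000-0000-0000000000a1', '00000000-0000-0000-0000-000000000c02', 'MRN-0002');
-- ERROR:  new row violates row-level security policy for table "patients"
rollback;
```

Two caveats a reviewer should keep in mind: Supabase's `service_role` key maps to a Postgres role with `BYPASSRLS`, so any server-side component holding that key is bound by application code rather than by these policies, which is why delegated service accounts deserve their own review; and a policy is only as good as the claim it reads, so the token hook that stamps `tenant_id` into the JWT is part of the isolation boundary and belongs in the RLS matrix.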
Compliance Checklist
| Control Area | What to Review | Artifacts |
|---|---|---|
| Privacy & Consent | Patient consent flow, opt-out handling | Partner Ops portal demo, consent schema |
| Data Residency | Supabase region, backup replication | Supabase config, Pulumi plan (coming) |
| Vendor Alignment | Sub-BAAs and security questionnaires | Vendor evidence index (private) |
| Incident Response | Escalation matrix and breach notification timeline | Incident Response Playbooks (private) |
