01 · Security at Perpetua

Built for medical data from day one.

Patient data is the product's reason for existing. Every decision in the stack is made with that responsibility in mind.

02 · Operating Principles

How we think about security.

01

Least privilege by default

Every agent, user, and service account gets only the access it needs. Nothing wider.

02

Fail closed, not open

If authentication fails or a policy check errors, the request is denied. Silent fallback to open access is never acceptable.

03

Audit everything that touches PHI

Every query against patient data is traced. The HIPAA audit agent watches those traces for anomalies in real time.

04

Only ship what we can defend

We'd rather delay a feature than add an attack surface we don't fully understand.

03 · Controls in Place

What we actually do.

Everything below is live in production on the real Perpetua stack. If it's not on this page, we don't claim to do it.

01

Row-Level Security on every table

Supabase Postgres with RLS enabled on every table that touches patient data. Every query is scoped to the authenticated user's organization at the database layer.

  • Policies enforced in the database, not just the application
  • Cross-organization data access is rejected at the database layer
  • Service-role key is never exposed to the browser
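What "scoped to the authenticated user's organization at the database layer" looks like in Postgres, as an added illustration rather than Perpetua's own schema: the table name, the `org_id` column and the `org_id` JWT claim are assumptions, and the `request.jwt.claims` setting is the one Supabase populates from the request's verified JWT.

```sql
-- Constructed example: a patient table scoped per organization.
create table patients (
  id        bigint generated always as identity primary key,
  org_id    uuid not null,
  full_name text not null,
  phone     text
);

-- Enable RLS and FORCE it so the table owner is subject to policies too.
alter table patients enable row level security;
alter table patients force row level security;

-- Read the caller's organization from the verified JWT claims.
-- The claim name 'org_id' is an assumption for this example.
-- With no claims set (missing_ok = true) or no org claim, the result is
-- NULL; a NULL policy predicate is treated as false, so the policy fails
-- closed: such a session sees no rows rather than every row.
create or replace function current_org_id()
returns uuid
language sql
stable
as $$
  select nullif(
    current_setting('request.jwt.claims', true)::jsonb ->> 'org_id',
    ''
  )::uuid
$$;

-- Reads are filtered by the caller's organization.
create policy patients_select_own_org on patients
  for select
  using (org_id = current_org_id());

-- Writes use the same predicate for both USING (existing rows) and
-- WITH CHECK (new or updated rows), so a caller can neither modify
-- another organization's rows nor insert rows tagged with another org.
create policy patients_modify_own_org on patients
  for all
  using (org_id = current_org_id())
  with check (org_id = current_org_id());
```

Roles with BYPASSRLS, including Supabase's service role, skip these policies entirely, which is why the bullet about never exposing the service-role key to the browser is part of the same control.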

02

Clerk for authentication

All sign-in, session, and multi-factor flows run through Clerk. We don't store passwords, we don't reinvent auth, and every request carries a verified user ID.

  • Managed email/password + magic link + social sign-in
  • Per-user MFA available
  • Session tokens validated on every API route via middleware

03

Encrypted at rest and in transit

Data sitting in the database is encrypted at the disk level. Data moving between your browser, our backend, and every downstream provider rides TLS.

  • AES-256 at rest via managed Postgres
  • TLS 1.2+ enforced on every API and webhook
  • HSTS enabled on the marketing and dashboard domains

04

HIPAA-compliant infrastructure

Every subprocessor that touches PHI has a signed BAA before it's turned on in production. Database, auth, phone, SMS, email — all covered.

  • BAAs in place with every data subprocessor
  • Principle of least privilege across agents and services
  • HIPAA audit agent monitors PHI access patterns continuously

05

No PHI in logs

Our logging pipelines strip protected health information before anything leaves the application. If we can't debug without the data, we collect it under your supervision.

  • Patient names, phone numbers, and insurance IDs are redacted
  • Error tracking (Sentry) is scoped to stack traces, not payloads
  • Audit trail table records who accessed what

06

CSP + hardened headers

Every page served by the dashboard ships with a strict Content Security Policy. No eval, no inline script injection surface, no third-party script pulled in without review.

  • Strict CSP limits where scripts and frames can load from
  • X-Frame-Options, X-Content-Type-Options, Referrer-Policy set at the edge
  • Subresource integrity on any cross-origin assets

07

Input sanitization at every boundary

Every form, webhook, and agent-ingested field runs through typed schema validation before data ever reaches the database.

  • Zod schemas validate every API route body and query
  • TypeScript strict mode catches type errors that could otherwise leak unintended fields
  • Rate limiting on auth and public form endpoints

08

Role-scoped dashboard access

Staff see what they need to see, and nothing else. Admins see audit trails. Providers see their patient panel. Front desk sees scheduling and intake.

  • Role-based dashboard views
  • Feature flags for phased rollouts
  • Every mutation written to audit log with user + timestamp

09

Managed, reviewed infrastructure

Vercel for the web tier, Supabase for Postgres + auth, and a dedicated FastAPI worker for AI-agent execution. Every layer is run by a vendor with a strong security posture.

  • Vercel Pro with per-environment secrets and branch isolation
  • Supabase Pro with automated backups and point-in-time recovery
  • FastAPI workers on Railway with per-service env scoping

04 · Responsible Disclosure

Found something? Tell us.

Security researchers and customers: if you believe you've found a vulnerability in Perpetua Health, send details to the address below. We respond within one business day.

security@perpetuahealth.com

05 · Compliance Docs

Need a BAA or security questionnaire?

We ship signed BAAs same-day and answer the standard HIPAA security questionnaire on request.
