Last reviewed: 2026-05-02.
Compliance posture
- HIPAA Security Rule (45 CFR §§ 164.308–164.318) safeguards implemented.
- Annual risk analysis (§ 164.308(a)(1)(ii)(A)).
- Annual external penetration test.
- Quarterly authenticated web app vulnerability scan.
- SOC 2 Type II — in progress.
Encryption
- At rest: AES-256 on Postgres, Valkey, Spaces, all managed by DigitalOcean. Field-level encryption (Fernet) for particularly sensitive PHI columns (encrypted_member_id, etc.).
- In transit: TLS 1.2+ end-to-end. PG SSL required. Redis TLS required. HSTS preload.
- Key management: keys held by the cloud provider under BAA scope. We do not export raw keys.
Access control
- Role-based access control with least-privilege defaults.
- Two-factor authentication available; required for staff with PHI access.
- Workforce clearance and termination procedures (/legal/access-provisioning).
- Quarterly access reviews surfaced via the Officer Checklist (/superdashboard/compliance/checklist).
- Break-glass emergency-access procedure with mandatory audit and next-business-day review.
Audit logging
- Every authenticated dashboard action writes an AuditLog row with actor, action, target, IP, UA, and metadata.
- Rows are tamper-evident: each row's entry_hash = sha256(prev_hash || canonical_payload). The Security Officer runs the chain verifier at least monthly.
- Retention: 6 years (§ 164.530(j)).
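As an added illustration (not the page's own verifier), the following Python sketch shows how a chain of the form entry_hash = sha256(prev_hash || canonical_payload) is built and verified, and why an edited or deleted row is detected; the all-zero genesis anchor, JSON canonicalisation and the sample rows are assumptions, not details from this page.

```python
import copy
import hashlib
import json

# Assumed anchor for the first row's prev_hash (not stated on the page).
GENESIS_HASH = "0" * 64
# The fields the page says every AuditLog row carries.
PAYLOAD_FIELDS = ("actor", "action", "target", "ip", "ua", "metadata")

def canonical_payload(row):
    # Sorted keys and fixed separators: an identical row must always yield
    # identical bytes, otherwise the hash could not be recomputed later.
    return json.dumps({k: row[k] for k in PAYLOAD_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()

def entry_hash(prev_hash, row):
    # entry_hash = sha256(prev_hash || canonical_payload)
    return hashlib.sha256(prev_hash.encode() + canonical_payload(row)).hexdigest()

def append_row(chain, row):
    prev = chain[-1]["entry_hash"] if chain else GENESIS_HASH
    stored = dict(row, prev_hash=prev, entry_hash=entry_hash(prev, row))
    chain.append(stored)
    return stored

def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad row)."""
    prev = GENESIS_HASH
    for i, stored in enumerate(chain):
        if stored["prev_hash"] != prev or stored["entry_hash"] != entry_hash(prev, stored):
            return False, i
        prev = stored["entry_hash"]
    return True, None

def demo():
    # Constructed sample rows, not real audit data.
    chain = []
    for actor, action, target in [("alice", "member.view", "member:42"),
                                  ("bob", "export.create", "export:7"),
                                  ("alice", "member.update", "member:42")]:
        append_row(chain, {"actor": actor, "action": action, "target": target,
                           "ip": "203.0.113.5", "ua": "Mozilla/5.0 (test)",
                           "metadata": {"reason": "constructed sample"}})
    intact, _ = verify_chain(chain)
    # Edit one field in a copy: that row's stored hash no longer matches.
    edited = copy.deepcopy(chain)
    edited[1]["target"] = "export:8"
    # Drop a row in a copy: the gap shows up as a prev_hash mismatch.
    deleted = chain[:1] + chain[2:]
    return intact, verify_chain(edited), verify_chain(deleted)
```

A monthly run of such a verifier catches silent edits and deletions but not a missing tail; pairing it with a count or latest-hash checkpoint stored outside the database closes that gap.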
Incident response
- Documented runbook at /docs/hipaa/policies/breach-notification.md.
- Security Officer 24/7 on call.
- Initial reportable-breach determination within 4 hours of discovery; § 164.404 60-day individual notification clock tracked per-incident in the dashboard.
Reporting a vulnerability
Email [email protected] with details. We acknowledge within 24 hours and provide a status update within 5 business days. Coordinated disclosure preferred.