Security
How we keep your clients' data safe.
Plain answers to the questions your CTO and general counsel are going to ask, written by the engineering team. Last reviewed July 2026.
platform.health/admin/audit
LiveTimeEventChain
09:39:40Zbaa.countersignsystem#e5a90c77prev #48b3d6f1
09:39:12Zrx.approvedr.adams@northshore#48b3d6f1prev #a16c39e8
09:38:55Zticket.replysupport@platform#a16c39e8prev #d20f81b3
09:38:20Zexport.phi.completesystem#d20f81b3prev #9f3a21c4
09:41:07Zrx.approvedr.chen@halcyon#9f3a21c4prev #7b219e55
Who can sign in
Authentication
- Clerk for production identity. Email + password, magic link, passkey, and Google / Microsoft SSO out of the box. SAML / OIDC available on the Scale plan.
- Multi-factor authentication required on every admin account; recommended for staff and customers.
- Session tokens are short-lived (30m) with sliding refresh. Clerk owns the cryptographic primitives; we never see passwords.
- Internal platform-team admin surface is gated behind a second factor + IP allowlist + per-action audit log.
How money moves
Payments
- Each clinic is the merchant of record on its own Stripe account. Client funds settle directly to the clinic — we never hold, route, or aggregate money across merchants. We never touch card data either: Elements + tokenized SetupIntents only. PCI scope: SAQ A.
- Webhook signatures verified on every Stripe callback. Idempotency keys on every PaymentIntent, Refund, and settlement-ledger entry prevent double-charges under retry.
- Vendors invoice clinics at wholesale and settle net-30 via Modern Treasury ACH — no Stripe-Connect splits. Vendors complete KYB + bank verification before the first disbursement is allowed.
- Refunds and disbursements are append-only audited. Every attempt — successful or failed — is recorded with the actor, amount, and payment-object id.
HIPAA + state Rx
Client data (PHI)
- BAAs in place with: Stripe, Postmark, Twilio, Anthropic, OpenAI, Vercel, our managed Postgres provider. Available on request to qualified prospective customers.
- Per-tenant row-level security on every tenant-scoped Postgres table. A misconfigured query returns zero rows by default; cross-tenant reads are physically prevented at the database layer.
- State Rx compounding rules live in a structured policy database. Orders that cross a state line check the destination's rules; non-compliant orders block at checkout with a clear message.
- All data encrypted at rest (AES-256 via Postgres + S3) and in transit (TLS 1.3 only; HSTS preloaded; HTTP→HTTPS at the edge).
- Client export + deletion endpoints satisfy HIPAA right of access + GDPR right to erasure. SLAs: 30 days export, 90 days deletion (statutory retention exceptions documented).
Paper trail
Audit + observability
- Every operator-initiated mutation (refund, RMA, status change, ticket reply, subscription pause) writes an append-only audit row. The platform-team admin surface exposes the global feed; tenants see their own.
- Audit log is hash-chained — tampering with any historical row breaks every subsequent hash, detectable on verification. SHA-256 chain.
- Sentry for application errors. OpenTelemetry traces for the request → DB → AI provider chain. Logs shipped to a hosted aggregator with 90-day retention.
- Health endpoints (
/api/health,/api/ai/health) ping every required subsystem with per-probe timeouts. 503 returned only when a required subsystem is down — never silent.
Frameworks
Compliance
- HIPAA — BAAs in place with all subprocessors, technical safeguards (encryption, authentication, audit logs, access controls) implemented; admin training program in development.
- SOC 2 Type I — readiness audit Q3, expect report by EOY. Vanta for continuous compliance evidence collection.
- GDPR / CCPA — right of access, right to erasure, opt-out of sale, all wired. Cookie banner on every storefront.
- Prescriber-aligned dispensing — Rx products are gated behind a licensed clinician review flow. Every dispense is tied to a signed clinician note and a 503A pharmacy of record.
- Age verification — for restricted categories. 18+ acknowledgement required before any storefront browse on tenants in those categories.
Who sees what
Subprocessors
Complete list, what they process, and BAA status. Updated monthly; subscribe to subprocessor notifications via the footer.
| Vendor | Purpose | Data | BAA |
|---|---|---|---|
| Stripe | Clinic payments (each clinic’s own account) | Cards (tokenized) | In place |
| Modern Treasury | Vendor ACH settlement (net-30) | Vendor bank info, settlement ledger | Not required |
| Anthropic | AI generation (Claude) | Prompts; PHI when in client threads | In place |
| OpenAI | AI fallback (GPT) | Prompts; PHI when in client threads | In place |
| AI fallback (Gemini) | Prompts; PHI when in client threads | In place | |
| Postmark | Transactional + marketing email | Email addresses, content | In place |
| Twilio | SMS + voice | Phone numbers, content | In place |
| EasyPost | Shipping label generation | Shipping addresses | Not required |
| Hugging Face | Image generation (FLUX) | Prompts only — no PHI | Not required |
| ElevenLabs | Voice synthesis (concierge) | Synthesized audio only | Not required |
| HeyGen | Avatar video | Operator face / voice samples | Not required |
| Sentry | Error tracking | Stack traces, request metadata (no PHI in payloads) | In place |
| Supabase | Managed Postgres | All tenant data | In place |
| Vercel | Application hosting | Logs, metadata; encrypted at rest | In place |
| Cloudflare | CDN + edge | Edge cache only — no DB writes | Not required |
| Clerk | Authentication | Email + password hash; MFA tokens | In place |
When something breaks
Incident response
- On-call engineer 24/7. PagerDuty-rotated; first-acknowledge SLA: 5 min for P0, 30 min for P1.
- Status page at
status.joinplatformhealth.comauto-updates from the same health checks the dashboard uses. RSS + email + Slack-webhook subscriptions. - Customer notification within 4 hours for any incident affecting tenant data, regardless of root cause.
- Post-mortems published within 5 business days for every P0 and P1 — public-by-default unless customer-specific PHI is involved.
Security disclosure
Reporting a vulnerability
We run a coordinated-disclosure program. Email security@joinplatformhealth.com with details. PGP key + .well-known/security.txt at /.well-known/security.txt. Acknowledgement within 24 hours; remediation timelines negotiated case-by-case. Hall-of-fame credit on this page on request.
Need the long-form security questionnaire?
We'll fill out your CAIQ, SIG-Lite, or custom questionnaire and return it within 5 business days. Email security@joinplatformhealth.com with the doc + your timeline.
Request our security packet