Security

How we keep your clients' data safe.

Plain answers to the questions your CTO and general counsel are going to ask, written by the engineering team. Last reviewed July 2026.

Append-only audit log · hash-chainedSeeded demo data
Who can sign in

Authentication

  • Clerk for production identity. Email + password, magic link, passkey, and Google / Microsoft SSO out of the box. SAML / OIDC available on the Scale plan.
  • Multi-factor authentication required on every admin account; recommended for staff and customers.
  • Session tokens are short-lived (30m) with sliding refresh. Clerk owns the cryptographic primitives; we never see passwords.
  • Internal platform-team admin surface is gated behind a second factor + IP allowlist + per-action audit log.
How money moves

Payments

  • Each clinic is the merchant of record on its own Stripe account. Client funds settle directly to the clinic — we never hold, route, or aggregate money across merchants. We never touch card data either: Elements + tokenized SetupIntents only. PCI scope: SAQ A.
  • Webhook signatures verified on every Stripe callback. Idempotency keys on every PaymentIntent, Refund, and settlement-ledger entry prevent double-charges under retry.
  • Vendors invoice clinics at wholesale and settle net-30 via Modern Treasury ACH — no Stripe-Connect splits. Vendors complete KYB + bank verification before the first disbursement is allowed.
  • Refunds and disbursements are append-only audited. Every attempt — successful or failed — is recorded with the actor, amount, and payment-object id.
HIPAA + state Rx

Client data (PHI)

  • BAAs in place with: Stripe, Postmark, Twilio, Anthropic, OpenAI, Vercel, our managed Postgres provider. Available on request to qualified prospective customers.
  • Per-tenant row-level security on every tenant-scoped Postgres table. A misconfigured query returns zero rows by default; cross-tenant reads are physically prevented at the database layer.
  • State Rx compounding rules live in a structured policy database. Orders that cross a state line check the destination's rules; non-compliant orders block at checkout with a clear message.
  • All data encrypted at rest (AES-256 via Postgres + S3) and in transit (TLS 1.3 only; HSTS preloaded; HTTP→HTTPS at the edge).
  • Client export + deletion endpoints satisfy HIPAA right of access + GDPR right to erasure. SLAs: 30 days export, 90 days deletion (statutory retention exceptions documented).
Paper trail

Audit + observability

  • Every operator-initiated mutation (refund, RMA, status change, ticket reply, subscription pause) writes an append-only audit row. The platform-team admin surface exposes the global feed; tenants see their own.
  • Audit log is hash-chained — tampering with any historical row breaks every subsequent hash, detectable on verification. SHA-256 chain.
  • Sentry for application errors. OpenTelemetry traces for the request → DB → AI provider chain. Logs shipped to a hosted aggregator with 90-day retention.
  • Health endpoints (/api/health, /api/ai/health) ping every required subsystem with per-probe timeouts. 503 returned only when a required subsystem is down — never silent.
Frameworks

Compliance

  • HIPAA — BAAs in place with all subprocessors, technical safeguards (encryption, authentication, audit logs, access controls) implemented; admin training program in development.
  • SOC 2 Type I — readiness audit Q3, expect report by EOY. Vanta for continuous compliance evidence collection.
  • GDPR / CCPA — right of access, right to erasure, opt-out of sale, all wired. Cookie banner on every storefront.
  • Prescriber-aligned dispensing — Rx products are gated behind a licensed clinician review flow. Every dispense is tied to a signed clinician note and a 503A pharmacy of record.
  • Age verification — for restricted categories. 18+ acknowledgement required before any storefront browse on tenants in those categories.
Who sees what

Subprocessors

Complete list, what they process, and BAA status. Updated monthly; subscribe to subprocessor notifications via the footer.

VendorPurposeDataBAA
StripeClinic payments (each clinic’s own account)Cards (tokenized)In place
Modern TreasuryVendor ACH settlement (net-30)Vendor bank info, settlement ledgerNot required
AnthropicAI generation (Claude)Prompts; PHI when in client threadsIn place
OpenAIAI fallback (GPT)Prompts; PHI when in client threadsIn place
GoogleAI fallback (Gemini)Prompts; PHI when in client threadsIn place
PostmarkTransactional + marketing emailEmail addresses, contentIn place
TwilioSMS + voicePhone numbers, contentIn place
EasyPostShipping label generationShipping addressesNot required
Hugging FaceImage generation (FLUX)Prompts only — no PHINot required
ElevenLabsVoice synthesis (concierge)Synthesized audio onlyNot required
HeyGenAvatar videoOperator face / voice samplesNot required
SentryError trackingStack traces, request metadata (no PHI in payloads)In place
SupabaseManaged PostgresAll tenant dataIn place
VercelApplication hostingLogs, metadata; encrypted at restIn place
CloudflareCDN + edgeEdge cache only — no DB writesNot required
ClerkAuthenticationEmail + password hash; MFA tokensIn place
When something breaks

Incident response

  • On-call engineer 24/7. PagerDuty-rotated; first-acknowledge SLA: 5 min for P0, 30 min for P1.
  • Status page at status.joinplatformhealth.com auto-updates from the same health checks the dashboard uses. RSS + email + Slack-webhook subscriptions.
  • Customer notification within 4 hours for any incident affecting tenant data, regardless of root cause.
  • Post-mortems published within 5 business days for every P0 and P1 — public-by-default unless customer-specific PHI is involved.
Security disclosure

Reporting a vulnerability

We run a coordinated-disclosure program. Email security@joinplatformhealth.com with details. PGP key + .well-known/security.txt at /.well-known/security.txt. Acknowledgement within 24 hours; remediation timelines negotiated case-by-case. Hall-of-fame credit on this page on request.

Need the long-form security questionnaire?

We'll fill out your CAIQ, SIG-Lite, or custom questionnaire and return it within 5 business days. Email security@joinplatformhealth.com with the doc + your timeline.

Request our security packet