Security

Practical overview of how gasguide.app protects your data + your patients' data. For deeper diligence (SOC 2 attestation requests, custom DPAs, architecture diagrams), email security@gasguide.app.

Transport security

All traffic is served over HTTPS (TLS 1.2+) at the Cloudflare edge. Plain-HTTP requests receive a 301 redirect to HTTPS at the edge. Every response carries an HSTS header (max-age=63072000; includeSubDomains; preload).

Data at rest

User data is stored in Supabase (Postgres) with AES-256 encryption at rest. Uploaded documents (credential PDFs, OCR sources) are stored in Supabase Storage with server-side encryption and signed-URL access only — no public object URLs.

Authentication

Email + password (bcrypt-hashed by Supabase Auth — we never see plaintext) with TOTP-based multi-factor authentication available on every account. A per-account MFA-required flag is enforced for admin accounts; a per-organization MFA mandate is available on the Enterprise tier.

Authorization — Row-Level Security

Every Postgres table in the crna schema has row-level security (RLS) policies. Each policy is scoped to auth.uid(), so users can only access their own rows. Org admins reach organization-scoped data through membership tables. Admin-platform access requires both an explicit allowlist (ADMIN_EMAILS env var) AND MFA verification (an aal2 session).
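The three tiers described above (own rows, org-admin via membership, platform admin via allowlist plus MFA) as an added SQL example. This is not gasguide's schema: the crna table and column names are assumptions, auth.uid() and auth.jwt() are the Supabase-provided helpers, and the admin allowlist is read from a database setting as a stand-in for the ADMIN_EMAILS environment variable.

```sql
-- Added example (not gasguide's own schema): Supabase/Postgres row-level
-- security in the shape described above. Table and column names are
-- assumptions; auth.uid() and auth.jwt() are Supabase-provided helpers.
create schema if not exists crna;

create table crna.credentials (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null default auth.uid(),  -- user who uploaded it
  org_id     uuid,                              -- optional organization scope
  name       text not null,
  created_at timestamptz not null default now()
);

create table crna.org_members (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('member', 'admin')),
  primary key (org_id, user_id)
);

-- Deny by default: with RLS enabled and no matching policy, application
-- roles see no rows and can write none.
alter table crna.credentials enable row level security;
alter table crna.org_members enable row level security;

-- 1. Users read and write only rows they own. WITH CHECK stops a user from
--    inserting or re-assigning a row to someone else's owner_id.
create policy credentials_owner on crna.credentials
  for all
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- 2. Org admins read rows scoped to an organization they administer; the
--    membership table is the authorization decision.
create policy credentials_org_admin_read on crna.credentials
  for select
  using (
    exists (
      select 1 from crna.org_members m
      where m.org_id = credentials.org_id
        and m.user_id = auth.uid()
        and m.role = 'admin'
    )
  );

-- The subquery above evaluates under the caller's RLS, so members need to be
-- able to see their own membership rows (and nobody else's).
create policy org_members_self on crna.org_members
  for select using (user_id = auth.uid());

-- 3. Platform-admin access: allowlisted e-mail AND an MFA-verified session.
--    Supabase sets the JWT claim aal = 'aal2' once the TOTP factor has been
--    verified. The allowlist comes from a database setting here as a stand-in
--    for the ADMIN_EMAILS environment variable (assumption).
create policy credentials_platform_admin on crna.credentials
  for select
  using (
    coalesce(auth.jwt() ->> 'aal', 'aal1') = 'aal2'
    and (auth.jwt() ->> 'email') = any (
      string_to_array(current_setting('app.admin_emails', true), ',')
    )
  );
```

Permissive policies on the same command are combined with OR, so a row is readable when any of the three SELECT-capable policies passes, and a user with only an aal1 session gets no admin rows even if their e-mail is allowlisted. A useful sanity check after deploying policies is to run a query as an application role with no matching policy and confirm it returns zero rows rather than an error or, worse, every row.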

Audit logging

Every credential read is logged to crna.credential_views with viewer user ID, IP, user agent, and share-link token if applicable. Logs are retained for 6 years per HIPAA. Admin-platform access is logged in Supabase auth.audit_logs. Share-link views are individually logged with timestamp + viewer fingerprint.
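An added example, not gasguide's code, of a read path that records every credential view in an append-only audit table. It assumes a crna.credentials table with an owner-scoped RLS policy, that the application server passes the request's IP, user agent and share-link token into the function, and that auth.uid() is the Supabase helper; table and column names are assumptions.

```sql
-- Added example (not gasguide's own code): log every credential read and make
-- the log append-only. Names are assumptions; auth.uid() is Supabase's helper.
create schema if not exists crna;

create table if not exists crna.credentials (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null default auth.uid(),
  name     text not null
);
alter table crna.credentials enable row level security;
create policy credentials_owner on crna.credentials
  for select using (owner_id = auth.uid());

-- One row per read. viewer_id is null for anonymous share-link views.
create table crna.credential_views (
  id            bigint generated always as identity primary key,
  credential_id uuid not null references crna.credentials(id),
  viewer_id     uuid,
  viewed_at     timestamptz not null default now(),
  ip            inet,
  user_agent    text,
  share_token   text                 -- set only for share-link views
);
alter table crna.credential_views enable row level security;

-- Callers may append rows attributed to themselves and read the trail for
-- credentials they own. No UPDATE or DELETE policy exists, so under RLS the
-- table is append-only for application roles.
create policy credential_views_insert on crna.credential_views
  for insert with check (viewer_id is not distinct from auth.uid());
create policy credential_views_owner_read on crna.credential_views
  for select using (
    exists (select 1 from crna.credentials c
            where c.id = credential_views.credential_id
              and c.owner_id = auth.uid())
  );

-- Defence in depth: refuse edits loudly instead of silently affecting 0 rows.
create function crna.reject_change() returns trigger
language plpgsql as $$
begin
  raise exception 'credential_views rows are immutable';
end $$;
create trigger credential_views_immutable
  before update or delete on crna.credential_views
  for each row execute function crna.reject_change();

-- The read path: fetch one credential and log the access in the same
-- transaction, so a failed insert also rolls back the read. The function runs
-- as the caller (SECURITY INVOKER is the default), so the SELECT is still
-- filtered by the credentials RLS policy. search_path is pinned so that
-- crna.* cannot be shadowed by objects in a caller-writable schema.
create function crna.view_credential(
  p_credential_id uuid,
  p_ip            inet default null,
  p_user_agent    text default null,
  p_share_token   text default null
) returns crna.credentials
language plpgsql
set search_path = crna, pg_temp
as $$
declare
  rec crna.credentials;
begin
  select * into rec from crna.credentials where id = p_credential_id;
  if not found then
    -- Same error whether the row is missing or merely not visible.
    raise exception 'credential not accessible' using errcode = 'P0002';
  end if;
  insert into crna.credential_views
    (credential_id, viewer_id, ip, user_agent, share_token)
  values
    (p_credential_id, auth.uid(), p_ip, p_user_agent, p_share_token);
  return rec;
end $$;

-- Usage from the application (constructed values):
-- select * from crna.view_credential('00000000-0000-0000-0000-000000000001',
--                                    '203.0.113.5'::inet, 'Mozilla/5.0');
-- Audit trail for a credential's owner:
-- select viewed_at, viewer_id, ip, share_token
--   from crna.credential_views where credential_id = '...' order by viewed_at;
```

Routing reads through the function rather than a bare SELECT is what makes the log complete: a row the application can read without passing through view_credential is a row whose reads are unaudited, so the application role should only be granted EXECUTE on the function and SELECT where the logging path cannot be bypassed. The 6-year retention mentioned above then becomes a policy on credential_views itself (no row is ever deleted by application code).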

Subcontractors with data access

Production data is processed by these vendors, each under a signed BAA: Supabase (storage + auth), Cloudflare (CDN + DDoS), Resend (transactional email), AWS Textract (OCR — only when enabled). No other third parties have production data access. Analytics platforms (if added) will be self-hosted Plausible-style — never Google Analytics.

Breach notification

Per our HIPAA breach-notification SOP (45 CFR §164.400–414), we notify affected Covered Entities within 10 business days of breach discovery, individuals within 60 days, HHS Secretary contemporaneously for ≥500 affected. Full SOP downloadable at /legal/breach-notification-sop. Internal Security Officer: security@gasguide.app.

HIPAA Business Associate Agreement

Enterprise customers handling Protected Health Information sign our BAA at onboarding (template at /legal/baa-template). The BAA tightens the regulatory 60-day breach-notification window to 10 business days. It covers all subcontractors listed above and remains in effect until the Service Agreement terminates.

Backups + disaster recovery

Supabase performs daily automatic backups with 7-day point-in-time recovery. Critical files in Supabase Storage have versioning enabled. We run quarterly restore drills (Q1 + Q3). RTO target: 4 hours. RPO target: 24 hours.

Penetration testing + vulnerability management

Quarterly automated dependency scanning via GitHub Dependabot. Annual third-party penetration test scheduled (first scheduled Q3 2026). All security disclosures handled via security@gasguide.app — responsible disclosure rewarded with public credit + thanks (no formal bug bounty $$ yet).

Compliance certifications (roadmap)

Currently: HIPAA-compliant operations + signed BAAs. In progress: SOC 2 Type I (target Q4 2026), Type II (target Q3 2027). Not pursued (yet): HITRUST, FedRAMP. Contact compliance@gasguide.app for current attestation requests.

Security disclosures

Found a vulnerability? Email security@gasguide.app with reproduction steps. We respond within 24 hours, fix within 7–30 days depending on severity, and publicly credit researchers (with consent).

Last updated: .