Security Architecture

Enterprise-grade security for healthcare data

Data Encryption

  • AES-256-GCM authenticated encryption for every PHI field (names, SSN, DOB, contact info)
  • 12-byte (96-bit) random initialization vector generated per encryption operation; GCM's specified nonce size, and a nonce is never reused under the same key
  • 16-byte (128-bit) authentication tag, verified before any decrypted value is returned
  • TLS 1.3 for all data in transit
  • Storage-level encryption at rest via Neon PostgreSQL

Authentication & Authorization

  • OAuth 2.0 via Google and GitHub (NextAuth v5)
  • JWTs carrying organization and role claims
  • 6-tier RBAC with middleware enforcement
  • MFA support for all user accounts
  • Session management with configurable expiry

Infrastructure Security

  • Vercel Edge Network with WAF and DDoS protection
  • Content Security Policy (CSP) headers
  • X-Frame-Options, X-Content-Type-Options, Referrer-Policy
  • Strict-Transport-Security with a 1-year max-age (max-age=31536000)
  • Multi-tenant isolation enforced at the database query level: every query is scoped to the caller's organization

AI Security

  • PHI sanitization before any data reaches AI providers
  • Regex-based redaction of SSN, NPI, DOB, email and phone number patterns
  • No PHI is stored in AI provider systems (OpenAI, Anthropic)
  • Simulation mode for testing without real AI calls
  • Encrypted storage of AI verification results
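An added example of the pattern-based redaction step described above, written in Node.js; it is not the product's own sanitizer, and the placeholder labels, pattern order and sample prompt are assumptions. It goes one step beyond plain regex matching for NPIs: an NPI's last digit is a Luhn check digit computed over the 10 digits prefixed with "80840", so a 10-digit run that passes that check is labelled NPI while any other 10-digit run is still removed rather than left in the prompt.

```javascript
// Added example, not the product's sanitizer: regex redaction of the PHI
// patterns listed above (SSN, NPI, DOB, email, phone) applied to a prompt
// before it leaves the application. Placeholder labels are an assumption.

// NPI check digit: Luhn over the 10 digits prefixed with "80840".
function luhnOk(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Order: email first (it contains digits and dots other patterns could fragment),
// then the hyphenated/slashed formats, then bare digit runs last as a catch-all
// for whatever the earlier patterns left. `classify` lets one pattern pick its label per match.
const PATTERNS = [
  { label: 'EMAIL', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { label: 'SSN',   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { label: 'DOB',   re: /\b(?:\d{1,2}\/\d{1,2}\/\d{4}|\d{4}-\d{2}-\d{2})\b/g },
  { label: 'PHONE', re: /(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b/g },
  // Any bare 10-digit run is redacted; a valid NPI check digit earns the NPI label,
  // anything else is still removed (over-redact rather than leak).
  { label: 'NPI',   re: /\b\d{10}\b/g, classify: (m) => (luhnOk('80840' + m) ? 'NPI' : 'NUMBER') },
];

// Returns the redacted text plus a count per label, suitable for the audit log.
function redactPhi(text) {
  const counts = {};
  let out = text;
  for (const p of PATTERNS) {
    out = out.replace(p.re, (m) => {
      const label = p.classify ? p.classify(m) : p.label;
      counts[label] = (counts[label] || 0) + 1;
      return `[${label}]`;
    });
  }
  return { text: out, counts };
}

// Constructed sample (fictional data). 1234567893 is the CMS sample NPI; 1234567890 fails its check digit.
const samplePrompt =
  'Summarize: patient Jane Doe (SSN 123-45-6789, DOB 01/15/1980) saw Dr. Lee, NPI 1234567893. ' +
  'Callback (555) 123-4567 or jane.doe@example.com. Ref 1234567890.';
const redacted = redactPhi(samplePrompt);
// redacted.text:
// 'Summarize: patient Jane Doe (SSN [SSN], DOB [DOB]) saw Dr. Lee, NPI [NPI]. Callback [PHONE] or [EMAIL]. Ref [NUMBER].'
```

Note what the sample leaves behind: the name "Jane Doe" survives, because pattern matching only catches identifiers with a fixed shape. Names, addresses and free-text identifiers need a different mechanism (field-level stripping before the prompt is assembled, or an NER pass), so a regex layer should be treated as the last line of defence, not the only one.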

Audit & Monitoring

  • Immutable audit trail for every data access and modification
  • SHA-256 checksum per entry, compared with a timing-safe comparison on verification
  • Paginated, filterable audit log with per-entry verification
  • 7-year minimum retention of audit records (HIPAA itself requires six years for its required documentation; seven exceeds that)
  • Real-time anomaly detection for access patterns