Encrypted before it lands. Audited after it leaves.

• Patient PHI in EOBs, denial reasons, claim IDs, letter narratives.
• Provider credentials — payer portal logins, NPI/tax-ID combinations, signature blocks.
• Practice business data — contracted rates, revenue figures, denial backlogs.
• Subscriber payment information — held exclusively by Stripe (we never see card numbers).

• Narrative PHI — encrypted with libsodium crypto_secretbox(XSalsa20+Poly1305) before insert. Master key in our hosting provider's environment, never in Postgres. Database compromise yields ciphertext only.
• Structured PHI (patient_id_token, claim_id) — Postgres column-level pgcrypto, practice-keyed.
• Payer credentials — Supabase Vault (AES-256), reference-only in DB.
• Letter PDFs — Supabase Storage default AES-256, accessed only via signed URLs with 60-minute expiry, every generation logged.
• In transit — TLS 1.2+ everywhere, HSTS preloaded.
• Backups — Supabase encrypted snapshots, 30-day retention.

• Supabase Auth with optional MFA (mandatory for owner role).
• Row-Level Security on every PHI-bearing table — a user can only read rows where their practice_id is in practice_members.
• Append-only audit_log table; database trigger blocks UPDATE/DELETE.
• Least-privilege role hierarchy: viewer < biller < admin < owner.

We design against the eight scenarios most likely to cost a practice its accreditation:

1. Database compromise — defended by libsodium ciphertext.
2. Insider misuse / account takeover — RLS + MFA + audit log.
3. Lateral movement — server-side API keys, signed webhooks.
4. Supply chain — lockfile, Dependabot, no transitive postinstall scripts.
5. Accidental PHI commit to git — pre-commit PHI scan.
6. PDF leakage via predictable URLs — signed-URL only, 60-minute expiry.
7. Fax misroute — recipient pulled from playbook, not user input; confirmation modal required.
8. Algorithmic feedback loop — outcome data anonymized and aggregated before any pattern training.

• HIPAA-aligned. Business Associate Agreement available on request — see BAA template.
• SOC 2 Type 2 in progress — target Q4 2026.
• Annual third-party penetration test on the appeal-letter pipeline.

1. Detection — Supabase observability + Vercel logs + Stripe alert webhooks.
2. Containment — owner-role Kill Switch disables all submissions instantly.
3. Notification — HIPAA Breach Notification Rule timelines (60 days; immediate + media for breaches ≥500).
4. Documentation — every incident gets a private post-mortem with timeline, scope, mitigation.