Security Built for Protected Health Information
Authentication
Passwordless authentication via magic links and WebAuthn passkeys (biometric). No passwords to leak, phish, or forget. JWT-based session management with token revocation.
Access Control
Four roles (Instance Admin, Org Admin, Staff, Viewer) with 39 granular permissions across 8 domains. PHI access is a separate permission dimension: users without explicit PHI access see redacted identifiers. PHI access is granted per user, per organization, and is fully auditable.
User qualifications gate access to regulated operations. Only qualified staff can perform validations, review validations, perform destruction, review destruction, or access financial data.
Audit Trail
Every significant action generates an immutable audit event recording the actor, timestamp, event type, and metadata. Examples include specimen movements, client changes, agreement signings, and validation completions. Events are exportable as CSV for compliance archival and external review.
Data Isolation
Every database query that touches organization-scoped data includes the organization filter. Row-level security enforces this at the database layer, not just the application layer. No cross-org data leakage. Soft delete with restoration preserves data integrity; hard delete is reserved for HIPAA data removal requests.
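As an added illustration of enforcing the organization filter at the database layer rather than only in application code (this is example SQL written for this page, not the product's own schema), the following assumes PostgreSQL, a hypothetical specimens table with an organization_id column, an application role app_user, and a per-session setting app.current_org_id that the application binds after authentication:

```sql
-- Added example, not the product's schema: PostgreSQL row-level security
-- that scopes every query on an organization-owned table to one organization.
-- Assumed names: table "specimens", role "app_user", setting "app.current_org_id".

CREATE TABLE specimens (
    id              bigserial PRIMARY KEY,
    organization_id bigint NOT NULL,
    label           text   NOT NULL,
    deleted_at      timestamptz            -- soft-delete marker; NULL = live row
);

-- Turn RLS on; FORCE makes the policy apply even to the table owner.
ALTER TABLE specimens ENABLE ROW LEVEL SECURITY;
ALTER TABLE specimens FORCE ROW LEVEL SECURITY;

-- A session may only read or write rows whose organization_id matches the
-- organization bound to that session. current_setting(name, true) returns
-- NULL when the setting is unset, so an unscoped session matches no rows.
CREATE POLICY org_isolation ON specimens
    FOR ALL
    TO app_user
    USING      (organization_id = current_setting('app.current_org_id', true)::bigint)
    WITH CHECK (organization_id = current_setting('app.current_org_id', true)::bigint);

-- The application role gets no DELETE: hard delete stays on a separate,
-- privileged path used only for data-removal requests.
GRANT SELECT, INSERT, UPDATE ON specimens TO app_user;

-- Application side, per request and inside the transaction:
--   BEGIN;
--   SET LOCAL app.current_org_id = '42';
--   SELECT id, label FROM specimens WHERE deleted_at IS NULL;  -- org 42 only
--   COMMIT;
-- A query that omits the organization filter still returns only org 42's rows,
-- and an UPDATE that tries to move a row to another organization is rejected
-- by the WITH CHECK clause.
```

Two caveats: policies are skipped for superusers and roles marked BYPASSRLS, so the application must connect as an ordinary role, and SET LOCAL (not SET) keeps the organization binding from outliving the transaction on a pooled connection.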
Infrastructure
Custom domain SSL with automatic certificate provisioning. Rate limiting on all endpoints. Development bypass headers stripped in staging and production. Background alert tasks for autonomous monitoring of validation deadlines and maintenance schedules.
Compliance Roadmap
An 88-control compliance review has been completed with a structured remediation roadmap targeting SOC 2 and ISO 27001. These are active preparation efforts, not distant aspirations.