Security & Compliance
Last updated: February 2026
This page summarizes security practices and operational safeguards used to protect sensitive information. Exact controls may evolve as the platform expands.
1) Security principles
- Least privilege: access is restricted to what is required for job function.
- Defense in depth: multiple layers of security controls reduce single points of failure.
- Auditability: logging and monitoring help detect and investigate abnormal activity.
- Data minimization: collect and store only what is needed to deliver the service.
2) Encryption
- In transit: communications with the platform are protected using modern TLS encryption.
- At rest: stored data is protected using encryption at rest provided by our cloud infrastructure and databases.
3) Authentication and access controls
- Managed authentication: user sign-in is enforced through a managed identity platform (e.g., Azure AD B2C).
- Role-based access control (RBAC): administrative actions are limited to authorized roles.
- Environment separation: development and production environments are separated to reduce risk.
4) Logging, monitoring, and alerting
- Operational logs support reliability and security investigations.
- Monitoring may include detection of suspicious authentication or access patterns.
- Where appropriate, audit trails support accountability for administrative actions.
5) Payments and billing security (Stripe)
- Subscription payments are processed through Stripe.
- We do not store raw payment card numbers on our servers.
- We store only the minimum billing identifiers needed to manage subscriptions (for example, customer or subscription IDs).
For subscription terms, see Terms of Service.
6) Vendor management
- We use reputable cloud and platform vendors to host and operate the service.
- Vendors are evaluated based on security posture and suitability for handling sensitive data.
- We avoid placing sensitive health data into systems that are not intended for that use.
7) Incident response
- We maintain an incident response approach for investigating and remediating potential security events.
- Actions may include containment, review, remediation, and post-incident hardening.
- If notification is required by law or contract, we follow applicable notification requirements.
8) HIPAA-related safeguards
We implement safeguards aligned with HIPAA security principles when handling protected health information (PHI) in applicable workflows. Read more in our HIPAA Notice.
For general privacy practices, see Privacy Policy.