Security overview
Last updated: 2026-04-23
eMedical Platform is built to hold patient health information. This page summarises the controls we operate, the ones still on our roadmap, and how we respond to incidents. We publish this honestly — when a control is not yet in place, we say so.
1. Encryption
- TLS 1.2+ for all data in transit. HSTS with preload on production domains.
- AES-256-GCM at rest (managed by the database and object-storage providers).
- Envelope encryption via AWS KMS with customer-managed keys for enterprise tenants (Scale plan).
- Backups are encrypted with the same controls and keys.
2. Tenant isolation
Every record belongs to exactly one clinic. A clinic_id column is present on every table holding clinic data and is enforced by Postgres row-level security policies. Every database session sets the current clinic identifier before any query runs; queries that do not match the session’s clinic return zero rows.
Cross-tenant access attempts are tested in the CI test suite and reviewed on every schema change.
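The pattern described in this section, shown as an added PostgreSQL example. It is not eMedical Platform's own schema or code; the table patients, the role app_user, the setting app.current_clinic_id and the clinic UUIDs are assumed names and constructed values.

```sql
-- Added illustration. Table, role and setting names are hypothetical.
CREATE TABLE patients (
    id        bigserial PRIMARY KEY,
    clinic_id uuid NOT NULL,
    full_name text NOT NULL
);

-- The application connects as a role without SUPERUSER or BYPASSRLS;
-- both of those attributes skip row-level security entirely.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON patients TO app_user;
GRANT USAGE ON SEQUENCE patients_id_seq TO app_user;

ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well.
ALTER TABLE patients FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) yields NULL when the setting was never set and
-- an empty string after a transaction-local value has expired; NULLIF maps
-- both to NULL, so a session with no clinic set matches no rows.
CREATE POLICY clinic_isolation ON patients
    USING (clinic_id = NULLIF(current_setting('app.current_clinic_id', true), '')::uuid)
    WITH CHECK (clinic_id = NULLIF(current_setting('app.current_clinic_id', true), '')::uuid);

-- One request, handled as one transaction (clinic UUIDs are constructed).
BEGIN;
SET LOCAL ROLE app_user;
-- Third argument true = transaction-local, so the value cannot leak to the
-- next request served by the same pooled connection.
SELECT set_config('app.current_clinic_id',
                  '11111111-1111-1111-1111-111111111111', true);

-- Passes WITH CHECK because clinic_id equals the session's clinic.
INSERT INTO patients (clinic_id, full_name)
VALUES ('11111111-1111-1111-1111-111111111111', 'Constructed Patient A');

-- No WHERE clause on clinic_id: the policy restricts the result to the
-- session's clinic on its own.
SELECT id, full_name FROM patients;

-- Targets another clinic's rows; USING hides them, so nothing is updated.
UPDATE patients SET full_name = 'x'
WHERE clinic_id = '22222222-2222-2222-2222-222222222222';
COMMIT;
```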
3. Authentication and access
- Password hashing with bcrypt (cost 12). Passwords are never logged.
- Multi-factor authentication (TOTP) is supported and mandatory on the Clinic and Scale plans.
- SSO (SAML 2.0) and SCIM user provisioning are available on the Scale plan.
- Session tokens are short-lived JWTs; refresh tokens can be revoked at any time.
- Role-based access control — Owner, Admin, Practitioner, Front desk, Read-only — limits what each user can see and do.
4. Audit logging
Every read and write of patient data is recorded with actor, action, resource, before/after diff, IP and user agent. Clinic owners and admins can review their own audit log in-app. Logs are retained for at least six years or the period required by your jurisdiction, whichever is longer.
5. Infrastructure
- Hosted on AWS in the region your clinic selects (AU, EU, US).
- Production networks are isolated; databases are not publicly routable.
- Infrastructure is provisioned via Terraform and peer-reviewed.
- Least-privilege IAM with mandatory MFA for all staff with production access.
6. Backups and disaster recovery
- Automated point-in-time backups with a 35-day window.
- Cross-AZ replication on the primary database.
- Recovery drills run at least quarterly.
- Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 15 minutes.
7. Secure development
- All changes via pull request, reviewed by at least one other engineer.
- Automated dependency scanning and SAST on every PR.
- Dependabot + Renovate for timely security updates.
- Production deployments via immutable builds; no manual SSH.
8. Penetration testing
We engage an independent security firm for an annual external penetration test. Summary letters are available under NDA on the Clinic and Scale plans. Critical findings are remediated to a written timeline.
9. Compliance posture
| Framework | Status |
|---|---|
| HIPAA (US) | BAA available on Clinic and Scale plans |
| GDPR / UK GDPR | DPA available; EU region supported |
| Australian Privacy Act | Compliant by design |
| SOC 2 Type I | In progress — evidence collection underway |
| SOC 2 Type II | Planned within 12 months of Type I |
| ISO 27001 | Under evaluation |
10. Incident response
We operate a written incident-response runbook and conduct tabletop exercises every six months. If we become aware of a personal-data or PHI breach, we will notify affected customers without undue delay and in any case within 72 hours, following the process in our Data Processing Addendum.
Report a suspected issue to security@emedicalplatform.com. PGP key available on request.
11. Vulnerability disclosure
We welcome reports from security researchers. Please report vulnerabilities privately to security@emedicalplatform.com. Do not test on production data, do not attempt to access data belonging to other customers, and do not run automated scanners that degrade service. We will acknowledge within 3 business days and provide status updates until resolution.
12. Contact
Security team: security@emedicalplatform.com
Status: status.emedicalplatform.com