Security

PHI isolation
by architecture.

Currently doesn't bolt security on as an afterthought. Dual-database PHI isolation, session-first access control, scope-based data filtering, and full audit trails are baked into every layer of the platform.

Core Protections

Security at every
layer of the stack.

From database architecture to application logic to user permissions — security decisions are structural, not configurable.

Dual-Database Architecture

Protected health information lives in a dedicated Cloud SQL database with its own access controls. The platform database contains only de-identified, anonymized data.

Separate PHI database (Module1/Cloud SQL) with independent access controls
Platform database holds only de-identified data — never PHI
Shared UUIDs link records across databases without exposing PHI
Database-level isolation — not application-level filtering

Session-First RBAC

Every request resolves a session with scope, permissions, and data filter before any business logic runs. No role strings scattered through application code.

Clerk-managed authentication with MFA support
Session resolves scope, Can flags, and dataFilter automatically
Permission checks via session.can.* — never raw role strings
Four scopes (platform, HIE, provider, patient) with distinct permission sets

Scope-Based Data Filtering

Database queries are automatically filtered by the authenticated user's scope. A provider user physically cannot query another organization's data.

Query-level enforcement — not application-level checks
Platform admins see all organizations
HIE admins see their provider network
Provider users see their org; patients see their records

Audit & Compliance

Every action, transformation, and permission change is logged. Full traceability from raw data input to processed output to user access.

Data transformation logging with before/after snapshots
User action audit trails for all CRUD operations
Role and permission change history
AI-assisted cleaning logged with full transformation context

Infrastructure

Cloud-native
security posture.

Built on Google Cloud Platform with defense-in-depth across compute, storage, networking, and identity layers.

Google Cloud Platform

Hosted on GCP with Cloud SQL for databases, Cloud Run for compute, and Cloud Storage for file staging. All data encrypted at rest and in transit.

Clerk Authentication

Enterprise-grade authentication with multi-factor support, session management, and organization-level user provisioning. Auth state synced to both databases via webhooks.

Encrypted Connectivity

All six connectivity types (GCS, S3, Azure, SFTP, FTP, API) use encrypted transport. Credentials stored securely and connection-tested before activation.

Webhook Verification

Inbound webhooks from Clerk, Stripe, and Linear are signature-verified before processing. No unverified payloads reach application logic.

API Key Management

Service-to-service authentication via API keys with scope-limited access. Keys are revocable and audited independently from user sessions.

Data Minimization

The platform database follows data minimization principles — only what's needed for non-PHI operations. PHI stays isolated in the dedicated health data store.

By Design

Security in numbers.

Isolated Databases

Access Scopes

PHI in Platform DB

100%

Actions Logged

Get started

Transform your
healthcare data infrastructure.

Start processing HL7 messages, ensure data quality, and enable FHIR-based interoperability — all from one platform.

View Features

PHI isolationby architecture.

Security at everylayer of the stack.

Dual-Database Architecture

Session-First RBAC

Scope-Based Data Filtering

Audit & Compliance

Cloud-nativesecurity posture.

Google Cloud Platform

Clerk Authentication

Encrypted Connectivity

Webhook Verification

API Key Management

Data Minimization

Security in numbers.

Transform yourhealthcare data infrastructure.

PHI isolationby architecture.

Security at everylayer of the stack.

Dual-Database Architecture

Session-First RBAC

Scope-Based Data Filtering

Audit & Compliance

Cloud-nativesecurity posture.

Google Cloud Platform

Clerk Authentication

Encrypted Connectivity

Webhook Verification

API Key Management

Data Minimization

Security in numbers.

Transform yourhealthcare data infrastructure.

PHI isolation
by architecture.

Security at every
layer of the stack.

Cloud-native
security posture.

Transform your
healthcare data infrastructure.

PHI isolation
by architecture.

Security at every
layer of the stack.

Cloud-native
security posture.

Transform your
healthcare data infrastructure.