Security at Dental Refer

We treat dental PHI the way the regulations treat it: as data with real obligations to the patient, the provider, and the practice. Every control below is engineered, not asserted. Where it's verifiable end-to-end, we say so.

Encryption

  • AES-256-GCM envelope encryption of PHI at rest: per-record data keys wrapped by a separately held master key (Phase C runtime-proven)
  • TLS 1.2+ in transit (HSTS preload, max-age=63072000, i.e. two years)
  • PBKDF2-HMAC-SHA512 password hashing, 210,000 iterations (the OWASP-recommended work factor for this construction)
  • Per-org third-party integration credentials stored encrypted in the integration_credentials table

Identity & access

  • HttpOnly + Secure + SameSite session cookies
  • 30-minute idle timeout, 12-hour absolute maximum
  • Optional TOTP-based 2FA per user
  • Role-based access control (5 roles + admin)
  • Organization-scoped data isolation; org_id is derived server-side from the authenticated session, never taken from request parameters or the request body

Audit & integrity

  • Immutable, append-only audit_log (PostgreSQL triggers reject UPDATE and DELETE)
  • Hash-chained audit entries: each row stores prev_hash, the hash of the row before it; the chain is verified daily
  • Every PHI read, write, and attachment download audited
  • No PHI in audit metadata: only hashed identifiers and scoped action codes
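As an added illustration of the scheme described above (this is not Dental Refer's own code; the audit_log column names, the HMAC pepper for identifiers and the canonical field encoding are assumptions), the following TypeScript builds a prev_hash chain over audit rows, keys every identifier with an HMAC so no raw patient or user id lands in the log, and runs the kind of verification a daily job would perform, reporting the first row at which the chain breaks for both an in-place edit and a silently deleted row.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical shape of one audit_log row; the real table's columns are not on the page.
export interface AuditEntry {
  seq: number;        // monotonically increasing row number
  ts: string;         // ISO-8601 timestamp
  actorHash: string;  // HMAC of the user id, never the id itself
  action: string;     // scoped action code, e.g. "phi.read"
  targetHash: string; // HMAC of the patient/record id
  prevHash: string;   // hash of the previous row (all zeros for the first row)
  hash: string;       // SHA-256 over prevHash plus this row's fields
}

const GENESIS_HASH = "0".repeat(64);

// Pepper assumed to live in a secret store; a constructed constant for this example.
const ID_PEPPER = "example-pepper-do-not-use-in-production";

// Identifiers are keyed hashes: the log carries no raw identifier and cannot be
// reversed by a dictionary attack without the pepper.
export function hashIdentifier(id: string): string {
  return createHmac("sha256", ID_PEPPER).update(id).digest("hex");
}

// Canonical preimage: fixed field order, pipe-delimited, so every verifier derives
// byte-identical input. Fields containing the delimiter are rejected at write time.
function preimage(e: Omit<AuditEntry, "hash">): string {
  const fields = [e.prevHash, String(e.seq), e.ts, e.actorHash, e.action, e.targetHash];
  if (fields.some((f) => f.includes("|"))) throw new Error("audit field contains delimiter");
  return fields.join("|");
}

export function rowHash(e: Omit<AuditEntry, "hash">): string {
  return createHash("sha256").update(preimage(e)).digest("hex");
}

// Append a row, chaining it to the last row's hash (or the genesis value).
export function appendEntry(
  chain: AuditEntry[],
  row: { ts: string; actorId: string; action: string; targetId: string },
): AuditEntry[] {
  const last = chain.length ? chain[chain.length - 1] : undefined;
  const body = {
    seq: last ? last.seq + 1 : 1,
    ts: row.ts,
    actorHash: hashIdentifier(row.actorId),
    action: row.action,
    targetHash: hashIdentifier(row.targetId),
    prevHash: last ? last.hash : GENESIS_HASH,
  };
  return [...chain, { ...body, hash: rowHash(body) }];
}

export interface VerifyResult { ok: boolean; brokenAt: number | null }

// Walk the chain: every row must hash to its stored hash, carry the expected seq,
// and point at the previous row. Returns the first broken seq for alerting.
export function verifyChain(chain: AuditEntry[]): VerifyResult {
  let expectedPrev = GENESIS_HASH;
  let expectedSeq = 1;
  for (const e of chain) {
    const { hash, ...body } = e;
    const recomputed = Buffer.from(rowHash(body), "hex");
    const stored = Buffer.from(hash, "hex");
    const hashOk = stored.length === recomputed.length && timingSafeEqual(stored, recomputed);
    if (e.seq !== expectedSeq || e.prevHash !== expectedPrev || !hashOk) {
      return { ok: false, brokenAt: e.seq };
    }
    expectedPrev = e.hash;
    expectedSeq += 1;
  }
  return { ok: true, brokenAt: null };
}

// Constructed sample: three events, then an out-of-band edit and a deletion.
export function demo(): { intact: VerifyResult; tampered: VerifyResult; deleted: VerifyResult } {
  let chain: AuditEntry[] = [];
  chain = appendEntry(chain, { ts: "2024-05-01T09:00:00Z", actorId: "user-17", action: "phi.read", targetId: "patient-4021" });
  chain = appendEntry(chain, { ts: "2024-05-01T09:01:30Z", actorId: "user-17", action: "attachment.download", targetId: "patient-4021" });
  chain = appendEntry(chain, { ts: "2024-05-01T09:05:00Z", actorId: "user-42", action: "phi.write", targetId: "patient-3300" });

  const tampered = chain.map((e) => ({ ...e }));
  const second = tampered[1];
  if (second) second.action = "phi.read"; // an attacker rewrites what happened in row 2

  const deleted = chain.filter((e) => e.seq !== 2); // row 2 silently removed
  return { intact: verifyChain(chain), tampered: verifyChain(tampered), deleted: verifyChain(deleted) };
}
```

The trigger is what stops ordinary UPDATE and DELETE; the chain catches what the trigger cannot, such as edits made with superuser rights or on a restored backup, but only if the verifier compares the tail against a hash anchored outside the database (for example, the latest hash copied to a separate store after each daily check). Without that anchor an attacker who can rewrite rows can also rewrite every subsequent hash.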

Application security

  • Strict TypeScript across all surfaces; Zod validation on all API I/O
  • Rate limiting on auth, search, and PHI endpoints
  • CSP, X-Frame-Options DENY, Permissions-Policy lockdown
  • Active defense: per-session decrypt block + honeypot rotation (Layers 3/4)
  • SAST + dependency scanning + secret scanning on every PR

Attachments & file safety

  • MIME-type allowlist on upload (image/*, application/pdf, application/dicom)
  • Max 50 MB per file
  • Virus scan before file is accessible
  • Signed URLs with short TTL (15 min) for downloads
  • Object storage encryption at rest (R2)
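As an added example (not the project's code; the signing key, the /download/<key>?org=&exp=&sig= URL layout and the org binding are assumptions), this TypeScript issues a download URL that expires after 15 minutes and checks one on the way back in. In production the object store's own presigned-URL mechanism would normally take the place of the signing function; the shape of the check is the same either way.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed signing key; in practice loaded from a secret store and rotated.
const SIGNING_KEY = Buffer.from("example-signing-key-not-for-production");
const TTL_SECONDS = 15 * 60;

// The signed message binds the owning org, the object key and the expiry, so a URL
// cannot be replayed against another org's object or have its lifetime extended.
function message(orgId: string, objectKey: string, expires: number): string {
  return `${orgId}\n${objectKey}\n${expires}`;
}

function sign(msg: string): string {
  return createHmac("sha256", SIGNING_KEY).update(msg).digest("base64url");
}

// Issue a URL valid for TTL_SECONDS from nowSec (Unix seconds).
export function signDownloadUrl(base: string, orgId: string, objectKey: string, nowSec: number): string {
  const expires = nowSec + TTL_SECONDS;
  const u = new URL(base);
  u.pathname = `/download/${encodeURIComponent(objectKey)}`;
  u.searchParams.set("org", orgId);
  u.searchParams.set("exp", String(expires));
  u.searchParams.set("sig", sign(message(orgId, objectKey, expires)));
  return u.toString();
}

export type Verdict = "ok" | "expired" | "bad-signature" | "malformed";

// Check the signature before the expiry so that tampering with exp alone is
// indistinguishable from any other forgery.
export function verifyDownloadUrl(url: string, nowSec: number): { verdict: Verdict; objectKey?: string } {
  let u: URL;
  try {
    u = new URL(url);
  } catch {
    return { verdict: "malformed" };
  }
  const rawKey = /^\/download\/([^/]+)$/.exec(u.pathname)?.[1];
  const orgId = u.searchParams.get("org");
  const expStr = u.searchParams.get("exp");
  const sig = u.searchParams.get("sig");
  if (!rawKey || !orgId || !expStr || !sig || !/^\d{1,12}$/.test(expStr)) return { verdict: "malformed" };

  const objectKey = decodeURIComponent(rawKey);
  const expires = Number(expStr);
  const expected = Buffer.from(sign(message(orgId, objectKey, expires)));
  const given = Buffer.from(sig);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return { verdict: "bad-signature" };
  if (nowSec >= expires) return { verdict: "expired" };
  return { verdict: "ok", objectKey };
}

// Constructed walk-through: a fresh URL, the same URL after the TTL, and one
// rewritten to point at another org.
export function demo(): Verdict[] {
  const now = 1_700_000_000;
  const url = signDownloadUrl("https://files.example.test", "org-7", "attachments/7f3a/xray.dcm", now);
  return [
    verifyDownloadUrl(url, now + 60).verdict,
    verifyDownloadUrl(url, now + TTL_SECONDS).verdict,
    verifyDownloadUrl(url.replace("org-7", "org-8"), now + 60).verdict,
  ];
}
```

Two details matter for PHI: the server, not the client, supplies nowSec, and the org id is part of the signed message, so a URL leaked from one practice is useless against another practice's object even before it expires.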

Operations

  • Production deploys via Vercel with rollback within 5 min
  • Health-check endpoint reporting PHI encryption-key fingerprints (hashes that identify which key is loaded, never key material) and service status
  • Incident response runbook with on-call rotation
  • Postgres logical backups + point-in-time recovery (Neon)
  • No PHI ever in logs, error responses, or external API payloads

Reporting a vulnerability

Email [email protected] with reproduction steps and impact. We acknowledge within 24 hours, triage within 72 hours, and disclose after the fix in coordination with the reporter. We do not currently run a paid bounty program.

See also HIPAA posture and About.