Security Practices - SmileGen

Security Practices Documentation

SmileGen Security & Compliance Overview

Document Version: 1.0 | Last Updated: December 2024

SmileGen is an AI-powered dental visualization tool that processes patient photos to generate smile transformation previews. This document outlines our security practices for organizations requiring security assessments.

1. Data Classification

Data Type              Classification   Handling
Patient photos         PHI/Sensitive    Encrypted in transit and at rest
Patient contact info   PII/PHI          Encrypted, 30-day retention
AI-generated images    Non-PHI          Encrypted, 30-day retention
Practice credentials   Confidential     Encrypted, access-controlled

2. Infrastructure Security

Hosting Environment

  • Application Hosting: Vercel (SOC 2 Type II certified)
  • Database & Storage: Supabase (SOC 2 Type II, HIPAA-ready)
  • AI Processing: Replicate (images only, no PII transmitted)

Data Centers

  • Primary: US-based data centers
  • All providers maintain physical security controls including:
    • 24/7 security personnel
    • Biometric access controls
    • Video surveillance
    • Environmental controls

3. Data Encryption

In Transit

  • All data transmitted via TLS 1.2+ (HTTPS)
  • API endpoints enforce HTTPS-only connections
  • Certificate management via automated renewal

At Rest

  • Database: AES-256 encryption (Supabase managed)
  • File storage: AES-256 encryption (Supabase managed)
  • Encryption keys managed by cloud provider with regular rotation

4. Access Controls

Application Access

  • Practice-level isolation via unique Location IDs
  • No cross-practice data access possible
  • Session-based authentication for admin functions

Administrative Access

  • Database access restricted to service accounts
  • No direct production database access for developers
  • Audit logging enabled via pgAudit

Third-Party Access

  • Vendors access only minimum necessary data
  • BAA in place with Supabase (HIPAA compliance)
  • BAA in place with GoHighLevel (HIPAA add-on)

5. Data Handling Practices

Collection

  • Explicit consent required before photo upload (checkbox)
  • Minimum necessary data collection principle
  • Clear privacy policy disclosure

Processing

  • Photos processed by AI for visualization only
  • No facial recognition or biometric template storage
  • AI results are cosmetic illustrations, not medical predictions

Retention

  • Patient transformation data: 30 days
  • Practice account data: Duration of subscription + 30 days
  • Financial records: 7 years (legal requirement)
  • Server logs: 30 days

Deletion

  • Automatic purge after retention period
  • Manual deletion available upon request
  • Secure deletion (data unrecoverable)

6. Incident Response

Breach Notification

  • Discovery to assessment: Within 24 hours
  • Notification to affected practices: Within 72 hours
  • Notification to individuals (if required): Within 60 days
  • Documentation and root cause analysis: Within 30 days

Contact for Security Incidents

7. Vendor Management

Vendor        Purpose               Security Measures
Supabase      Database & Storage    SOC 2, HIPAA BAA signed
Vercel        Application Hosting   SOC 2 Type II
GoHighLevel   CRM Integration       HIPAA add-on enabled, BAA available
Replicate     AI Processing         Images only (no PII), processing-only

8. Compliance Framework

HIPAA

  • Business Associate Agreement available upon request
  • Technical safeguards implemented per Security Rule
  • Administrative safeguards documented
  • Physical safeguards managed by cloud providers

SOC 2

  • Infrastructure providers maintain SOC 2 Type II
  • Annual audit reports available from vendors

9. Employee Security

  • Background checks for employees with data access
  • Security awareness training
  • Principle of least privilege for system access
  • No local storage of PHI on employee devices

10. Business Continuity

  • Database backups: Daily, 30-day retention
  • Point-in-time recovery: Available
  • Geographic redundancy: Via cloud provider
  • RPO (Recovery Point Objective): 24 hours
  • RTO (Recovery Time Objective): 4 hours

11. Audit Logging

What We Log

  • Database access and modifications (pgAudit)
  • API access patterns
  • Authentication events
  • Administrative actions

What We Don't Log

  • Patient names, emails, or phone numbers in application logs
  • Full request/response bodies containing PHI
  • Credit card or payment details

Log Retention

  • Application logs: 30 days
  • Audit logs: 1 year

12. Penetration Testing

  • Infrastructure providers conduct regular penetration testing
  • Application security review conducted annually
  • Vulnerability disclosure: [email protected]

Contact Information

Security Inquiries: [email protected]

Data Protection Requests: [email protected]

BAA Requests: [email protected]

Document Control

Version   Date            Changes
1.0       December 2024   Initial release

2026 Bitebot. All rights reserved.