Security & Compliance
How we protect your patients' data
HIPAA Compliance
Patient Recall is designed to meet HIPAA requirements for protected health information (PHI):
- Business Associate Agreements (BAA) — Available for all paid plans upon request
- Access Controls — Role-based permissions, secure authentication, automatic session timeouts
- Audit Logging — Complete audit trail of all data access and modifications
- Data Isolation — Multi-tenant architecture ensures complete separation between clinics
Encryption
Data at Rest
All patient data is encrypted using AES-256 (Fernet) encryption before storage. Encryption keys are managed separately and rotated regularly.
Data in Transit
All connections use TLS 1.3 encryption. We enforce HTTPS on all endpoints and use HSTS headers to prevent downgrade attacks.
Infrastructure
- Hosted on Railway — Enterprise-grade infrastructure with 99.9% uptime SLA
- PostgreSQL Database — Managed database with automated daily backups and point-in-time recovery
- US Data Residency — All data stored exclusively in United States data centers
- Regular Security Updates — Dependencies and infrastructure patched continuously
Application Security
- CSRF Protection — All forms protected against cross-site request forgery
- Rate Limiting — Protection against brute-force and denial-of-service attacks
- Secure Session Management — HTTP-only cookies, secure flag, same-site protection
- Input Validation — All user input sanitized and validated server-side
Questions about security?
Our team is happy to discuss our security practices in detail or provide documentation for your compliance review.