P
PPHrisk

Security & Vulnerability Disclosure

Last updated: June 5, 2026. Effective: June 5, 2026.

We take security of clinical software seriously and welcome reports from security researchers, healthcare IT teams, and users. This page summarizes our security posture and tells you how to report a vulnerability responsibly.

Report a vulnerability

Primary contact: security@pphrisk.com

Please include the following in your report so we can act quickly:

Encrypted submission: if you require encryption, request our PGP key at the email above and we will respond with the current key.

Our commitment to researchers

We commit to:

Scope

In scope:

Out of scope:

Safe-harbor rules

Acting in good faith means:

Security posture

DomainPosture
Transport encryptionTLS 1.3 enforced at edge (Vercel CDN). HSTS preload-eligible. No mixed content.
AuthenticationPasswordless: Supabase Auth issues a one-time 6–10 digit code via email. No plaintext passwords are stored. Sessions are JWT-based and time-bound.
SMART-on-FHIR launchOAuth 2.0 Authorization Code with PKCE. Public client (no client secret). Read-only patient-scoped scopes. No offline_access. Token stored only in browser sessionStorage; destroyed on tab close.
Database accessPostgres on Supabase with Row Level Security enabled on every team table. Access gated by an institutional email-domain whitelist evaluated server-side at policy time.
PHI storageNone. Patient name, MRN, date of birth, address, and phone are never transmitted to or stored on Epigenuity-controlled infrastructure. See the Privacy Policy.
De-identified data storageEncrypted at rest (Supabase standard). Bound to team email domain. Soft-delete via archived_at; hard-delete on request.
LoggingVercel edge access logs retained 30 days. Supabase auth/PostgREST logs retained per Supabase defaults. No PHI in logs because no PHI is processed server-side.
DependenciesMinimal third-party JS: Tailwind CDN, Supabase JS SDK, fhirclient (SMART). All loaded over HTTPS. Subresource Integrity to be added in next maintenance window.
BackupsSupabase daily automated backups, 7-day retention; longer retention available on paid plan as we scale.
Account separationSingle-tenant Supabase project today; multi-tenant isolation via RLS and a planned per-tenant schema once usage warrants.
Patch managementDependency updates reviewed weekly; security updates applied within 7 days of CVE publication.
SOC 2SOC 2 Type II report in progress; estimated completion Q1 2027. Available under NDA after that.

Architecture summary

For technical reviewers, the SMART-on-FHIR architecture is documented in SMART_DEPLOY.md. Key invariants:

Reporting a privacy incident

If you believe Epigenuity has handled personal information in a manner that violates our Privacy Policy, contact privacy@pphrisk.com. For HIPAA-related concerns, contact hipaa@pphrisk.com.

Hall of fame

We thank researchers who have responsibly disclosed issues to us. (List currently empty — be the first.)

PPHrisk is a product of Epigenuity LLC.