Security
Patient health data is sensitive by law and by ethics. These are the technical and organisational measures we use to protect it, and how to report a security concern.
Last updated · 11 June 2026
Encryption
- In transit — all traffic is TLS 1.2 or 1.3. HTTP Strict Transport Security (HSTS) is enforced with a two-year max-age and includeSubDomains.
- At rest — Postgres, file storage, and backups are encrypted at rest with AES-256 by our cloud provider (Supabase / AWS eu-west-2). Encryption keys are managed by AWS KMS.
- Passwords — Supabase Auth handles all passwords. They are hashed with bcrypt (cost 12) and we never see or store them in plaintext.
Access control
- Multi-tenant isolation by org. Every patient record is bound to a single organisation (GP practice). Server-side queries are scoped by org on every read and write; the application layer has no code path that reads or writes across organisations.
- Role-based access. Three roles: super-admin (ops only), org admin (clinician), caregiver. A caregiver can only see patients they are explicitly assigned to. Family members are not a staff role: a family member can only see the patient whose circle they were invited into.
- Default-deny. A new account has zero data access until an org admin explicitly assigns it.
- Engineering access to production data is limited to named staff under multi-factor authentication. All admin actions are recorded in the audit log.
- Session management. Authentication uses Supabase Auth with JWTs. Access tokens expire after one hour and are renewed with a refresh token. Revoking a session invalidates its refresh token; the current access token remains valid until it expires, at most one hour. Custom JWT claims carry role and org so route-level checks do not require an extra database lookup per request. The trade-off is that a role change or de-assignment is not reflected in an already-issued token until it is refreshed, so revoking the session is the way to make such a change take effect immediately.
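The route-level check described above, as an added example (this is illustrative code, not the application's own). It assumes the legacy Supabase arrangement of HS256 tokens signed with a shared project secret, and the claim names `org_id` and `role`, the role strings, and the route shape are all assumptions. The check pins the algorithm, verifies the signature in constant time, rejects expired tokens (which is what bounds how long stale claims survive), refuses any org mismatch between URL and token, and falls back to an explicit assignment lookup for caregivers and family members so that a valid token alone never grants patient access.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed claim layout. The page says only that role and org are custom claims;
// the claim names, role strings and the "family" role value here are hypothetical.
type Role = "super-admin" | "org-admin" | "caregiver" | "family";
interface SessionClaims {
  sub: string;     // user id
  exp: number;     // expiry, seconds since epoch
  role: Role;
  org_id: string;  // tenant the session belongs to
}

const toB64url = (b: Buffer): string => b.toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

// Mint a compact HS256 JWT. Used here only to build sample tokens offline;
// in production the identity provider issues the token.
export function signHS256(payload: object, secret: string, alg = "HS256"): string {
  const header = toB64url(Buffer.from(JSON.stringify({ alg, typ: "JWT" })));
  const body = toB64url(Buffer.from(JSON.stringify(payload)));
  const sig = createHmac("sha256", secret).update(`${header}.${body}`).digest();
  return `${header}.${body}.${toB64url(sig)}`;
}

// Verify signature and expiry. Returns the claims, or null on any failure.
// The algorithm is pinned to HS256: a token whose header says "none" or an
// asymmetric alg is rejected before the signature is even looked at.
export function verifyHS256(
  token: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): SessionClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header: { alg?: unknown };
  try { header = JSON.parse(fromB64url(h).toString("utf8")); } catch { return null; }
  if (!header || typeof header !== "object" || header.alg !== "HS256") return null;
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = fromB64url(s);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: Partial<SessionClaims>;
  try { claims = JSON.parse(fromB64url(p).toString("utf8")); } catch { return null; }
  if (!claims || typeof claims !== "object") return null;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null; // stale claims die with the token
  if (typeof claims.sub !== "string" || typeof claims.org_id !== "string" ||
      typeof claims.role !== "string") return null;
  return claims as SessionClaims;
}

export type Decision = "allow" | "deny";

// Route-level check for a hypothetical GET /orgs/:org/patients/:patient.
// `assignments` holds the patient ids this actor is explicitly assigned to,
// loaded from the database for caregivers and family members.
export function authorize(
  claims: SessionClaims | null,
  routeOrg: string,
  patientId: string,
  assignments: ReadonlySet<string>,
): Decision {
  if (!claims) return "deny";                     // no valid session
  if (claims.org_id !== routeOrg) return "deny";  // tenant isolation: org in URL must match org in token
  switch (claims.role) {
    case "org-admin":
      return "allow";                             // clinician admin sees every patient in their own org
    case "caregiver":
    case "family":
      return assignments.has(patientId) ? "allow" : "deny"; // default-deny until explicitly assigned
    default:
      return "deny";                              // super-admin (ops only) and unknown roles: no clinical routes (assumption)
  }
}

// Constructed sample sessions, not production data.
export function demo() {
  const secret = "constructed-demo-secret";
  const now = 1_700_000_000;
  const admin = signHS256({ sub: "u1", exp: now + 3600, role: "org-admin", org_id: "org-1" }, secret);
  const carer = signHS256({ sub: "u2", exp: now + 3600, role: "caregiver", org_id: "org-1" }, secret);
  const expired = signHS256({ sub: "u2", exp: now - 1, role: "caregiver", org_id: "org-1" }, secret);
  // Forgery attempt: header says alg "none", signature omitted.
  const [h, p] = signHS256({ sub: "u9", exp: now + 3600, role: "org-admin", org_id: "org-1" }, secret, "none").split(".");
  const algNone = `${h}.${p}.`;
  const carerPatients = new Set<string>(["p-1"]);
  const none = new Set<string>();
  return {
    adminOwnOrg: authorize(verifyHS256(admin, secret, now), "org-1", "p-7", none),            // allow
    adminOtherOrg: authorize(verifyHS256(admin, secret, now), "org-2", "p-7", none),          // deny
    carerAssigned: authorize(verifyHS256(carer, secret, now), "org-1", "p-1", carerPatients), // allow
    carerUnassigned: authorize(verifyHS256(carer, secret, now), "org-1", "p-2", carerPatients), // deny
    expiredToken: authorize(verifyHS256(expired, secret, now), "org-1", "p-1", carerPatients), // deny
    algNoneForgery: authorize(verifyHS256(algNone, secret, now), "org-1", "p-7", none),       // deny
  };
}
```

The `now` parameter is there so the expiry check can be exercised deterministically; in a real handler it is omitted and the clock is used. Note that `assignments` is the one place this check does hit the database, which is deliberate: org and role are cheap to carry in the token, but per-patient assignment changes should take effect immediately rather than at the next token refresh.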
Audit log
Every create, update, delete, export, and erasure on patient data writes an immutable audit row containing actor, role, action, entity, before and after snapshots, IP address, user-agent, and request identifier. Audit rows are kept for 7 years. GPs can export the audit history for any of their patients via the in-app Export function.
Data hosting
Our primary instance hosts data on Supabase in the London (AWS eu-west-2) region. Each customer organisation is logically isolated within a single multi-tenant Postgres database; physically isolated instances, including in other regions, are available on enterprise plans.
For data subjects in South Africa, hosting in London is a transfer outside the Republic under POPIA s.72. The basis we rely on is s.72(1)(a): our written processing agreement with Supabase, which incorporates the European Commission's standard contractual clauses, binds the recipient to a level of protection substantially similar to POPIA's conditions for lawful processing. For data subjects in the Philippines, the equivalent mechanism under NPC Circular 16-02 applies.
Backups and recovery
- Automated daily encrypted Postgres backups with 7-day point-in-time recovery (PITR).
- Disaster recovery objective: RPO 24 hours, RTO 4 hours. The RPO is a worst-case commitment; PITR allows restoring to a chosen point within the 7-day window, so the achievable data loss is normally far smaller.
- Restore is tested at least quarterly against staging.
Vulnerability management
- Dependencies are scanned automatically; critical security advisories on `next`, `react`, `@prisma/client`, and the Supabase SDKs are patched within 48 hours of disclosure.
- TypeScript strict-mode type checking and pre-merge automated tests gate every change.
- A pre-launch security review by an independent reviewer is conducted before public availability.
Breach notification
If we become aware of a personal data breach we will:
- Notify the relevant regulator within 72 hours (UK GDPR, PH DPA) or "as soon as reasonably possible" (POPIA s.22).
- Notify affected GP practices (data controllers) without undue delay, with the information needed for them to meet their own notification obligations.
- Notify affected data subjects directly where the breach is likely to result in a high risk to their rights or freedoms.
Our internal Breach Notification Policy and runbook are available to GP practice partners on request to security@community-care.app.
Vulnerability reporting
Found a security issue? Email security@community-care.app. Please do not disclose publicly until we have had a chance to investigate. We will acknowledge within 48 hours and provide a status update within 7 days. We do not currently run a paid bug bounty, but we credit responsible disclosures on this page.
Compliance framework
We design our handling of personal and patient data to align with:
- South Africa — Protection of Personal Information Act (POPIA), 2013
- United Kingdom — UK General Data Protection Regulation + Data Protection Act 2018
- Philippines — Data Privacy Act of 2012 (Republic Act 10173)
Privacy and compliance contact: privacy@community-care.app. Information Officer (POPIA, South Africa) and Data Protection Officer (Philippines Data Privacy Act) are registered with their respective regulators; appointed names are published here on confirmation. SOC 2 and ISO 27001 are on the post-launch roadmap; reports will be published here when available.
What we are not
- We are not a medical device. We do not make clinical decisions or interpret readings.
- We are not an emergency service. In an emergency call your local emergency number.