Trust & Security

Security at OpsSight

OpsSight processes Protected Health Information for EMS agencies across the country. We treat security and privacy as foundational requirements, not afterthoughts. This page documents exactly what we do to protect your agency's data.

Infrastructure Security

OpsSight is built on enterprise-grade infrastructure with independent third-party security certifications. We do not operate our own data centers — we rely on cloud providers that have invested heavily in physical and logical security controls.

Vercel — SOC 2 Type II

Application hosting and serverless compute. Vercel holds an active SOC 2 Type II certification covering security, availability, and confidentiality.

Supabase — SOC 2 Type II + ISO 27001

Database, authentication, and file storage. Supabase holds both SOC 2 Type II and ISO 27001 certifications. Data is stored on AWS us-east-1 (US region).

AES-256 Encryption at Rest

All data stored in Supabase is encrypted at rest using AES-256. Stored credentials (e.g., email ingestion keys) use AES-256-GCM encryption applied at the application layer.

TLS 1.2+ Encryption in Transit

All data in transit is encrypted using TLS 1.2 or higher. Plain HTTP connections are automatically redirected to HTTPS.

US-Only Data Residency

All data is stored exclusively in US-based data centers (AWS us-east-1). No agency data is replicated or stored outside the United States.

Infrastructure Isolation

Each environment (production, staging) is fully isolated. Production databases are not accessible from staging or development environments.

Application Security

Security controls are applied at every layer of the application, from authentication through to database queries.

JWT-Validated Authentication

All server-side requests validate sessions using Supabase Auth's getUser() — cryptographic JWT verification on every request, not session cache lookups.

Role-Based Access Control

Two roles per agency: Admin and Viewer. Write operations (imports, config changes, data edits) require Admin. All role checks use UPPERCASE enum values enforced at the API layer.

Agency-Scoped Multi-Tenancy

Every database query is filtered by agency_id. It is architecturally impossible for one agency to read or modify another agency's data.

CSRF Protection

All mutating API endpoints (POST, PUT, DELETE) validate Origin and Referer headers to prevent cross-site request forgery attacks.
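The Origin/Referer check described above, written out as an added example in Node.js (this is illustrative code, not OpsSight's implementation). The allow-list of trusted site origins is assumed to come from configuration; the small headersFrom helper stands in for a framework's request headers so the block runs on its own.

```javascript
// Added example, not OpsSight's code: Origin/Referer validation for mutating
// requests. The allow-list of trusted site origins is supplied by the caller
// (assumed to come from configuration, never from the request itself).
const MUTATING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Tiny case-insensitive header lookup so the block runs without a web framework.
function headersFrom(obj) {
  const lower = Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
  return { get: name => (name.toLowerCase() in lower ? lower[name.toLowerCase()] : null) };
}

// Reduce a header value to its origin ("https://host[:port]"), or null when it
// is absent, the literal "null", or not a parseable http(s) URL.
function originOf(value) {
  if (!value) return null;
  try {
    const url = new URL(value);
    return url.protocol === 'https:' || url.protocol === 'http:' ? url.origin : null;
  } catch {
    return null;
  }
}

// Returns { ok: true } or { ok: false, reason }. Safe methods pass. For a
// mutating request the Origin header, when present, must match exactly; only
// when it is absent does the Referer's origin count. A request carrying
// neither header is refused: browsers send at least one for cross-site form
// posts and fetch() calls, so their absence is not an innocent case.
function checkCsrf(method, headers, allowedOrigins) {
  if (!MUTATING_METHODS.has(method.toUpperCase())) return { ok: true };
  const allowed = new Set(allowedOrigins.map(originOf).filter(Boolean));
  const originHeader = headers.get('origin');
  if (originHeader !== null) {
    return allowed.has(originOf(originHeader))
      ? { ok: true }
      : { ok: false, reason: 'origin-mismatch' };
  }
  const refererOrigin = originOf(headers.get('referer'));
  if (refererOrigin !== null) {
    return allowed.has(refererOrigin)
      ? { ok: true }
      : { ok: false, reason: 'referer-mismatch' };
  }
  return { ok: false, reason: 'missing-origin' };
}
```

The comparison is on the parsed origin, not a string prefix, so a look-alike host such as app.example.evil.example is rejected; the reason codes are intended for the audit log, not for the client response.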

Rate Limiting

Authentication endpoints are limited to 5 requests per 15 minutes. API endpoints have separate rate limits enforced via distributed PostgreSQL-backed counters.

Security Headers

All routes — including API routes — serve a hardened set of HTTP security headers including X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

Safe Error Handling

API error responses never expose stack traces, internal error messages, or implementation details to clients. All errors are routed through a safe error handler before responding.

Timing-Safe Comparisons

Secret comparisons (API keys, cron secrets, webhook signatures) use constant-time comparison functions to prevent timing-based secret extraction attacks.

Data Protection

Data protection is enforced at the architectural level — controls that can't be misconfigured or accidentally bypassed.

Hard Agency Isolation

Agency isolation is enforced at the query level via Prisma ORM. Every query includes agency_id as a filter condition — not just access control logic that could be forgotten.

Minimum Necessary Data Access

All Prisma queries use field projections (select) — only the specific fields needed for each operation are fetched. The full 90-field Incident record is never fetched unless explicitly required.
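To make the two preceding points concrete (the agency_id filter on every query and the select projection), here is an added example in Node.js. It is not OpsSight's code: it models Prisma's { where, select } argument shape as plain objects and runs against a constructed in-memory table, so it works offline. The table and field names (incident, agencyId, unit, disposition) are assumptions.

```javascript
// Added example, not OpsSight's code. Prisma-style arguments are built by one
// function that always carries the agency filter and always requires a
// projection, then executed against a constructed in-memory table.

// Build query arguments that cannot escape the agency scope. The caller may add
// other conditions but cannot replace agencyId, and must name the fields it
// needs (minimum necessary) instead of fetching whole rows.
function scopedArgs(agencyId, args = {}) {
  if (typeof agencyId !== 'string' || agencyId === '') {
    throw new Error('agencyId is required');
  }
  if (args.where && 'agencyId' in args.where && args.where.agencyId !== agencyId) {
    throw new Error('caller may not override the agency scope');
  }
  if (!args.select || !Object.values(args.select).some(Boolean)) {
    throw new Error('a select projection is required');
  }
  if (args.include) {
    throw new Error('use select, not include, so related rows are projected too');
  }
  return { ...args, where: { ...(args.where || {}), agencyId } };
}

// Constructed sample rows standing in for the Incident table.
const INCIDENTS = [
  { id: 'inc-1', agencyId: 'agency-A', unit: 'M1', patientName: 'Jane Doe', disposition: 'Transport' },
  { id: 'inc-2', agencyId: 'agency-A', unit: 'M2', patientName: 'John Roe', disposition: 'Refusal' },
  { id: 'inc-3', agencyId: 'agency-B', unit: 'M1', patientName: 'Ann Poe', disposition: 'Transport' },
];

// Minimal findMany over an array: apply every where-clause equality, then project.
function findMany(table, { where, select }) {
  return table
    .filter(row => Object.entries(where).every(([k, v]) => row[k] === v))
    .map(row => Object.fromEntries(
      Object.entries(select).filter(([, on]) => on).map(([k]) => [k, row[k]])
    ));
}

// The shape an API handler would call. The agency id comes from the validated
// session, never from the request body or query string.
function listIncidents(sessionAgencyId, extraWhere = {}) {
  const args = scopedArgs(sessionAgencyId, {
    where: extraWhere,
    select: { id: true, unit: true, disposition: true },
  });
  return findMany(INCIDENTS, args);
}
```

Because every handler goes through scopedArgs, a forgotten filter or a body-supplied agency id is an error at build time rather than a silent cross-tenant read, and the projection keeps PHI columns such as patientName out of responses that do not need them.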

Comprehensive Audit Logging

All data access and mutations are logged with actor, timestamp, agency, and operation type. Audit logs are retained for 6 years in compliance with HIPAA retention requirements.

Encrypted Credential Storage

Agency integration credentials (email ingestion keys, webhook secrets) are encrypted with AES-256-GCM before storage. Encryption keys are stored as environment secrets, not in the database.

Session Management

Sessions are managed by Supabase Auth with configurable timeout. Sessions are invalidated on logout and expire automatically on inactivity.

Webhook Signature Verification

Inbound webhooks (Resend email ingestion) are validated using HMAC signature verification. Requests without valid signatures are rejected before any processing occurs.

HIPAA Compliance

EMS run data contains Protected Health Information. OpsSight is designed and operated as a HIPAA-compliant Business Associate. Here is exactly how we handle PHI.

Business Associate Agreement

OpsSight operates as a HIPAA Business Associate for all agency customers. A signed Business Associate Agreement (BAA) is available and required before any PHI is processed. Contact us to obtain a BAA before beginning data imports.

Safe Harbor De-identification

Before any data is sent to external AI services, OpsSight applies HIPAA Safe Harbor de-identification — all 18 Safe Harbor identifiers are redacted from the data.

18 Identifiers Redacted

Names, dates (except year), geographic data below state level, phone numbers, fax numbers, email addresses, SSNs, medical record numbers, health plan numbers, account numbers, certificate numbers, VIN numbers, device identifiers, URLs, IP addresses, biometric identifiers, photos, and unique identifying numbers.

PHI Never Sent to AI in Identifiable Form

The AI processing pipeline only ever receives de-identified operational data. PHI is redacted before the API call and rehydrated after — Anthropic never sees a patient's name, date of birth, or other identifying information.

6-Year Audit Retention

All data access events are logged with actor, timestamp, and operation. Logs are retained for 6 years, meeting HIPAA's required retention period for business associate records.

Minimum Necessary Standard

API queries and UI requests only fetch and display the minimum data fields required for the operation being performed — consistent with HIPAA's minimum necessary standard.

Breach Notification Procedures

OpsSight maintains breach notification procedures per HIPAA requirements. In the event of a suspected breach, we will notify affected agencies within the required 60-day window.

AI Data Processing

OpsSight uses AI to handle novel CAD and PCR file formats that don't match known templates. Here is a precise description of what is sent, when, and to whom.

The AI Processing Pipeline

  1. File is uploaded and parsed locally on OpsSight infrastructure
  2. HIPAA Safe Harbor de-identification runs — all 18 identifiers stripped or replaced with tokens
  3. De-identified operational data + agency context (unit names, station names) sent to Anthropic Claude API
  4. Anthropic returns structured field mappings — no PHI ever reaches Anthropic's systems
  5. OpsSight rehydrates the original PHI values back into the structured output using a local lookup table
  6. Template is saved locally — all future imports of the same format are processed entirely on OpsSight infrastructure at $0 cost and with no external API calls
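Steps 2 and 5 of the pipeline, and the identifier list under HIPAA Compliance, as an added Node.js example (not OpsSight's code). It tokenises a subset of the 18 Safe Harbor identifiers in one parsed row, keeps the token-to-value table locally, checks the payload for residual identifiers before it would leave the infrastructure, and restores the values afterwards. The column names, regular expressions and sample row are constructed assumptions; a production redactor needs a fuller, tested catalogue covering all 18 categories.

```javascript
// Added example, not OpsSight's code. Pattern-based identifiers found
// anywhere in a value (a constructed subset of the 18 Safe Harbor categories).
const PATTERNS = [
  ['EMAIL', /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  ['SSN',   /\b\d{3}-\d{2}-\d{4}\b/g],
  ['PHONE', /\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b/g],
  ['IP',    /\b(?:\d{1,3}\.){3}\d{1,3}\b/g],
  ['DATE',  /\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}\/\d{1,2}\/\d{4})\b/g],
];

// Columns whose whole value is PHI regardless of pattern (assumed header names).
const PHI_COLUMNS = new Set(['patient_name', 'patient_dob', 'patient_address', 'mrn']);

const TOKEN_RE = /\[\[[A-Z]+_\d+\]\]/g;

// Returns the de-identified row plus the lookup table, which stays on local
// infrastructure. Tokens are numbered, not hashed, so nothing about the value
// can be inferred from the token itself.
function deidentifyRow(row) {
  const lookup = new Map();
  let n = 0;
  const tokenFor = (kind, value) => {
    const token = `[[${kind}_${++n}]]`;
    lookup.set(token, value);
    return token;
  };
  const out = {};
  for (const [column, raw] of Object.entries(row)) {
    if (raw === null || raw === undefined || raw === '') { out[column] = raw; continue; }
    const value = String(raw);
    if (PHI_COLUMNS.has(column.toLowerCase())) { out[column] = tokenFor('PHI', value); continue; }
    let scrubbed = value;
    for (const [kind, re] of PATTERNS) scrubbed = scrubbed.replace(re, m => tokenFor(kind, m));
    out[column] = scrubbed;
  }
  return { row: out, lookup };
}

// Guard run on the payload just before the external call: list any values that
// still match an identifier pattern. An empty result is required to proceed.
function residualIdentifiers(row) {
  const hits = [];
  for (const [column, value] of Object.entries(row)) {
    if (typeof value !== 'string') continue;
    for (const [kind, re] of PATTERNS) {
      for (const m of value.match(re) || []) hits.push({ column, kind, match: m });
    }
  }
  return hits;
}

// Rehydrate one string, or every string in a row, from the local lookup table.
function rehydrateText(text, lookup) {
  return text.replace(TOKEN_RE, tok => (lookup.has(tok) ? lookup.get(tok) : tok));
}
function rehydrateRow(row, lookup) {
  return Object.fromEntries(Object.entries(row).map(([k, v]) =>
    [k, typeof v === 'string' ? rehydrateText(v, lookup) : v]));
}

// Constructed sample row from a hypothetical PCR export.
const SAMPLE_ROW = {
  incident_id: 'INC-1001',
  unit: 'M1',
  patient_name: 'Jane Doe',
  patient_dob: '1980-04-02',
  dispatch_time: '2024-03-15 14:32',
  caller_phone: '(555) 123-4567',
  notes: 'Contact jane.doe@example.com; pt states SSN 123-45-6789',
  chief_complaint: 'Chest pain',
};
```

Two design points carry over to any real redactor: free-text columns such as notes must be scanned for patterns even when they are not PHI columns by name, and the residualIdentifiers check should be a hard gate on the outbound call, logged with the import ID so the audit trail records what was sent.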

Most Imports Use Zero AI

After the first AI-assisted import of a given file format, OpsSight learns the template and all subsequent imports of the same format are processed deterministically with no external API calls.

Anthropic Does Not Train on API Data

Anthropic's commercial API terms explicitly prohibit using API inputs to train models. Data sent to the Claude API is not retained or used for model training.

AI Processes Only Operational Data

The AI receives column headers and de-identified field values sufficient to understand the file's structure. It never receives patient names, dates of birth, or other PHI.

Full Audit Trail on AI-Assisted Imports

Every AI-assisted import is logged in the audit trail with the import ID, timestamp, and agency. You can identify exactly which imports used AI processing.

Subprocessors

The following third-party service providers process or store data on behalf of OpsSight. We vet each provider for security certifications and data residency before onboarding them.

Provider     Data Location
Supabase     US (AWS us-east-1)
Vercel       US
Anthropic    US
Resend       US
Sentry       US

Responsible Disclosure

We welcome security researchers who responsibly identify vulnerabilities in OpsSight. If you believe you've found a security issue, please contact us before disclosing publicly — we will work with you on a fix timeline.

  • We acknowledge all reports within 48 hours
  • We will provide an estimated fix timeline after triage
  • We will notify you when the issue has been resolved
  • We will not take legal action against researchers who act in good faith and follow responsible disclosure practices
  • We ask that you do not access, modify, or exfiltrate agency data beyond what is needed to demonstrate the vulnerability

Compliance Roadmap

We are transparent about where we are in our compliance journey. Below is the current state and what is planned.

HIPAA Business Associate

BAAs available for all agency customers. Required before data processing begins.

Status: Available

Infrastructure SOC 2 Type II

All infrastructure subprocessors (Supabase, Vercel, Anthropic, Resend, Sentry) hold active SOC 2 Type II certifications.

Status: Available

OpsSight Platform SOC 2 Type II

Direct SOC 2 Type II certification for the OpsSight platform itself. Planned as the customer base grows.

Status: On Roadmap

Penetration Testing

Third-party penetration test of the OpsSight application and infrastructure. Planned.

Status: On Roadmap

HITRUST CSF

Healthcare-specific security framework. Under evaluation — will be pursued if required by large agency or health system customers.

Status: Under Evaluation

Questions about security?

If you have questions about our security practices, BAA requests, or compliance documentation, we are happy to provide additional detail.

security@opssight.io