Security
Patient health data is sensitive by law and by ethics. These are the technical and organisational measures we use to protect it, and how to report a security concern.
Last updated · 11 June 2026
Encryption
- In transit — all traffic is TLS 1.2 or 1.3. HTTP Strict Transport Security (HSTS) is enforced with a two-year max-age and includeSubDomains.
- At rest — Postgres, file storage, and backups are encrypted at rest with AES-256 by our cloud provider (Supabase / AWS eu-west-2). Encryption keys are managed by AWS KMS.
- Passwords — Supabase Auth handles all passwords. They are hashed with bcrypt (cost 12) and we never see or store them in plaintext.
Access control
- Multi-tenant isolation by org. Every patient record is bound to a single organisation (GP practice). Server-side queries are scoped by org on every read and write; cross-tenant access is structurally impossible from the application layer.
- Role-based access. Three roles: super-admin (ops only), org admin (clinician), caregiver. A caregiver can only see patients they are explicitly assigned to. A family member can only see the patient whose circle they were invited into.
- Default-deny. A new account has zero data access until an org admin explicitly assigns it.
- Engineering access to production data is limited to named staff under multi-factor authentication. All admin actions are recorded in the audit log.
- Session management. Authentication uses Supabase Auth with JWTs; session tokens refresh every hour and are revocable. Custom JWT claims carry role and org so route-level checks do not require an extra database lookup per request.
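The rules above (org-scoped queries, three roles plus family circle membership, default-deny, role and org carried as JWT claims) can be expressed as a single read check. The block below is an added example written for this page, not code from the community-care.app project; the type names, function names, and sample patients and assignments are assumptions made for illustration. It assumes the claims object is the payload of a token whose signature Supabase Auth has already verified.

```typescript
// Added example (not the project's code): an org-scoped, default-deny read check
// built from the access rules listed above. Types, names and sample data are
// assumptions made for illustration.

type Role = "super-admin" | "org-admin" | "caregiver" | "family";

// Claims as they would appear in an already-verified JWT: role and org travel
// with the token, so the route handler needs no extra lookup to find the tenant.
interface Claims {
  sub: string;          // user id
  role: Role;
  org: string | null;   // organisation id; null for ops-only super-admins
}

interface Patient { id: string; org: string; }

// Constructed in-memory stand-ins for the assignment tables.
interface Assignments {
  caregiverPatients: Map<string, Set<string>>; // caregiver user id -> patient ids
  circleMembers: Map<string, Set<string>>;     // patient id -> invited family user ids
}

// Tenant boundary: the org scope is applied before any role logic runs.
function inTenant(claims: Claims, patient: Patient): boolean {
  return claims.org !== null && claims.org === patient.org;
}

function canReadPatient(claims: Claims, patient: Patient, a: Assignments): boolean {
  if (!inTenant(claims, patient)) return false;
  switch (claims.role) {
    case "org-admin":
      return true; // clinician: every patient of their own org
    case "caregiver":
      return a.caregiverPatients.get(claims.sub)?.has(patient.id) ?? false;
    case "family":
      return a.circleMembers.get(patient.id)?.has(claims.sub) ?? false;
    default:
      return false; // super-admin (ops only, no org) and anything unexpected: deny
  }
}

// Org-scoped listing: the org filter is applied first, then the per-role filter.
function visiblePatients(claims: Claims, db: Patient[], a: Assignments): string[] {
  return db.filter((p) => canReadPatient(claims, p, a)).map((p) => p.id);
}

// Constructed sample data: two practices, three patients.
const patients: Patient[] = [
  { id: "p1", org: "orgA" },
  { id: "p2", org: "orgA" },
  { id: "p3", org: "orgB" },
];
const assignments: Assignments = {
  // p3 belongs to another org: a stray assignment row must still be denied by the tenant check.
  caregiverPatients: new Map([["care1", new Set(["p1", "p3"])]]),
  circleMembers: new Map([["p2", new Set(["fam1"])]]),
};
const adminA: Claims = { sub: "adm1", role: "org-admin", org: "orgA" };
const care1: Claims = { sub: "care1", role: "caregiver", org: "orgA" };
const fam1: Claims = { sub: "fam1", role: "family", org: "orgA" };
const fresh: Claims = { sub: "new1", role: "caregiver", org: "orgA" }; // new account, nothing assigned yet
const ops: Claims = { sub: "ops1", role: "super-admin", org: null };

console.log(visiblePatients(adminA, patients, assignments)); // ["p1", "p2"]
console.log(visiblePatients(care1, patients, assignments));  // ["p1"]
console.log(visiblePatients(fresh, patients, assignments));  // []
```

The order of the checks is the point: the tenant comparison runs first and unconditionally, so a wrong or stale row in an assignment table can widen access only inside the caller's own organisation, never across it, and an unrecognised role or an account with no assignments falls through to deny.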
Audit log
Every create, update, delete, export, and erasure on patient data writes an immutable audit row containing actor, role, action, entity, before and after snapshots, IP address, user-agent, and request identifier. Audit rows are kept for 7 years. GPs can export the audit history for any of their patients via the in-app Export function.
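An audit row is only useful if the before/after snapshots reflect the record as it was at the time of the action and cannot be edited afterwards. The block below is an added example written for this page, not the project's code: an append-only log whose rows carry the fields listed above, with snapshots deep-copied and frozen, a per-patient export, and a 7-year retention check. Type names, the `AuditLog` class, and all sample values are assumptions.

```typescript
// Added example (not the project's code): an append-only audit log with
// deep-copied, frozen before/after snapshots. Names and sample values are
// assumptions made for illustration.

type AuditAction = "create" | "update" | "delete" | "export" | "erase";

interface AuditRow {
  readonly id: number;
  readonly at: string;           // ISO-8601 timestamp
  readonly actor: string;
  readonly role: string;
  readonly action: AuditAction;
  readonly entity: string;       // e.g. "patient:p1"
  readonly patientId: string;
  readonly before: unknown;      // snapshot, deep-copied and frozen
  readonly after: unknown;
  readonly ip: string;
  readonly userAgent: string;
  readonly requestId: string;
}

// 7 years of retention, counted as 365-day years (a simplifying assumption).
const RETENTION_MS = 7 * 365 * 24 * 60 * 60 * 1000;

function deepFreeze<T>(o: T): T {
  if (o !== null && typeof o === "object") {
    for (const v of Object.values(o as object)) deepFreeze(v);
    Object.freeze(o);
  }
  return o;
}

// Copy, then freeze: later edits to the live record cannot reach the snapshot,
// and nothing can edit the snapshot in place.
function snapshot<T>(value: T): T {
  return deepFreeze(JSON.parse(JSON.stringify(value ?? null)));
}

class AuditLog {
  private rows: AuditRow[] = [];

  // Append only: rows get a monotonic id and timestamp and are never updated.
  append(entry: Omit<AuditRow, "id" | "at">, now: Date = new Date()): AuditRow {
    const row: AuditRow = Object.freeze({
      ...entry,
      id: this.rows.length + 1,
      at: now.toISOString(),
      before: snapshot(entry.before),
      after: snapshot(entry.after),
    });
    this.rows.push(row);
    return row;
  }

  // Per-patient history, as an in-app export would produce it.
  exportForPatient(patientId: string): AuditRow[] {
    return this.rows.filter((r) => r.patientId === patientId);
  }

  // Only rows older than the retention window are eligible for deletion.
  expired(now: Date): AuditRow[] {
    return this.rows.filter((r) => now.getTime() - Date.parse(r.at) > RETENTION_MS);
  }
}

// Constructed sample: a clinician adds a medication to a patient record.
const log = new AuditLog();
const record = { id: "p1", name: "Sample Patient", meds: ["med-a"] };
const before = { ...record, meds: [...record.meds] };
record.meds.push("med-b");
const row = log.append({
  actor: "clin1",
  role: "org-admin",
  action: "update",
  entity: "patient:p1",
  patientId: "p1",
  before,
  after: record,
  ip: "203.0.113.5",                       // documentation-range address
  userAgent: "Mozilla/5.0 (constructed)",
  requestId: "req-0001",
});
record.meds.push("med-c"); // an edit after logging must not change the stored snapshot

console.log(JSON.stringify(row.after)); // meds: ["med-a","med-b"], not three entries
```

Passing `record` by reference without the copy is the classic defect here: the "after" snapshot would silently track every subsequent change to the live object, and the audit trail would no longer say what the record looked like at the time of the action.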
Data hosting
Our primary instance hosts data on Supabase in the London (AWS eu-west-2) region. Each customer organisation is logically isolated within a single multi-tenant Postgres database, with org-scoped queries enforced at the application layer on every read and write.
For data subjects in South Africa, hosting in London is a cross-border transfer; it is permitted under POPIA s.72(1)(a) because the United Kingdom provides a level of protection substantially similar to POPIA via the UK GDPR and the Data Protection Act 2018. That basis is supported by our written processing agreement with Supabase, which incorporates the standard contractual clauses together with the UK Information Commissioner's Addendum. For data subjects in the Philippines, the equivalent mechanism under section 21 of the Data Privacy Act and NPC Circular 16-02 applies.
Backups and recovery
- Automated daily encrypted Postgres backups with 7-day point-in-time recovery (PITR) via Supabase.
- Disaster recovery objective: RPO 24 hours, RTO 4 hours.
- A restore drill is scheduled before public launch and quarterly thereafter.
Vulnerability management
- Dependencies are scanned automatically; critical security advisories on `next`, `react`, `@prisma/client`, and the Supabase SDKs are patched within 48 hours of disclosure.
- Static analysis (TypeScript strict mode) and pre-merge automated tests gate every change.
- A pre-launch security review is conducted against OWASP and SOC 2 readiness checklists before public availability.
Breach notification
If we become aware of a personal data breach we will:
- Notify the relevant regulator within 72 hours (UK GDPR, PH DPA) or "as soon as reasonably possible" (POPIA s.22).
- Notify affected GP practices (data controllers) without undue delay, with the information needed for them to meet their own notification obligations.
- Notify affected data subjects directly where the breach is likely to result in a high risk to their rights or freedoms.
Our internal Breach Notification Policy and runbook are available to GP practice partners on request to security@community-care.app.
Vulnerability reporting
Found a security issue? Email security@community-care.app. Please do not publicly disclose until we've had a chance to investigate. We will acknowledge within 48 hours and provide a status update within 7 days. We do not currently run a paid bug bounty but recognise responsible disclosure on our security page.
Compliance framework
We design our handling of personal and patient data to align with:
- South Africa — Protection of Personal Information Act (POPIA), 2013
- United Kingdom — UK General Data Protection Regulation + Data Protection Act 2018
- Philippines — Data Privacy Act of 2012 (Republic Act 10173)
Privacy and compliance contact: privacy@community-care.app. Information Officer (POPIA, South Africa) and Data Protection Officer (Philippines Data Privacy Act) are registered with their respective regulators; appointed names are published here on confirmation. SOC 2 and ISO 27001 are on the post-launch roadmap; reports will be published here when available.
What we are not
- We are not a medical device. We do not make clinical decisions or interpret readings.
- We are not an emergency service. In an emergency call your local emergency number.