Last updated: July 2026
HIPAA posture
- PHI masking at ingestion: Safe-Harbor identifiers (names, DOB, MRN,
account, SSN, phone, email) are masked before display or model access. Only masked text is
stored in the working database.
- Minimum necessary: role-based access — coders see only their queue;
supervisors their pod; client data is workspace-isolated (cross-workspace access returns 404,
never confirming existence).
- Audit trail: every case action (view context, allocation, edit, submit,
escalate, dunback) is an append-only event with actor and timestamp, retained 6 years.
Application security
- TLS enforced in production (HSTS, secure cookies).
- Session timeout after 8 hours; sessions end at browser close.
- Password policy: minimum 10 characters, common-password and similarity checks.
- CSRF protection on every state-changing request; clickjacking denied; content-type sniffing disabled.
- LLM calls: masked text only, keys held in environment configuration, never logged.
GDPR
We act as processor for client workspaces. Standard contractual clauses and DPAs available.
Analytics load only after explicit cookie consent; IPs anonymized.
Responsible disclosure
Report vulnerabilities to founders@powersmy.biz.