Security

Last updated: May 28, 2026

This page is for IT administrators and procurement teams evaluating EquaSched. It describes our security posture, certifications, and infrastructure.

Certifications

SOC 2 Type II — audit in progress

EquaSched is preparing for SOC 2 Type II certification covering the Security, Availability, and Confidentiality trust service criteria. Report expected Q2 2027. If your procurement process requires a current SOC 2 report, contact us — we can provide our readiness documentation and share our audit timeline.

SOC 2 Type II (infrastructure) — Supabase

Our database provider, Supabase, holds SOC 2 Type II certification. Customer data at rest is stored in Supabase on AWS US East (N. Virginia).

PCI-DSS (payments) — Paddle

Payments are processed by Paddle (Merchant of Record), which is PCI-DSS Level 1 certified. EquaSched never handles or stores card data.

Access Control

Row-Level Security (RLS) — database enforced

Multi-tenant isolation is enforced at the PostgreSQL level via RLS policies. One clinic cannot access another clinic's data even if the application layer were misconfigured. Verified by independent security audit (May 2026).

Role-based access control (RBAC)

Two roles, admin and staff, carry distinct permissions. Staff members see only their own shift assignments; admins manage the full clinic schedule.

SSO / SAML — Enterprise roadmap (Q1 2027)

Single sign-on via SAML 2.0 / OIDC (Okta, Azure AD, Google Workspace) is planned for the Enterprise tier in Q1 2027. If SSO is required for your procurement, contact us to discuss timeline and early access.

JWT authentication with short-lived tokens

All API requests require a signed JWT. Tokens expire and refresh automatically. Supabase Auth handles token issuance; JWTs are verified on every backend request.

Application Security

DLP / PHI pattern detection

All free-text inputs (staff notes, shift descriptions) are scanned for PHI patterns (MRN, SSN, DOB, ICD-10 codes, patient name + diagnosis combinations) before storage. Inputs containing detected PHI are rejected with HTTP 422 and an explanatory message.
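An added example of the kind of pre-storage scan described above (not EquaSched's code; the product's actual pattern set is not published). The regular expressions for MRN, SSN, DOB and ICD-10 codes, the name-plus-diagnosis heuristic and the sample inputs are all constructed for the example.

```python
import re

# Added illustration. These patterns are assumptions, not EquaSched's rule set.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    # ICD-10 shape: one letter, two digits, optional dot plus up to four characters (e.g. J45.20)
    "icd10": re.compile(r"\b[A-Z]\d{2}(?:\.[0-9A-Z]{1,4})?\b"),
}
# Two capitalised words in a row, used together with a diagnosis keyword
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")
DIAGNOSIS_RE = re.compile(r"\b(?:diagnos(?:is|ed)|dx)\b", re.IGNORECASE)


def detect_phi(text: str) -> list[str]:
    """Return the names of every PHI pattern found in the text, in a fixed order."""
    found = [name for name, rx in PHI_PATTERNS.items() if rx.search(text)]
    # A name alone is not PHI in a staffing note; a name next to a diagnosis is.
    if NAME_RE.search(text) and DIAGNOSIS_RE.search(text):
        found.append("name+diagnosis")
    return found


def validate_free_text(text: str) -> tuple[int, dict]:
    """Decision for one free-text field: 200 to store it, 422 to reject it."""
    hits = detect_phi(text)
    if hits:
        # Name the pattern class, never echo the matched value back to the client.
        return 422, {"error": "input appears to contain PHI", "patterns": hits}
    return 200, {"ok": True}


if __name__ == "__main__":
    # Constructed sample notes
    for note in (
        "Covering the evening shift, page me if ICU is short",
        "Pt MRN 12345678 moved to bed 4",
        "Follow up with John Smith, diagnosed with J45.20",
    ):
        print(validate_free_text(note))
```

The rejection message deliberately reports the pattern class rather than the matched text, so the 422 response itself cannot leak the value. Pattern matching of this kind is a heuristic: a label such as a room number can collide with the ICD-10 shape, and PHI written without any recognisable identifier will pass, so a scan like this complements RLS and RBAC rather than replacing them.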

Rate limiting on all endpoints

All API endpoints are rate-limited (120 req/min general, stricter limits on authentication and bulk import). Implemented via slowapi / Redis token bucket.

Bot protection at signup (Cloudflare Turnstile)

Account creation is protected by Cloudflare Turnstile, a privacy-preserving challenge that does not use tracking cookies. Disposable email domains are blocked.

Security headers

HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy are set on all responses. CSP is configured to restrict script sources.
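An added checker (not EquaSched code) that a reviewer can run over a response's headers to confirm the baseline listed above is actually present and not weakened: HSTS with a one-year `max-age` and `includeSubDomains`, a framing restriction, `nosniff`, a Referrer-Policy, and a CSP whose script sources exclude `'unsafe-inline'`, `'unsafe-eval'` and `*`. The thresholds and both sample header sets are constructed for the example.

```python
import re

# Added audit helper; the header sets below are constructed samples.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "content-security-policy",
)
ONE_YEAR = 31_536_000  # seconds; assumed minimum HSTS max-age for this check


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split 'a b; c d e' into {'a': ['b'], 'c': ['d', 'e']}."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED_HEADERS if name not in h]

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("hsts max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts lacks includeSubDomains")

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options not DENY/SAMEORIGIN")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("x-content-type-options not nosniff")

    csp = h.get("content-security-policy")
    if csp is not None:
        directives = parse_csp(csp)
        # script-src falls back to default-src when absent
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append("csp has neither script-src nor default-src")
        else:
            lowered = [v.lower() for v in script_src]
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if bad in lowered:
                    findings.append(f"csp script sources allow {bad}")
    return findings


# Constructed samples: one that meets the baseline and one that does not.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    print(audit_security_headers(GOOD_HEADERS))
    print(audit_security_headers(WEAK_HEADERS))
```

In practice the input dict comes from the headers of a live response (for instance the output of a HEAD request to the application's origin), and the check is worth repeating after every deployment, since a CDN or framework upgrade can silently drop or loosen one of these headers.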

Independent security audit (May 2026)

An independent security review identified 2 critical and 4 high-severity findings (IDOR, missing rate limits). All findings were remediated and verified before launch. Audit report available under NDA on request.

Infrastructure

EquaSched infrastructure components
Component           | Provider              | Region                  | Certifications
Frontend hosting    | Vercel                | Global CDN (US primary) | SOC 2 Type II (Pro+)
Database            | Supabase (PostgreSQL) | US East (N. Virginia)   | SOC 2 Type II
Backend API         | Hostinger VPS         | US (Ashburn, VA)        | ISO 27001
CDN / DNS / DDoS    | Cloudflare            | Global                  | SOC 2 Type II, ISO 27001
Transactional email | Resend                | US                      | SOC 2 Type II
Payments            | Paddle                | Global                  | PCI-DSS Level 1

Uptime & SLA

99.5% uptime target (formal SLA: Enterprise roadmap)

We target 99.5% monthly uptime. A formal SLA with financial remedies is planned for the Enterprise tier in Q3 2026. Enterprise customers can request a draft SLA addendum before general availability.

Breach notification within 72 hours

We will notify affected customers within 72 hours of becoming aware of a personal data breach affecting their clinic's data. Notification includes nature of the incident, data affected, and remediation steps.

Security questionnaires & procurement

We respond to security questionnaires for Enterprise customers. Send your questionnaire to hello@equasched.com and we will return a completed response within 5 business days.

Available under NDA: independent security audit report (May 2026), SOC 2 readiness documentation, vendor DPA index, infrastructure architecture diagram.