Security Overview

Security at Nexus Clinical

Healthcare data deserves healthcare-grade protection. Here’s how we keep your information safe.

πŸ”’

Data Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys and OAuth tokens are encrypted at rest using AES-256-GCM before storage β€” raw secrets never touch the database.

πŸ›‘οΈ

Row-Level Security

Every database table is protected by Supabase Row-Level Security policies. Users can only read and write their own data. Admin operations use a server-side service role that is never exposed to the browser.

πŸ”‘

Authentication

User sessions are managed by Supabase Auth with short-lived JWTs. Passwords are hashed with bcrypt. Role assignments are validated server-side on every privileged request β€” never from client-supplied tokens.

πŸ’³

Payment Security

Payments are processed by Stripe. Nexus Clinical never stores raw card numbers. All fee calculations happen server-side only β€” client-submitted amounts are never trusted.

πŸ“‹

Privacy by Design

Sponsors receive aggregate audience insights β€” never individual attendee contact details. Attendee data is not sold or shared with third parties. IP addresses are hashed (SHA-256) before analytics storage.

πŸ”„

Dependency Security

Dependencies are pinned and reviewed regularly. Security advisories are monitored via GitHub Dependabot. Production builds run in isolated server environments with no direct database access from client code.

Responsible Disclosure

If you discover a security vulnerability in Nexus Clinical, please report it to us privately before disclosing it publicly. We’ll acknowledge your report within 48 hours and work with you on a fix.

security@nexusclinical.com β†’
HIPAA notice: Nexus Clinical is an event discovery and management platform β€” it does not store, process, or transmit protected health information (PHI) as defined under HIPAA. If your organization requires a Business Associate Agreement, please contact us.