Security roadmap
Below is an honest account of where our security posture stands today and what we're working on next. We do not name any certification on this site until it has been audited.
What we have done
- TLS 1.2+ in transit on every request to the application and the database.
- Encryption at rest on the production database (Supabase / AWS-managed Postgres with disk-level encryption).
- Row-Level Security (RLS) on all tables holding patient-entered data; service-role keys live only in backend secrets, never in the browser bundle.
- Append-only audit log on patient-facing actions (PHI reads and writes).
- OAuth-based authentication (email/password and magic link).
- Public Safety Card share links default to time-limited and revocable.
What is in progress
- Server-side API layer in front of every PHI path (moving provider reads/writes off direct browser ↔ Supabase calls).
- Single Sign-On (SAML/OIDC) for provider tenants.
- Penetration testing engagement and follow-up remediation.
- SOC 2 Type I readiness work.
- HIPAA program documentation and Business Associate Agreement template for healthcare partners.
What we will not say until it is true
- "SOC 2 certified" — until we have a signed report.
- "HIPAA-compliant" — until our program is documented and a BAA is in place.
- "Enterprise security" — that's marketing language, not a control. We name the actual controls above.
Reporting a vulnerability
If you believe you have found a security issue, please email security@whatsinme.life. We will acknowledge receipt within two business days and coordinate disclosure with you.