Security

Your data is healthcare data.
We engineered for that.

EnrollPilot doesn't bolt security on as an afterthought. Encryption, access control, audit logging, and tenant isolation are in the architecture from day one — and we can prove every claim on this page.

AES-256 encryption · 220+ audit events · 23 permission keys · TOTP two-factor auth · 60+ isolated models · SOC 2 infrastructure

How we protect your data

Six layers. Zero hand-waving.

Every claim below is backed by specific implementation details. Click "View technical details" on any section to see the proof.

Encryption

Encryption Everywhere

AES-256-GCM encrypts sensitive fields at the application layer. TLS 1.2+ protects every byte in transit. HSTS is enforced for two years.

AES-256-GCM with 96-bit IV · TLS 1.2+ on all connections · SSN, TOTP & credentials encrypted · S3 SSE (AES-256) at rest
  • Application-layer encryption uses AES-256-GCM with a 96-bit IV and a 16-byte authentication tag. The 32-byte key is decoded from a 64-hex-character environment variable. A version byte (0x01) prefixed to every ciphertext records which key and format produced it, so a new key can be introduced and existing rows re-encrypted later without downtime.
  • Encrypted fields include: TOTP secrets, Social Security Numbers, provider login passwords, CAQH credentials, and portal passwords. Nullable fields use dedicated encrypt/decrypt wrappers.
  • Transit encryption: HSTS header set to ~2 years with includeSubDomains. Database connections enforce sslmode=require. All S3 presigned URLs use HTTPS. Real-time channels use WSS.
  • Token hashing: Password reset and invite tokens are SHA-256 hashed before storage (raw token emailed). Recovery codes use a dual-hash scheme: HMAC-SHA256 prefix for O(1) lookup, bcrypt for verification.
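The field-encryption layout and the token hashing described in this section, as an added example written for this page rather than EnrollPilot's own code. The function names, the 64-hex-character sample key used below and the base64 blob layout are assumptions; only node:crypto is used.

```typescript
// Added example (not EnrollPilot's code): versioned AES-256-GCM field encryption.
// Layout and names are assumptions modelled on the page's description.
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

const VERSION = 0x01; // format/key version byte; a rotated key would get 0x02 and both decrypt
const IV_LEN = 12;    // 96-bit IV, the size GCM is designed for
const TAG_LEN = 16;   // 128-bit authentication tag

// The key arrives as a 64-hex-character environment variable and is decoded, not
// derived: 64 hex characters are exactly the 32 raw bytes AES-256 needs.
export function loadFieldKey(hex: string): Buffer {
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error("field encryption key must be 64 hex characters (32 bytes)");
  }
  return Buffer.from(hex, "hex");
}

// Output: base64( version(1) | iv(12) | tag(16) | ciphertext ). A fresh random IV per
// call is what keeps GCM safe; an IV must never repeat under the same key.
export function encryptField(plaintext: string, key: Buffer): string {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([Buffer.from([VERSION]), iv, cipher.getAuthTag(), ct]).toString("base64");
}

export function decryptField(blob: string, key: Buffer): string {
  const buf = Buffer.from(blob, "base64");
  if (buf.length < 1 + IV_LEN + TAG_LEN) throw new Error("ciphertext too short");
  if (buf[0] !== VERSION) throw new Error(`unsupported ciphertext version 0x${buf[0].toString(16)}`);
  const iv = buf.subarray(1, 1 + IV_LEN);
  const tag = buf.subarray(1 + IV_LEN, 1 + IV_LEN + TAG_LEN);
  const ct = buf.subarray(1 + IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify, so any modified byte is rejected
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Nullable wrappers for optional columns: null stays null, everything else is encrypted.
export const encryptNullable = (v: string | null, key: Buffer): string | null =>
  v === null ? null : encryptField(v, key);
export const decryptNullable = (v: string | null, key: Buffer): string | null =>
  v === null ? null : decryptField(v, key);

// Opaque tokens (password reset, invite): persist only the SHA-256 digest and e-mail
// the raw token, so a read of the database alone cannot redeem one.
export function hashToken(rawToken: string): string {
  return createHash("sha256").update(rawToken, "utf8").digest("hex");
}

// Integrity demonstration: flipping one bit of the stored blob must make decryption fail.
export function tamperedBlobIsRejected(blob: string, key: Buffer): boolean {
  const buf = Buffer.from(blob, "base64");
  buf[buf.length - 1] ^= 0x01;
  try {
    decryptField(buf.toString("base64"), key);
    return false;
  } catch {
    return true;
  }
}
```

The version byte is checked before anything is decrypted, so an unknown version is a loud error rather than a silent attempt with the wrong key; rotation means adding a second key keyed by version and re-encrypting rows in the background.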
Authentication

Authentication & MFA

TOTP-based two-factor authentication, bcrypt password hashing at cost factor 12, automatic account lockout, and sliding-window rate limiting.

TOTP 2FA with recovery codes · bcrypt (cost factor 12) · Account lockout after 5 attempts · Timing-safe comparisons
  • Password policy: minimum 12 characters (above the 8-character floor in NIST SP 800-63B), maximum 128, with a composition rule requiring upper + lower + digit + special (note that 800-63B itself advises against composition rules). Login input is capped at 1,000 characters so oversized payloads are rejected before they reach bcrypt.
  • 2FA implementation: TOTP with SHA-1, 6 digits, 30-second period, +/-1 window for clock skew. TOTP secrets encrypted at rest via AES-256-GCM. 10 recovery codes per setup with dual-hash storage.
  • Lockout: 5 failed attempts triggers a 15-minute lockout via atomic SQL increment (prevents TOCTOU race conditions). 2FA failures also count toward lockout.
  • Rate limiting: Upstash Redis sliding window across all auth endpoints (login, 2FA, forgot-password, invite, org creation). Timing oracle prevention: dummy bcrypt hash used on user-not-found paths for identical ~300ms response time.
  • Session management: JWT + DB-backed sessions. 30-min inactivity timeout (or 7-day with Remember Me). Max 5 concurrent sessions. All sessions invalidated atomically on password reset.
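The TOTP window and the dual-hash recovery-code storage from the list above (the recovery codes are also described under Encryption), as an added example that is not EnrollPilot's code. scrypt from node:crypto stands in for bcrypt so the block runs with no dependencies; the store shape and the server-side HMAC key are assumptions.

```typescript
// Added example (not EnrollPilot's code): RFC 6238 TOTP with a +/-1 step window and a
// dual-hash recovery-code store. scrypt stands in for bcrypt; names are assumptions.
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

const DIGITS = 6;
const PERIOD = 30;

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret: Buffer, counter: number): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const h = createHmac("sha1", secret).update(msg).digest();
  const off = h[h.length - 1] & 0x0f;
  const bin = ((h[off] & 0x7f) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3];
  return String(bin % 10 ** DIGITS).padStart(DIGITS, "0");
}

export function totpAt(secret: Buffer, unixSeconds: number): string {
  return hotp(secret, Math.floor(unixSeconds / PERIOD));
}

// Accept the current step and one step either side to absorb clock skew. Every step in
// the window is checked (no early return) and each comparison is constant-time, so the
// verifier's timing does not reveal which step, if any, matched.
export function verifyTotp(secret: Buffer, code: string, unixSeconds: number, window = 1): boolean {
  if (!/^\d{6}$/.test(code)) return false;
  const current = Math.floor(unixSeconds / PERIOD);
  let ok = false;
  for (let k = -window; k <= window; k++) {
    if (current + k < 0) continue;
    if (timingSafeEqual(Buffer.from(hotp(secret, current + k)), Buffer.from(code))) ok = true;
  }
  return ok;
}

// Recovery codes: the HMAC-SHA256 of the code under a server-side key is the O(1) lookup
// key (a dumped table cannot be indexed offline without that key); the slow hash is what
// is actually verified.
interface StoredRecoveryCode { salt: string; hash: string; used: boolean }
export type RecoveryCodeStore = Map<string, StoredRecoveryCode>;

function lookupKeyFor(code: string, serverKey: Buffer): string {
  return createHmac("sha256", serverKey).update(code).digest("hex");
}

function slowHash(code: string, salt: string): Buffer {
  return scryptSync(code, salt, 32, { N: 2 ** 14, r: 8, p: 1 }); // bcrypt stand-in
}

export function generateRecoveryCodes(count = 10): string[] {
  return Array.from({ length: count }, () => randomBytes(5).toString("hex")); // 10 hex chars each
}

export function storeRecoveryCodes(codes: string[], serverKey: Buffer): RecoveryCodeStore {
  const store: RecoveryCodeStore = new Map();
  for (const code of codes) {
    const salt = randomBytes(16).toString("hex");
    store.set(lookupKeyFor(code, serverKey), { salt, hash: slowHash(code, salt).toString("hex"), used: false });
  }
  return store;
}

// Single use: a redeemed code is marked used and is never accepted again.
export function redeemRecoveryCode(store: RecoveryCodeStore, serverKey: Buffer, candidate: string): boolean {
  const code = candidate.trim().toLowerCase();
  const entry = store.get(lookupKeyFor(code, serverKey));
  if (!entry || entry.used) return false;
  if (!timingSafeEqual(slowHash(code, entry.salt), Buffer.from(entry.hash, "hex"))) return false;
  entry.used = true;
  return true;
}
```

The HMAC key for recovery-code lookup belongs in the application environment, not in the database, for the same reason the field-encryption key does: the lookup column is only useless to an attacker while the key stays out of the dump. The 2FA failure path should feed the same lockout counter as a wrong password.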
Access Control

Access Control & Permissions

Role-based access with 23 granular permission keys, 11 layered auth guards, and a 3-tier permission cascade. Every server action is protected.

23 granular permission keys · 11 layered auth guards · 247 files use auth guards · 3-tier permission cascade
  • Guard hierarchy: 11 auth guards form a layered chain, requireAuth → requireStaff → requireStaffRole → requireAdmin. 247 server action files import and enforce these guards.
  • Granular permissions: 23 permission keys across 5 categories (Enrollment Cases, Providers, Provider Groups, Documents, Admin Functions). 3-tier cascade: user override > role override > code defaults.
  • Role architecture: Roles live on Membership, not User — the same person can hold different roles in different organizations. READONLY users get only document:download.
  • Defense-in-depth routing: Three layers check access — edge middleware (JWT), server layout (role + subscription), and server actions (auth guards + Zod validation). mustChangePassword blocks all mutations until resolved.
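The permission cascade and guard chain described above, as an added example that is not EnrollPilot's code. The page lists 23 keys and 11 guards; this shows a handful of each, and the role names, key names and override shapes are assumptions.

```typescript
// Added example (not EnrollPilot's code): three-tier permission cascade and guard chain.
// Keys, roles and override shapes are assumptions modelled on the page's description.
export type Role = "ADMIN" | "STAFF" | "READONLY";
export type Permission =
  | "case:read" | "case:write" | "provider:read" | "provider:write"
  | "document:download" | "document:upload" | "admin:manage_users";

const ALL: Permission[] = ["case:read", "case:write", "provider:read", "provider:write",
  "document:download", "document:upload", "admin:manage_users"];

// Tier 3 (lowest precedence): code defaults. READONLY gets document:download only.
const ROLE_DEFAULTS: Record<Role, ReadonlySet<Permission>> = {
  ADMIN: new Set(ALL),
  STAFF: new Set(ALL.filter(p => !p.startsWith("admin:"))),
  READONLY: new Set(["document:download"]),
};

// An override is an explicit true/false per key; an absent key falls through to the next tier.
export type Overrides = Partial<Record<Permission, boolean>>;

// Roles live on the membership, so one user can be ADMIN in one org and READONLY in another.
export interface Membership { userId: string; orgId: string; role: Role; overrides?: Overrides }
export interface OrgPolicy { roleOverrides?: Partial<Record<Role, Overrides>> }
export interface Session { userId: string; activeOrgId: string; mustChangePassword: boolean }

export class AuthError extends Error {}

// user override > role override > code defaults
export function hasPermission(m: Membership, org: OrgPolicy, key: Permission): boolean {
  const user = m.overrides?.[key];
  if (user !== undefined) return user;
  const role = org.roleOverrides?.[m.role]?.[key];
  if (role !== undefined) return role;
  return ROLE_DEFAULTS[m.role].has(key);
}

// Guard chain: each guard calls the one before it and narrows further.
export function requireAuth(session: Session | null): Session {
  if (!session) throw new AuthError("not authenticated");
  return session;
}

export function requireStaff(session: Session | null, memberships: Membership[]): Membership {
  const s = requireAuth(session);
  const m = memberships.find(x => x.userId === s.userId && x.orgId === s.activeOrgId);
  if (!m) throw new AuthError("no membership in the active organization");
  return m;
}

export function requireStaffRole(session: Session | null, memberships: Membership[], roles: Role[]): Membership {
  const m = requireStaff(session, memberships);
  if (!roles.includes(m.role)) throw new AuthError(`role ${m.role} is not permitted here`);
  return m;
}

export function requireAdmin(session: Session | null, memberships: Membership[]): Membership {
  return requireStaffRole(session, memberships, ["ADMIN"]);
}

// What a server action calls first: guard, then permission, and refuse every mutation
// while a forced password change is pending.
export function guardAction(
  session: Session | null, memberships: Membership[], org: OrgPolicy, key: Permission, mutating: boolean,
): Membership {
  const s = requireAuth(session);
  const m = requireStaff(s, memberships);
  if (mutating && s.mustChangePassword) throw new AuthError("password change required before mutations");
  if (!hasPermission(m, org, key)) throw new AuthError(`missing permission ${key}`);
  return m;
}
```

Because the membership, not the user, carries the role, a user's permissions are re-evaluated whenever the active organization changes; the cascade only ever consults overrides for that one membership.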
Tenant Isolation

Tenant Data Isolation

Every query, every file, every real-time channel is scoped to your organization. 60+ database models enforce tenant boundaries. Your data never leaks.

60+ models with orgId · S3 key prefixed by org · orgId from session, never client · Real-time channels org-scoped
  • Schema-level isolation: 60+ Prisma models include an orgId column. Every WHERE clause includes orgId from the authenticated session — 129+ occurrences across 60 source files.
  • Session-derived orgId: activeOrgId always comes from the DB-backed session and is validated against the user's membership list. The client cookie value is never trusted directly.
  • File storage: S3 object keys embed orgId in the path prefix: {env}/{orgId}/{category}/{entityId}/{uuid}-(unknown). Nine distinct path namespaces for different document types.
  • Real-time & notifications: Ably channels embed orgId (org:{orgId}:conversation:{id}). SSE notification delivery double-checks orgId match before sending. Cross-org enrollment creation verifies Membership records.
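The session-derived org resolution, org-prefixed object keys and org-scoped channel names described above, as an added example that is not EnrollPilot's code. The category names, the filename suffix after the UUID and the validation rules are assumptions; the page only gives the key template up to the UUID.

```typescript
// Added example (not EnrollPilot's code): tenant scoping helpers. Segment rules and
// category names are assumptions modelled on the page's description.
import { randomUUID } from "node:crypto";
import { basename } from "node:path";

export interface Session { userId: string; activeOrgId: string | null }
export interface Membership { userId: string; orgId: string }
export class TenantError extends Error {}

const SEGMENT = /^[A-Za-z0-9_-]+$/; // no "/", "..", or whitespace inside a key segment

function orgsOf(userId: string, memberships: Membership[]): Set<string> {
  return new Set(memberships.filter(m => m.userId === userId).map(m => m.orgId));
}

// The active org is read from the DB-backed session and re-checked against the membership
// list on every request; a cookie value is never used as the org id.
export function resolveActiveOrgId(session: Session, memberships: Membership[]): string {
  const orgId = session.activeOrgId;
  if (!orgId || !orgsOf(session.userId, memberships).has(orgId)) {
    throw new TenantError("session has no valid active organization");
  }
  return orgId;
}

// The only path by which a client-chosen org reaches the session: validated, then written.
export function switchActiveOrg(session: Session, memberships: Membership[], requestedOrgId: string): Session {
  if (!orgsOf(session.userId, memberships).has(requestedOrgId)) {
    throw new TenantError("user is not a member of the requested organization");
  }
  return { ...session, activeOrgId: requestedOrgId };
}

// Every query filter is built from the resolved orgId; a client-supplied orgId in the
// where clause is overwritten, never merged.
export function orgScoped<T extends object>(orgId: string, where: T): T & { orgId: string } {
  return { ...where, orgId };
}

// {env}/{orgId}/{category}/{entityId}/{uuid}-{safeName}: the org sits in the prefix, every
// id segment is validated, and the user-supplied filename is reduced to a safe basename.
export function buildObjectKey(env: string, orgId: string, category: string, entityId: string, filename: string): string {
  for (const seg of [env, orgId, category, entityId]) {
    if (!SEGMENT.test(seg)) throw new TenantError(`invalid key segment: ${JSON.stringify(seg)}`);
  }
  const safeName = basename(filename).replace(/[^A-Za-z0-9._-]/g, "_");
  return `${env}/${orgId}/${category}/${entityId}/${randomUUID()}-${safeName}`;
}

// Before presigning a download: the key stored on the record must sit under this org's prefix.
export function assertKeyInOrg(key: string, env: string, orgId: string): void {
  if (!key.startsWith(`${env}/${orgId}/`)) throw new TenantError("object key belongs to another tenant");
}

export function conversationChannel(orgId: string, conversationId: string): string {
  return `org:${orgId}:conversation:${conversationId}`;
}

// The trailing colon matters: "org:o1:" must not match a channel for "org:o10".
export function channelInOrg(channel: string, orgId: string): boolean {
  return channel.startsWith(`org:${orgId}:`);
}
```

The same prefix discipline applies to IAM: a bucket policy that only allows the application role access under the environment prefix limits the blast radius if a key is ever mis-built.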
Audit Logging

Audit Logging & Compliance

220+ audit event types across 12 categories. Every write automatically strips PII. Retention policies enforce data lifecycle from creation to deletion.

220+ audit event types · Automatic PII sanitization · Enforced data retention · HIPAA-aligned practices
  • PII sanitization: Every audit write passes through sanitizeAuditMeta(), which strips 13+ field types: names, NPIs, emails, phones, DOBs, SSNs, addresses, filenames, URLs, and free text. Any field it has to strip triggers a SECURITY:-prefixed console warning.
  • Safe logging: All log context passes through deep redaction. A developer-trap function (UNSAFE_logRequestBody()) throws on any call to prevent accidental request body logging.
  • Demographic tracking: Snapshots captured before updates for immutable compliance records. SSN masked to ***-**-XXXX, DOB to **/**/YYYY. Unknown fields default to hidden (allowlist approach).
  • Retention enforcement: 34 cron jobs manage data lifecycle — expired sessions (hourly), AI suggestions (90 days), AI usage logs (180 days), orphaned S3 objects (24 hours), email retry records (7-30 days).
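The allowlist-based audit sanitization, masking, deep log redaction and developer trap described above, as an added example that is not EnrollPilot's code. The allowlisted keys, the blocked key names and the regular expressions are assumptions; the sample metadata in the test is constructed.

```typescript
// Added example (not EnrollPilot's code): audit metadata allowlist, masking helpers,
// deep log redaction and a developer trap. Key lists and patterns are assumptions.
const AUDIT_META_ALLOWLIST = new Set(["orgId", "caseId", "providerId", "documentId", "action", "status", "count"]);

// Field names that never belong in an audit row or a log line, compared case-insensitively.
const PII_KEYS = new Set(["name", "firstname", "lastname", "npi", "email", "phone", "dob",
  "dateofbirth", "ssn", "address", "filename", "url", "notes", "description"]);

const SSN_RE = /\b\d{3}-\d{2}-(\d{4})\b/;
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;

function isScalar(v: unknown): v is string | number | boolean {
  return typeof v === "string" || typeof v === "number" || typeof v === "boolean";
}

function looksLikePii(s: string): boolean {
  return SSN_RE.test(s) || EMAIL_RE.test(s);
}

// Allowlist: unknown keys are dropped rather than passed through, and a value that looks
// like PII is dropped even under an allowed key. Every drop is reported with a SECURITY:
// prefix so it stands out in log review.
export function sanitizeAuditMeta(
  meta: Record<string, unknown>, warn: (msg: string) => void = console.warn,
): Record<string, string | number | boolean> {
  const out: Record<string, string | number | boolean> = {};
  const dropped: string[] = [];
  for (const [key, value] of Object.entries(meta)) {
    if (AUDIT_META_ALLOWLIST.has(key) && isScalar(value) && !(typeof value === "string" && looksLikePii(value))) {
      out[key] = value;
    } else {
      dropped.push(key);
    }
  }
  if (dropped.length) warn(`SECURITY: audit metadata dropped disallowed fields: ${dropped.join(", ")}`);
  return out;
}

export function maskSsn(ssn: string): string {
  return `***-**-${ssn.replace(/\D/g, "").slice(-4)}`;
}

// Accepts YYYY-MM-DD or MM/DD/YYYY; only the year survives.
export function maskDob(dob: string): string {
  const year = dob.match(/(\d{4})/)?.[1];
  if (!year) throw new Error("unrecognised DOB format");
  return `**/**/${year}`;
}

// Deep redaction for log context: PII-named keys are replaced wholesale, strings are
// scrubbed for embedded SSNs and e-mail addresses, and nesting is depth-limited.
export function redactDeep(value: unknown, depth = 0): unknown {
  if (depth > 8) return "[depth-limited]";
  if (typeof value === "string") {
    return value.replace(new RegExp(SSN_RE, "g"), "***-**-$1").replace(new RegExp(EMAIL_RE, "g"), "[email]");
  }
  if (Array.isArray(value)) return value.map(v => redactDeep(v, depth + 1));
  if (value && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = PII_KEYS.has(k.toLowerCase()) ? "[REDACTED]" : redactDeep(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Trap: exists so that anyone reaching for "just log the body" hits a hard failure in
// development instead of shipping PII into the log pipeline.
export function UNSAFE_logRequestBody(_body: unknown): never {
  throw new Error("UNSAFE_logRequestBody: request bodies are never logged; pass named fields through redactDeep");
}
```

Allowlisting is what makes the sanitizer safe against new code: a developer who adds a `patientNote` key to an audit call gets a warning and an empty field, not a leaked note.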
Infrastructure

Infrastructure & Hardening

Vercel Pro with strict security headers and CSP. Neon PostgreSQL with SOC 2 Type II compliance. AWS S3 with versioning, lifecycle policies, and all public access blocked.

Content Security Policy · SOC 2 Type II (Neon) · S3 versioning + Glacier archival · 7 strict security headers
  • Security headers: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy disables camera/microphone/geolocation/payment, X-Powered-By suppressed.
  • CSP: default-src 'self', frame-ancestors 'none', base-uri 'self', form-action 'self'. Script and connect sources are an explicit allowlist.
  • AWS S3: all four Block Public Access settings enabled. IAM least-privilege policy (only Put/Get/Delete/List on the bucket). Versioning enabled, so deletes create delete markers (soft delete). Noncurrent versions transition to Glacier Instant Retrieval after 30 days.
  • Database resilience: Retry with exponential backoff (max 3 retries, random jitter). Circuit breaker opens after 3 consecutive failures, 30-second cooldown. 30-second statement timeout. Connection pooling via PgBouncer.
  • XSS prevention: 8 documented uses of dangerouslySetInnerHTML, each with a written security justification. Custom HTML sanitizer (255 lines) with an allowlist of 50+ tags, URI scheme blocking, CSS expression blocking, null byte stripping, and 38+ test cases.
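The retry and circuit-breaker behaviour described under database resilience, as an added example that is not EnrollPilot's code. It uses the page's parameters (max 3 retries with jitter, open after 3 consecutive failures, 30-second cooldown); the class shape and the injected clock and sleep are assumptions so the state machine can be exercised without waiting.

```typescript
// Added example (not EnrollPilot's code): exponential backoff with full jitter behind a
// circuit breaker. Clock and sleep are injected; the shape is an assumption.
export type BreakerState = "closed" | "open" | "half-open";

export class CircuitBreaker {
  private consecutiveFailures = 0;
  private openedAt: number | null = null;

  constructor(
    private readonly now: () => number = Date.now,
    private readonly threshold = 3,
    private readonly cooldownMs = 30_000,
  ) {}

  // open: shedding calls; half-open: cooldown elapsed, a trial call may go through
  state(): BreakerState {
    if (this.openedAt === null) return "closed";
    return this.now() - this.openedAt >= this.cooldownMs ? "half-open" : "open";
  }

  canAttempt(): boolean {
    return this.state() !== "open";
  }

  recordSuccess(): void {
    this.consecutiveFailures = 0;
    this.openedAt = null;
  }

  recordFailure(): void {
    this.consecutiveFailures += 1;
    // a failed trial call while half-open re-opens immediately; otherwise open on the threshold
    if (this.state() === "half-open" || this.consecutiveFailures >= this.threshold) {
      this.openedAt = this.now();
    }
  }
}

// Full jitter: a random delay in [0, base * 2^attempt), so many workers retrying at once
// do not hit the database in lockstep.
export function backoffDelayMs(attempt: number, baseMs = 100, rand: () => number = Math.random): number {
  return Math.floor(rand() * baseMs * 2 ** attempt);
}

export async function withRetry<T>(
  op: () => Promise<T>,
  breaker: CircuitBreaker,
  sleep: (ms: number) => Promise<void> = ms => new Promise(r => setTimeout(r, ms)),
  maxRetries = 3,
): Promise<T> {
  let lastError: unknown;
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    // fail fast while the breaker is open instead of queueing more work behind a sick database
    if (!breaker.canAttempt()) throw new Error("circuit open: database call shed");
    try {
      const result = await op();
      breaker.recordSuccess();
      return result;
    } catch (err) {
      lastError = err;
      breaker.recordFailure();
      if (attempt < maxRetries) await sleep(backoffDelayMs(attempt));
    }
  }
  throw lastError;
}
```

The 30-second statement timeout the page mentions is a server-side PostgreSQL setting (statement_timeout), not something this wrapper enforces; the two complement each other, since the timeout bounds a single slow query while the breaker stops a failing database from consuming every connection in the PgBouncer pool.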

20+ Data Transfer Objects filter what reaches the browser

Password hashes, SSNs, internal object keys, and PII are stripped at the DTO layer before any data touches the frontend. Portal-facing DTOs enforce stricter field exclusion than staff-facing ones.

passwordHash · SSN · objectKey · DOB · bankAccount · authSecrets

Compliance Posture

Built for healthcare requirements

EnrollPilot's security controls are designed around the specific requirements of credentialing organizations handling sensitive provider and patient-adjacent data.

HIPAA Compliance

HIPAA-Aligned Infrastructure

Sensitive fields encrypted at rest (AES-256-GCM), S3 objects encrypted at rest (SSE, AES-256), all traffic encrypted in transit (TLS 1.2+). Role-based access controls enforce minimum necessary access. PII sanitized from logs. Demographic change tracking with immutable snapshots.

SOC 2 Certification

SOC 2 Type II Partners

Our database provider (Neon PostgreSQL) maintains SOC 2 Type II compliance. Compute and edge infrastructure runs on Vercel Pro. Document storage on AWS S3 with encryption, versioning, and lifecycle policies.

Data Lifecycle

Automated Data Lifecycle

34 cron jobs enforce retention policies automatically. Expired sessions purged hourly. AI-generated content purged at 90 days. Orphaned files cleaned within 24 hours. No manual intervention needed.

Questions? Let's walk through it together.

We'll answer your security team's questions, share implementation details, and demonstrate controls live. No NDAs required for the conversation.