Security model, plainly stated.

HippoHandover stores small operational identifiers — a coded name, age, sex, location, attending, diagnosis, plan. Free-text fields are user-controlled. The application never asks for legal name, MRN, PHIN, address, or DOB. We treat the entire database as PHI-equivalent: branch-scoped access on every query, audit log on every read, encryption at rest.

• Bcrypt password hashing (cost 12) on every account.
• HTTPS-only with HSTS preload, X-Frame-Options DENY, Cross-Origin-Opener-Policy, full Content-Security-Policy.
• Session cookies are HttpOnly, Secure, SameSite=Lax, 8-hour rolling timeout. Per-device session list with self-serve revoke at /account.
• Optional TOTP MFA (otplib v13) per user.
• Branch-scoped RBAC enforced on every API route. Patients are visible only to users with an active membership in the patient’s specialty branch + site combination.
• Account deletion + data export endpoints (GDPR/PHIA Article 15/17 equivalents).

• In transit: TLS 1.3 via Vercel edge. HSTS max-age 2 years, includeSubDomains, preload.
• At rest: AES-256 on Supabase (Postgres) volumes by default; encrypted off-site backups.
• Patient photos are stored in-database (BYTEA), 1.5 MB cap, content-type-whitelisted, never on a public CDN URL.
• Reset / invite tokens stored as SHA-256 hashes; raw token only ever returned once.

An AuditLog row is written for every patient view, edit, archive, restore, handover generation, handover acknowledgment, role change, invite create/revoke, account delete, and login event. Each row records actor id, actor name, action, entity type, entity id, IP-derived rate-limit fingerprint, device coarse fingerprint, structured metadata, and UTC timestamp. Retention is unbounded by default; admins can apply institutional retention via a scheduled purge.

• RTO (recovery time objective): < 60 minutes for a full service-restore from backup, ≤ 5 minutes for a redeploy of a known-good build.
• RPO (recovery point objective): ≤ 5 minutes against the Supabase point-in-time recovery (PITR) window; ≤ 24 hours against off-site daily backups.
• Uptime SLO: 99.5% rolling 30-day window, with a public live dashboard at /status.
• Incident communication: status-page banner + email to all institution admins within 30 minutes of a P1.

• Vercel — application hosting + edge runtime. Region: iad1 (US East). SOC 2 Type II.
• Supabase — Postgres + realtime broadcast + storage. Region selectable per project. SOC 2 Type II.
• Resend — transactional email delivery (password resets, onboarding, invites). SOC 2 Type II.
• Groq — AI inference for the optional handover-AI feature. Disabled by default; admin must set AI_EXTERNAL_PROVIDER_APPROVED=true per institution policy. We never send PHI fields directly without first asking.

No third-party analytics, no advertising trackers, no marketing pixels. Browser console + Vercel runtime logs are the only telemetry sinks.

• No PHI in URLs, page titles, browser notifications, OG previews, or analytics.
• Cookie consent banner with privacy-preserving defaults; we decline opt-in cookies on the user’s behalf.
• Versioned policy attestation: every “I accept” recorded with timestamp + policy version hash.
• Account deletion + data export endpoints publicly documented at /account.

Procurement and security questions: karimsidhom@outlook.com. Live status: /status. Public policies: /privacy · /terms · /aup · /data-processing.