Security

How we protect your data — updated February 18, 2026

Encrypted

All data encrypted in transit via TLS and at rest in our database

Isolated

Multi-tenant architecture with strict data isolation between clinics

Transparent

Clear data practices — we never sell data or train AI on your information

Infrastructure & Hosting

  • Application hosted on secure, managed cloud infrastructure with automatic scaling
  • Database hosted on Supabase (powered by AWS) with encrypted connections and automated backups
  • All network traffic encrypted with TLS 1.2+ (HTTPS enforced)
  • Database connections use SSL/TLS with connection pooling for performance and security
  • Infrastructure monitored 24/7 with automatic alerting for anomalies

Authentication & Access Control

  • User authentication via Google OAuth 2.0 (SSO) — we never store passwords
  • Session management via secure, signed JWT tokens with automatic expiration
  • Role-based access control: Patient Users can only access their own data; Clinic Admins can manage their clinic's data only
  • Internal API endpoints protected with API key authentication and header-based authorization
  • Admin dashboard access restricted to verified clinic owner email addresses

Data Isolation

  • Multi-tenant isolation: Every database query is scoped to the authenticated user and their clinic. One clinic cannot access another clinic's data under any circumstances.
  • User-level isolation: Patient Users can only read and write their own health data (labs, supplements, protocols, blood pressure, chat history).
  • Clinic-level isolation: Clinic Admins can view aggregate usage and manage users within their clinic only.
  • Foreign key constraints and application-level checks enforce data boundaries at every layer.
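The per-user and per-clinic scoping described above can be enforced inside the database itself, so that an application-level bug cannot widen a query's reach. The following is an added example and not HealthLabs AI's own schema or policies: the tables, columns and policy names are hypothetical, while `auth.uid()` and `auth.users` are the standard Supabase helpers for the user identified by the request's JWT.

```sql
-- Added example (hypothetical schema), showing Postgres row-level security
-- on Supabase. auth.uid() returns the id of the user in the current JWT.

create table clinics (
  id    uuid primary key default gen_random_uuid(),
  name  text not null
);

-- Which users administer which clinic.
create table clinic_admins (
  clinic_id uuid not null references clinics (id) on delete cascade,
  user_id   uuid not null references auth.users (id) on delete cascade,
  primary key (clinic_id, user_id)
);

-- Patient health data: every row carries both its owner and its clinic,
-- so both isolation levels can be checked from the row itself.
create table lab_results (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id) on delete cascade,
  clinic_id  uuid not null references clinics (id),
  marker     text not null,
  value      numeric not null,
  created_at timestamptz not null default now()
);

-- Without RLS enabled, policies are not consulted at all.
alter table lab_results enable row level security;
-- Apply policies to the table owner as well, not only to other roles.
alter table lab_results force row level security;

-- User-level isolation: a Patient User reads and writes only their own rows.
-- USING filters rows that can be seen; WITH CHECK rejects inserts/updates
-- that would create a row belonging to someone else.
create policy patient_own_rows on lab_results
  for all
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Clinic-level isolation: a Clinic Admin can read rows for their clinic only.
create policy clinic_admin_read on lab_results
  for select
  using (
    clinic_id in (
      select ca.clinic_id
      from clinic_admins ca
      where ca.user_id = auth.uid()
    )
  );

-- No policy grants cross-clinic access, so a query from any user for another
-- clinic's rows returns nothing rather than erroring or leaking.
```

Two points worth checking on such a setup: policies are permissive by default, so a user who holds several roles gets the union of what each policy allows, and server-side code that connects with Supabase's service role key bypasses RLS entirely and must apply the same scoping in its own queries.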

AI & Data Processing

  • AI analysis is performed via third-party large language model APIs (processed in real-time, not stored by the AI provider for training)
  • Only the minimum necessary data is sent to AI providers for processing (lab values, relevant context)
  • We do not use your health data to train, fine-tune, or improve any AI models
  • AI responses are generated on-the-fly and delivered directly to the user
  • Chat history is stored in the database and scoped to the individual user

Operational Security

  • Environment variables and secrets are stored securely and never committed to source code
  • API keys are rotated periodically and scoped to minimum required permissions
  • Dependency management with regular security audits and updates
  • Application logging and monitoring for suspicious activity detection
  • Secure development practices including code review and testing before deployment

What We Don't Do

  • We do not sell your data to anyone
  • We do not share health data with advertisers
  • We do not use your data to train AI models
  • We do not store passwords (OAuth only)
  • We do not access patient data without clinic authorization
  • We do not retain data after account deletion beyond a 30-day grace period

Shared Responsibility

Security is a shared responsibility. While we implement robust protections at the platform level, Clinic Customers are responsible for:

  • Securing access to their clinic admin accounts
  • Ensuring appropriate patient consent before uploading data
  • Complying with applicable healthcare regulations in their jurisdiction
  • Training their staff on secure use of the platform
  • Reporting any suspected security issues promptly

Reporting Security Issues

If you discover a security vulnerability or have concerns about our security practices, please contact us immediately:

Nexgen Compute LLC — Security Team

Email: security@healthlabsai.com

We aim to acknowledge reports within 24 hours and resolve confirmed issues promptly.