Security

ChartInsight is built with security and compliance at its core, providing HIPAA-compliant handling of sensitive medical records.

Authentication

Login Methods

Email/Password:

  • Secure password requirements enforced
  • Password strength validation
  • Secure password hashing (bcrypt)

Google OAuth:

  • Single sign-on with Google accounts
  • No password to manage
  • Uses OAuth 2.0 protocol

Multi-Factor Authentication (MFA)

Email-Based Verification:

  • Verification code sent to registered email
  • Required on login when MFA is enabled
  • Code expiration for security

MFA Flow:

  1. Enter email and password
  2. System detects MFA is enabled
  3. Verification code sent to email
  4. Enter code to complete login
  5. Session established

Resend Codes:

  • Request new code if original not received
  • Previous codes invalidated
  • Rate limiting prevents abuse
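The MFA flow and resend rules above, as an added example of the server-side code lifecycle (issue, resend, expiry, one-time verification); this is not ChartInsight's code, and the code length, TTL, resend interval and attempt limit are assumptions:

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example of the email-code MFA lifecycle described above (issue, resend,
# expiry, verify). Not ChartInsight's code; the three limits below are assumptions.
CODE_TTL_SECONDS = 600     # assumed: a code expires 10 minutes after issue
RESEND_MIN_INTERVAL = 60   # assumed: resend allowed at most once per minute
MAX_ATTEMPTS = 5           # assumed: wrong guesses allowed per code


@dataclass
class PendingMfa:
    code: str
    issued_at: float
    attempts: int = 0


class MfaStore:
    """Server-side state for pending second-factor checks, keyed by user."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be tested
        self.pending: dict[str, PendingMfa] = {}

    def issue_code(self, user_id: str) -> str:
        """Step 3 / resend: mint a fresh code; any earlier code is replaced."""
        prev = self.pending.get(user_id)
        if prev and self.now() - prev.issued_at < RESEND_MIN_INTERVAL:
            raise RuntimeError("resend rate limit: try again later")
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
        self.pending[user_id] = PendingMfa(code=code, issued_at=self.now())
        return code   # e-mailed to the user; never returned to the browser

    def verify(self, user_id: str, submitted: str) -> bool:
        """Step 4: expired, exhausted, replaced or wrong codes all fail."""
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if self.now() - entry.issued_at > CODE_TTL_SECONDS or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user_id]  # stale code cannot be retried
            return False
        entry.attempts += 1
        if not hmac.compare_digest(entry.code, submitted):   # constant-time compare
            return False
        del self.pending[user_id]      # one-time use; step 5 establishes the session
        return True
```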

Password Reset

  • Secure reset link sent to email
  • Links expire after set period
  • Old password not required (for forgotten passwords)

Account Lockout

  • Activated after multiple failed login attempts
  • Protects against brute-force attacks
  • Automatic unlock after timeout period

Authorization

Role-Based Access Control (RBAC)

  Permission            Capabilities
  manage_files          Upload, edit, delete medical records
  manage_organization   Team settings, templates, invitations
  manage_billing        Payment methods, invoices
  manage_api            API keys, integrations

Permission Assignment

  • Admins assign roles to team members
  • Users can have multiple permissions
  • Permissions checked on every operation

Per-Record Permissions

  • Record sharing controls who can access
  • Sharing options: Private, Team-wide, Specific users
  • Uploader always retains access

Team-Level Roles

  • Permissions scoped to specific teams
  • Users in multiple teams have separate roles per team
  • Role changes take effect immediately
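The permission table, per-record sharing options and team-scoped roles above, combined into one added access-check example; this is not ChartInsight's code, and the data layout (membership implied by a team entry, manage_files required for edit/delete) is an assumption:

```python
from dataclasses import dataclass

# Added example of the authorization model described above: team-scoped
# permissions plus per-record sharing. Not ChartInsight's code; data shapes are assumed.


@dataclass(frozen=True)
class Record:
    record_id: str
    team_id: str
    uploader: str
    sharing: str                          # "private" | "team" | "specific"
    shared_with: frozenset = frozenset()  # used only when sharing == "specific"


# user -> team -> permissions held in that team; an entry (even an empty set)
# marks team membership (assumption).
Perms = dict[str, dict[str, set[str]]]


def has_permission(perms: Perms, user: str, team: str, permission: str) -> bool:
    """Team-scoped check: a permission held in one team grants nothing in another."""
    return permission in perms.get(user, {}).get(team, set())


def can_view(perms: Perms, user: str, rec: Record) -> bool:
    """Per-record read access: the uploader always keeps it, otherwise sharing decides."""
    if user == rec.uploader:
        return True
    if rec.sharing == "team":
        return rec.team_id in perms.get(user, {})   # any member of the record's team
    if rec.sharing == "specific":
        return user in rec.shared_with
    return False                                    # "private": uploader only


def can_manage(perms: Perms, user: str, rec: Record) -> bool:
    """Edit/delete needs view access plus manage_files in the record's own team
    (assumption: an uploader whose role was changed loses edit/delete, not view)."""
    return can_view(perms, user, rec) and has_permission(perms, user, rec.team_id, "manage_files")
```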

Data Privacy

HIPAA Compliance

ChartInsight is designed for HIPAA compliance:

  • Administrative safeguards (access controls, audit logs)
  • Physical safeguards (secure data centers)
  • Technical safeguards (encryption, access controls)

Encryption

Data at Rest:

  • All stored data encrypted using AES-256
  • Database encryption enabled
  • File storage encryption

Data in Transit:

  • TLS 1.3 for all connections
  • HTTPS enforced for web traffic
  • Encrypted API communications

Data Retention

  • Configurable expiration dates per record
  • Automatic erasure at expiration
  • Warning emails before scheduled erasure
  • Manual erasure available on demand

Data Deletion

  • Permanent deletion when requested
  • Source files removed
  • Generated content removed
  • Audit trail maintained for compliance

Privacy-First Design

  • Sensitive fields marked with data-private attribute
  • Privacy-conscious logging (PII excluded)
  • Minimal data collection

Security Features

Rate Limiting

  • API endpoints rate-limited
  • Prevents abuse and DoS attacks
  • Fair usage across all users

Security Headers

  • CORS – Cross-Origin Resource Sharing controls
  • CSP – Content Security Policy
  • HSTS – HTTP Strict Transport Security
  • X-Frame-Options – Clickjacking protection
  • X-Content-Type-Options – MIME sniffing protection

Cookie Security

  • HttpOnly – prevents JavaScript access
  • Secure – HTTPS only transmission
  • SameSite – CSRF protection
  • Session cookies with expiration
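A check for the security headers and cookie attributes listed in the two sections above, as an added example that is not ChartInsight's code; the two sample responses are constructed, and the value thresholds (a CSP must name default-src, X-Frame-Options must be DENY or SAMEORIGIN) are assumptions:

```python
# Added example: a check that a response carries the header and cookie controls
# listed above. Not ChartInsight's code; the sample responses are constructed.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}


def parse_set_cookie(value: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_response(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings for missing or weak controls; an empty list means all present."""
    findings = []
    plain = {k.lower(): v for k, v in headers if k.lower() != "set-cookie"}
    for name, ok in REQUIRED_HEADERS.items():
        if name not in plain:
            findings.append(f"missing header: {name}")
        elif not ok(plain[name]):
            findings.append(f"weak header value: {name}: {plain[name]}")
    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(val)
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {name}: SameSite not Lax/Strict")
        if "expires" not in attrs and "max-age" not in attrs:  # "with expiration"
            findings.append(f"cookie {name}: no expiration")
    return findings


# Constructed samples: a hardened response and one with gaps.
GOOD = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Frame-Options", "DENY"), ("X-Content-Type-Options", "nosniff"),
        ("Set-Cookie", "session=abc; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600")]
WEAK = [("X-Frame-Options", "ALLOWALL"), ("Set-Cookie", "session=abc; Path=/")]
```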

Anti-Malware

  • ClamAV integration for virus scanning
  • Uploaded files scanned before processing
  • Malicious files rejected

Vulnerability Management

  • Regular dependency updates
  • Automated vulnerability scanning in CI/CD
  • Security patches applied promptly

Audit & Compliance

Audit Logging

  • Login attempts tracked
  • Record access logged
  • Administrative actions recorded

Access Reports

  • See who accessed records
  • Download and sharing activity
  • User invitation history

Compliance Features

  • Data export capabilities
  • Retention policy enforcement
  • Deletion verification

Security Best Practices

For Users

  • Enable MFA for your account
  • Use strong, unique passwords
  • Log out when using shared computers
  • Review sharing settings regularly
  • Report suspicious activity

For Administrators

  • Regularly review team membership
  • Revoke access for departed team members
  • Monitor for unusual activity
  • Keep billing information current
  • Review and rotate API keys

Incident Response

Reporting Security Issues

  • Contact [email protected]
  • Provide detailed description
  • Include steps to reproduce (if applicable)

Response Process

  1. Issue acknowledged within 24 hours
  2. Investigation initiated
  3. Fix developed and tested
  4. Patch deployed
  5. Affected users notified (if applicable)

Certifications & Standards

Trust Center

Visit our Trust Center for up-to-date security documentation, compliance certifications, and policies.

Current

  • HIPAA compliant design
  • SOC 2 Type II (in progress)
  • PCI-compliant payment processing (via Stripe)

Infrastructure

  • AWS cloud infrastructure
  • Data centers in USA
  • Redundant storage and backups