# Security

ChartInsight is built with security and compliance at its core, providing HIPAA-compliant handling of sensitive medical records.

## Authentication

### Login Methods

**Email/Password:**

* Secure password requirements enforced
* Password strength validation
* Secure password hashing (bcrypt)

**Google OAuth:**

* Single sign-on with Google accounts
* No password to manage
* Uses the OAuth 2.0 protocol

### Multi-Factor Authentication (MFA)

**Email-Based Verification:**

* Verification code sent to the registered email address
* Required on login when MFA is enabled
* Codes expire after a short period

**MFA Flow:**

1. Enter email and password
2. System detects that MFA is enabled
3. Verification code sent to email
4. Enter code to complete login
5. Session established

**Resend Codes:**

* Request a new code if the original was not received
* Previous codes are invalidated
* Rate limiting prevents abuse

### Password Reset

* Secure reset link sent to email
* Links expire after a set period
* Old password not required (for forgotten passwords)

### Account Lockout

* Activated after multiple failed login attempts
* Protects against brute-force attacks
* Automatic unlock after a timeout period

***

## Authorization

### Role-Based Access Control (RBAC)

| Permission | Capabilities |
| --------------------- | ------------------------------------- |
| `manage_files` | Upload, edit, delete medical records |
| `manage_organization` | Team settings, templates, invitations |
| `manage_billing` | Payment methods, invoices |
| `manage_api` | API keys, integrations |

### Permission Assignment

* Admins assign roles to team members
* Users can hold multiple permissions
* Permissions are checked on every operation

### Per-Record Permissions

* Record sharing controls who can access a record
* Sharing options: Private, Team-wide, Specific users
* The uploader always retains access

### Team-Level Roles

* Permissions are scoped to specific teams
* Users in multiple teams have separate roles per team
* Role changes take effect immediately

***

## Data Privacy

### HIPAA Compliance

ChartInsight is designed for HIPAA compliance:

* Administrative safeguards (access controls, audit logs)
* Physical safeguards (secure data centers)
* Technical safeguards (encryption, access controls)

### Encryption

**Data at Rest:**

* All stored data encrypted using AES-256
* Database encryption enabled
* File storage encryption

**Data in Transit:**

* TLS 1.3 for all connections
* HTTPS enforced for web traffic
* Encrypted API communications

### Data Retention

* Configurable expiration dates per record
* Automatic erasure at expiration
* Warning emails before scheduled erasure
* Manual erasure available on demand

### Data Deletion

* Permanent deletion when requested
* Source files removed
* Generated content removed
* Audit trail maintained for compliance

### Privacy-First Design

* Sensitive fields marked with the `data-private` attribute
* Privacy-conscious logging (PII excluded)
* Minimal data collection

***

## Security Features

### Rate Limiting

* API endpoints are rate-limited
* Prevents abuse and DoS attacks
* Fair usage across all users

### Security Headers

* **CORS** – Cross-Origin Resource Sharing controls
* **CSP** – Content Security Policy
* **HSTS** – HTTP Strict Transport Security
* **X-Frame-Options** – Clickjacking protection
* **X-Content-Type-Options** – MIME sniffing protection

### Cookie Security

* **HttpOnly** – prevents JavaScript access
* **Secure** – HTTPS-only transmission
* **SameSite** – CSRF protection
* Session cookies with expiration

### Anti-Malware

* **ClamAV integration** for virus scanning
* Uploaded files are scanned before processing
* Malicious files are rejected

### Vulnerability Management

* Regular dependency updates
* Automated vulnerability scanning in CI/CD
* Security patches applied promptly

***

## Audit & Compliance

### Audit Logging

* Login attempts tracked
* Record access logged
* Administrative actions recorded

### Access Reports

* See who accessed records
* Download and sharing activity
* User invitation history

### Compliance Features

* Data export capabilities
* Retention policy enforcement
* Deletion verification

***

## Security Best Practices

### For Users

* Enable MFA for your account
* Use strong, unique passwords
* Log out when using shared computers
* Review sharing settings regularly
* Report suspicious activity

### For Administrators

* Regularly review team membership
* Revoke access for departed team members
* Monitor for unusual activity
* Keep billing information current
* Review and rotate API keys

***

## Incident Response

### Reporting Security Issues

* Contact [security@gemini.legal](mailto:security@gemini.legal)
* Provide a detailed description
* Include steps to reproduce (if applicable)

### Response Process

1. Issue acknowledged within 24 hours
2. Investigation initiated
3. Fix developed and tested
4. Patch deployed
5. Affected users notified (if applicable)

***

## Certifications & Standards

### Trust Center

Visit our [Trust Center](https://chartinsight-trust.gemini.legal/) for up-to-date security documentation, compliance certifications, and policies.

### Current

* HIPAA-compliant design
* SOC 2 Type II (in progress)
* PCI-compliant payment processing (via Stripe)

### Infrastructure

* AWS cloud infrastructure
* Data centers in the USA
* Redundant storage and backups
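The Security Headers and Cookie Security sections above list the controls an HTTP response should carry. The following checker, added here as an example and not part of ChartInsight's own code, verifies a response against exactly that list; the two responses it checks are constructed samples, not captures from the product.

```python
import re

# Constructed sample responses (not captured from ChartInsight) as (name, value) pairs,
# since Set-Cookie may repeat and a dict would silently drop all but one.
GOOD_RESPONSE = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600"),
]
WEAK_RESPONSE = [
    ("Strict-Transport-Security", "max-age=300"),  # HSTS present but far too short
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/"),  # no HttpOnly/Secure/SameSite/expiry
]

def parse_set_cookie(value):
    # Returns (cookie name, {lower-cased attribute: value, or True for bare flags}).
    parts = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return parts[0].partition("=")[0].strip(), attrs

def cookie_findings(name, attrs):
    # One finding per attribute from the Cookie Security list that is absent.
    findings = [f"cookie {name}: missing {f}" for f in ("httponly", "secure") if f not in attrs]
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite not Lax/Strict")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append(f"cookie {name}: no expiration")
    return findings

def check_response(headers):
    # Returns a list of findings; an empty list means every listed control is present.
    single = {n.lower(): v for n, v in headers if n.lower() != "set-cookie"}
    findings = [f"missing {h}" for h in ("content-security-policy", "x-frame-options")
                if h not in single]
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")
    hsts = re.search(r"max-age=(\d+)", single.get("strict-transport-security", ""), re.I)
    if not hsts or int(hsts.group(1)) < 31536000:  # one year is the usual minimum
        findings.append("hsts missing or max-age under one year")
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(cookie_findings(*parse_set_cookie(value)))
    return findings
```

Run `check_response` over the header pairs of a real response (for example from `urllib.request`'s `response.getheaders()`) to audit a deployment; CORS is not covered here because its correct value depends on which origins the deployment intends to allow.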