How we protect your clinic and patient data
All data transmitted between your browser and MedFlow is encrypted using TLS 1.2+ (HTTPS). We enforce HSTS with preload to prevent downgrade attacks.
All data stored in our database (Supabase, hosted in EU/Ireland) is encrypted at rest using AES-256. Backups are also encrypted.
Row Level Security (RLS) policies ensure complete isolation between clinics. No clinic can ever access another clinic's patients, quotes, messages, or staff data.
Passwords are hashed using SHA-256 with application-level salt before storage. We never store or transmit passwords in plain text. Account lockout activates after 5 failed login attempts.
Sessions expire automatically after 24 hours of inactivity. Logout clears all session data from the browser. Staff sessions expire after 2 hours.
All API keys (Anthropic, Meta, Stripe) are stored server-side only — never exposed in frontend code. Serverless functions validate all inputs and enforce CORS restrictions.
We deploy comprehensive security headers: HSTS, X-Frame-Options (DENY), X-Content-Type-Options, Referrer-Policy, and Permissions-Policy restricting camera, microphone, geolocation, and payment access.
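A clinic's reviewer can check a captured response against the header list above. This is an added example, not MedFlow's code: the function names and both sample header sets are constructed, "restricting" a feature is assumed to mean an empty allowlist `()`, and the HSTS thresholds are the preload list's submission requirements.

```python
# Added example: audit response headers against the header policy stated above.
PRELOAD_MIN_AGE = 31536000  # one year, the minimum for HSTS preload list submission
DENIED_FEATURES = ("camera", "microphone", "geolocation", "payment")

def parse_permissions_policy(value):
    """Map feature -> allowlist. Simplified: assumes no commas inside allowlists."""
    policy = {}
    for directive in value.split(","):
        name, sep, allowlist = directive.strip().partition("=")
        if sep:
            policy[name.strip().lower()] = allowlist.strip()
    return policy

def audit_headers(headers):
    """Return a list of findings; an empty list means the stated policy is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    age = next((d.split("=", 1)[1].strip('"') for d in hsts if d.startswith("max-age=")), "")
    if not age.isdigit() or int(age) < PRELOAD_MIN_AGE:
        findings.append("HSTS: max-age missing or below one year")
    for directive in ("includesubdomains", "preload"):
        if directive not in hsts:
            findings.append(f"HSTS: {directive} directive missing")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options: not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not nosniff")
    if not h.get("referrer-policy"):
        findings.append("Referrer-Policy: missing")
    policy = parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in DENIED_FEATURES:
        if policy.get(feature) != "()":
            findings.append(f"Permissions-Policy: {feature} not disabled")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}
WEAK = {
    "strict-transport-security": "max-age=86400",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "permissions-policy": "camera=(), microphone=(self), geolocation=()",
}
```

`audit_headers(GOOD)` returns an empty list, while `audit_headers(WEAK)` reports each gap: the short HSTS lifetime, the missing `includeSubDomains` and `preload` directives, the non-DENY framing policy, the absent Referrer-Policy, and the two features left enabled.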
In the event of a security incident: (1) We identify and contain the breach within 4 hours, (2) We notify affected clinics within 72 hours as required by GDPR, KVKK, UAE PDPL, and Saudi PDPL, (3) We provide a detailed incident report, (4) We implement remediation measures to prevent recurrence.
If you discover a security vulnerability, please report it responsibly to security@medflowai.io. We take all reports seriously and will acknowledge receipt within 24 hours.
MedFlow is designed to comply with: UK GDPR, EU GDPR, KVKK (Turkey), UAE Federal Data Protection Law, Saudi PDPL, and the ePrivacy Directive.
Last security review: 28 March 2026