Security
Security Overview
PharmPro is built for healthcare organizations that process protected health information. This page describes our encryption, access controls, audit logging, application security, AI security, infrastructure, and secure development practices.
Overview
PharmPro is a healthcare incident-management platform operated by Brechin Advisors LLC d/b/a PharmPro.ai. The platform processes electronic protected health information (ePHI) and is designed with administrative, physical, and technical safeguards consistent with the HIPAA Security Rule.
This Security Overview summarizes current product controls. It is intended to support customer diligence and should be read together with the Privacy Policy, HIPAA Information page, and your commercial agreement.
Encryption
- Data is encrypted in transit over HTTPS and related secure transport protocols.
- Core storage systems for application data, files, and backups use platform-level encryption controls provided by our hosting vendors.
- Database connections are configured to require encrypted transport.
- PDF exports and file downloads are served over HTTPS with no-store cache-control headers to prevent browser caching of sensitive documents.
Authentication and session management
- Passwordless authentication via email magic link, eliminating password-related attack vectors.
- Sessions are managed through Supabase Auth with server-side token validation.
- The application includes a fifteen-minute inactivity timeout with a two-minute warning before sign-out.
- The active-facility cookie is set with the HttpOnly, Secure, and SameSite=Lax attributes.
- Rate limiting is enforced on authentication endpoints to prevent brute-force attacks.
Access control and data isolation
- Six-tier role-based access control: viewer, reporter, editor, supervisor, admin, and super admin. Each role has explicitly defined permissions enforced at both the application and database layers.
- Facility-level data isolation enforced by PostgreSQL Row-Level Security (RLS) policies. Users can only query, view, and modify data from facilities they are explicitly assigned to.
- Organization-level administration allows authorized administrators to manage multiple facilities within their organization without cross-organization access.
- Deactivated users are immediately excluded from all data access through explicit deactivation checks in every permission query.
- All incident record URLs use cryptographically random UUIDs, preventing sequential enumeration.
- API routes enforce authentication, facility-access verification, and role-permission checks before returning any data.
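One way to express the facility-scoped isolation and the deactivation check described above as PostgreSQL Row-Level Security, added here as an illustration rather than PharmPro's own schema; the table, column and function names are assumptions, and auth.uid() is Supabase's accessor for the authenticated user's id:

```sql
-- Added illustration, not PharmPro's schema: facility-scoped RLS with the
-- deactivation check applied inside the policy. Table/column names are assumed;
-- auth.uid() is Supabase's accessor for the caller's user id.
create table facility_memberships (
  user_id     uuid    not null,
  facility_id uuid    not null,
  role        text    not null check (role in
                ('viewer','reporter','editor','supervisor','admin','super_admin')),
  is_active   boolean not null default true,
  primary key (user_id, facility_id)
);

create table incidents (
  id          uuid primary key default gen_random_uuid(), -- random, non-enumerable ids
  facility_id uuid not null,
  narrative   text
);

alter table incidents enable row level security;
alter table incidents force row level security;  -- no bypass for the table owner

-- True only for an *active* membership at this facility with one of the listed roles.
create function has_facility_role(f uuid, allowed text[])
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (
    select 1 from facility_memberships m
    where m.user_id     = auth.uid()
      and m.facility_id = f
      and m.is_active                 -- deactivated users fail here immediately
      and m.role = any(allowed)
  );
$$;

-- Read access for every role; writes only for editor and above.
create policy incidents_read on incidents for select
  using (has_facility_role(facility_id,
    array['viewer','reporter','editor','supervisor','admin','super_admin']));

create policy incidents_write on incidents for update
  using (has_facility_role(facility_id,
    array['editor','supervisor','admin','super_admin']));

-- With RLS in place a plain query silently returns only rows the caller may see:
--   select id from incidents;                 -- other facilities' rows are absent
--   update incidents set narrative = '' where id = '<other facility>'; -- 0 rows
```

Because the check lives in the database, an application-layer bug that forgets a permission check still cannot leak another facility's rows.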
Audit logging
- Immutable, insert-only audit log with no update or delete operations permitted at the database level.
- Every incident action is logged with: actor identity, action type, field-level changes (old value and new value), timestamp, IP address, and user agent.
- AI interactions are separately logged with prompt context, action type, and user identity.
- Role assignments, promotions, and deactivations are automatically audit-logged via database triggers.
- Attachment uploads, downloads, security reviews, and deletions are individually audit-logged.
- Audit records are retained for a minimum of six years consistent with HIPAA requirements.
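The insert-only audit table and the trigger-based logging of role changes described above, as an added illustration that is not PharmPro's schema; table, column and role names (including app_user) are assumptions, and auth.uid() is Supabase's accessor for the caller's user id:

```sql
-- Added illustration, not PharmPro's schema: an append-only audit table enforced in
-- the database, plus a trigger that logs role assignments, promotions and
-- deactivations. Names are assumed; auth.uid() is Supabase's caller-id accessor.
create table audit_log (
  id         bigint generated always as identity primary key,
  actor_id   uuid,
  action     text not null,
  record_id  uuid,
  old_value  jsonb,
  new_value  jsonb,
  ip_address inet,
  user_agent text,
  created_at timestamptz not null default now()
);

-- 1. Privilege boundary: the application role can append and read, never rewrite.
revoke all on audit_log from public;
grant select, insert on audit_log to app_user;   -- app_user: assumed role name
-- 2. Defence in depth: a trigger rejects update/delete even for sessions that hold
--    the privilege, so history cannot be rewritten through an ordinary connection.
create function audit_log_reject_rewrite() returns trigger language plpgsql as $$
begin
  raise exception 'audit_log is append-only; % rejected', tg_op;
end $$;
create trigger audit_log_immutable
  before update or delete on audit_log
  for each row execute function audit_log_reject_rewrite();
-- 3. Membership changes are logged automatically with old and new values.
create table facility_memberships (
  user_id uuid, facility_id uuid, role text,
  is_active boolean not null default true, primary key (user_id, facility_id));
create function log_membership_change() returns trigger
language plpgsql security definer set search_path = public as $$
declare v_action text;
begin
  if    tg_op = 'INSERT' then v_action := 'role.assigned';
  elsif tg_op = 'DELETE' then v_action := 'role.removed';
  elsif old.is_active and not new.is_active then v_action := 'user.deactivated';
  else  v_action := 'role.changed';
  end if;
  insert into audit_log (actor_id, action, record_id, old_value, new_value)
  values (auth.uid(), v_action,
          case when tg_op = 'DELETE' then old.user_id else new.user_id end,
          case when tg_op <> 'INSERT' then to_jsonb(old) end,   -- null on insert
          case when tg_op <> 'DELETE' then to_jsonb(new) end);  -- null on delete
  return null;   -- ignored for AFTER triggers
end $$;
create trigger facility_memberships_audit
  after insert or update or delete on facility_memberships
  for each row execute function log_membership_change();
```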
Application security controls
- Email notifications contain secure portal links only. Patient names, incident narratives, and clinical details are never included in email content.
- File attachments enter a quarantine state upon upload and must pass security review before other users can access them.
- Attachment storage uses private buckets with signed URLs (one-hour expiry). No public storage buckets are used for customer data.
- MIME type validation and file-size limits (10 MB) are enforced on all uploads.
- PDF exports enforce authentication, facility-access verification, and rate limiting before generation.
- Monitoring and telemetry systems are configured with redaction and masking controls designed to reduce unnecessary transmission of sensitive content.
- Security headers include HSTS (one year), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, strict Content-Security-Policy, and Cross-Origin-Opener-Policy.
AI security
Lauren, the platform's AI feature, uses Anthropic Claude models made available through Azure AI Foundry. AI interactions are scoped to the requesting user's facility and incident permissions within the application.
- All AI interactions are recorded in a dedicated audit log with user identity, action type, and timestamp.
- AI outputs are presented as draft suggestions and require human review before use or reliance.
- Input sanitization is applied to user-supplied strings before inclusion in AI prompts.
- AI features respect the same facility-level access controls as the rest of the platform.
Infrastructure and vendor security
- Application hosting is provided through Vercel.
- Database, authentication, and file storage are provided through Supabase with Row-Level Security policies in the data layer.
- AI processing for Lauren is routed through Azure AI Foundry-hosted Anthropic Claude model infrastructure.
- Transactional email is delivered through Resend using secure-link notification patterns.
- Voice intake, when enabled, is handled through Bland AI workflow infrastructure.
- Monitoring and observability tooling includes Sentry, and product analytics tooling includes PostHog.
- Payment processing is handled through Stripe.
Secure development practices
- TypeScript strict mode with noUncheckedIndexedAccess enabled across the entire codebase.
- Automated quality gates on every commit: type checking, ESLint, and custom guardian checks enforcing file-size limits, function-length limits, and code-quality rules.
- Automated test suite (Vitest + Testing Library) with critical-path coverage.
- Dependency review plus repository-aware security scanning in CI, with GitHub-native CodeQL enabled where repository licensing supports it.
- Protected staging and main branches enforced with GitHub rulesets requiring passing checks before merge.
- Staged deployment flow: changes are promoted through staging verification before production release.
Incident response
PharmPro maintains documented breach-notification and incident-response procedures. In the event of a confirmed security incident involving ePHI, we will notify affected customers in accordance with the BAA and applicable law.
- Security vulnerabilities or concerns: security@pharmpro.ai
- HIPAA and privacy inquiries: privacy@pharmpro.ai
- General support: support@pharmpro.ai
Customer diligence
Customer-specific security documentation, vendor questionnaire responses, or additional technical details may be provided during diligence, onboarding, or procurement. Contact us to request additional information about our security program.