Data Security at Therify

Last updated October 1, 2024

Therify implements industry-standard security measures through Supabase's enterprise-grade infrastructure, complemented by our HIPAA compliance protocols.

1. Authentication Security

Passwordless Authentication Protocol
Supabase Auth is used to provide passwordless authentication, with the following properties:
- Email-based verification system eliminating password-related vulnerabilities
- One-time magic link authentication
- Cryptographically secure token generation
- Time-limited authentication links
- Protection against email enumeration attacks
- Rate limiting on email verification attempts
- Automatic invalid token cleanup

Session Management
- Secure session tokens using JWT (JSON Web Tokens)
- Configurable session duration
- Automatic session termination upon security events
- Real-time session invalidation capabilities
- Email-based session recovery protocols

2. Data Storage and Encryption

At-Rest Encryption
- All data at rest encrypted using AES-256 encryption
- Database encryption through PostgreSQL's native encryption capabilities
- Encryption key management through AWS KMS (Key Management Service)

In-Transit Encryption
- TLS 1.2+ encryption for all data in transit
- Forced HTTPS connections
- Perfect Forward Secrecy (PFS) enabled
- Regular SSL/TLS certificate rotation

3. Infrastructure Security

Database Protection
- Row-Level Security (RLS) policies enforced at the database level
- Automated backup systems with encryption
- Regular security patches and updates
- Continuous monitoring and threat detection
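Row-Level Security is the one control in this list that can be shown concretely, so the following is an added illustration of what "enforced at the database level" means in a Supabase-hosted PostgreSQL database. It is example code written for this page, not Therify's or Supabase's own schema or policies; the table name and columns are hypothetical. It relies on Supabase's `auth.uid()` helper and its `authenticated` role, and ends with the check a reviewer would run to find tables where RLS was never switched on.

```sql
-- Hypothetical table; Therify's real schema is not described on the page.
create table if not exists client_notes (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);

-- Until RLS is enabled, policies are not consulted at all and any role
-- with SELECT privilege on the table can read every row.
alter table client_notes enable row level security;
-- FORCE also applies the policies to the table owner, so a connection
-- using the owning role does not silently bypass them.
alter table client_notes force row level security;

-- Read access: a signed-in user sees only rows they own.
create policy client_notes_select_own
  on client_notes for select
  to authenticated
  using (owner_id = auth.uid());

-- Write access: a new row must be stamped with the caller's own id,
-- so one user cannot create records attributed to another.
create policy client_notes_insert_own
  on client_notes for insert
  to authenticated
  with check (owner_id = auth.uid());

-- Verification: list any table in the public schema that still has RLS off.
-- An empty result is the expected state for a database that claims
-- "RLS policies enforced at the database level".
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;

-- And the policies actually attached to the example table.
select policyname, cmd, roles, qual, with_check
from pg_policies
where tablename = 'client_notes';
```

The `using` clause filters rows on read while `with check` validates rows on write; a table needs both kinds of policy or the unguarded direction is open. The `service_role` key that Supabase issues bypasses RLS entirely, which is why its use is normally confined to server-side code rather than anything shipped to a browser.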

Network Security
- Web Application Firewall (WAF) implementation
- DDoS protection
- IP whitelisting capabilities
- Regular security scanning and penetration testing

4. Compliance and Certification

Standards Adherence
- Continuous compliance monitoring

Data Privacy
- PHI handling in accordance with HIPAA requirements
- Data minimization principles
- Strict access controls and audit logging
- Secure data deletion protocols

5. Access Control

Administrative Controls
- Role-based access control (RBAC)
- Principle of least privilege enforcement
- Regular access review and certification
- Comprehensive audit logging of all access events

Technical Controls
- IP-based access restrictions
- Multi-factor authentication capability
- Automated account lockout procedures

6. Incident Response

Security Monitoring
- 24/7 infrastructure monitoring
- Real-time security alerts
- Regular security assessments

Incident Management
- Documented incident response procedures
- Dedicated security response team
- Regular incident response testing
- Client notification protocols

7. Business Continuity

Disaster Recovery
- Regular backup procedures
- Geographically distributed redundancy
- Documented recovery procedures

Service Reliability
- High availability infrastructure
- Automated failover capabilities
- Regular performance monitoring
- Scheduled maintenance windows

8. Updates and Maintenance

Security Updates
- Regular security patches
- Automated vulnerability scanning
- Scheduled maintenance periods
- Change management procedures

Documentation
- Regular policy reviews
- Updated security procedures
- Employee training programs