Security & Compliance

Your health data deserves the highest level of protection. Here's how we keep your information safe and compliant with healthcare regulations.

Our Commitment to Security

LabSense Health handles Protected Health Information (PHI) with the utmost care. We've implemented enterprise-grade security measures, follow HIPAA compliance requirements, and maintain transparent practices to earn and keep your trust.

HIPAA-Aligned Controls

We implement HIPAA-aligned administrative, physical, and technical safeguards for handling Protected Health Information (PHI). Formal HIPAA compliance depends on deployment configuration and signed BAAs with vendors.


Data Encryption

At Rest (Stored Data)

All data stored in our databases is encrypted using AES-256 encryption, the same standard used by banks and government agencies. This includes your lab reports, personal information, and all health records.

In Transit (Data Transfer)

All data transmitted between your device and our servers uses TLS 1.3 encryption. This ensures that your data cannot be intercepted or tampered with during transmission.

Authentication & Authorization

Secure Authentication

We use Supabase Auth with industry-standard JWT tokens for secure user authentication. We support email/password login and secure password resets.

Row-Level Security (RLS)

Every database query is protected by Row-Level Security policies. This means users can ONLY access their own data: even if someone gained unauthorized access to the database, they couldn't read others' information.

Session Management

Sessions use short-lived access tokens with refresh tokens for continuity. Signing out clears the active session on the current device.

Storage Security

Supabase Storage with RLS (when enabled)

When file storage is enabled, lab report files are stored in Supabase Storage buckets with Row-Level Security policies. Each file is only accessible to its owner or authorized share recipients.

Signed URLs (when enabled)

File access uses cryptographically signed, time-limited URLs. These URLs expire automatically, preventing unauthorized long-term access to your files.
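As an added example (not LabSense's own schema or policies), this is how the owner-or-share-recipient rule described under Row-Level Security and Storage Security can be expressed as Postgres RLS on Supabase, including the bucket policy that gates signed-URL creation; the table names, columns and bucket name are assumptions.

```sql
-- Added example (assumed schema, not LabSense's own): owner-or-recipient
-- access as Postgres row-level security on Supabase. auth.uid() is the user
-- id from the caller's JWT; "authenticated" is Supabase's signed-in role.
create table lab_reports (
  id        uuid primary key default gen_random_uuid(),
  owner_id  uuid not null references auth.users (id) on delete cascade,
  file_path text not null,              -- object name in the Storage bucket
  unique (id, owner_id)                 -- lets report_shares reference the pair
);

create table report_shares (
  report_id    uuid not null,
  owner_id     uuid not null,           -- must match the report's real owner
  recipient_id uuid not null references auth.users (id) on delete cascade,
  expires_at   timestamptz,             -- null = no expiry
  primary key (report_id, recipient_id),
  -- FK checks run as the table owner, outside RLS, so a user cannot forge a
  -- share for a report they do not own by inserting their own owner_id.
  foreign key (report_id, owner_id) references lab_reports (id, owner_id)
    on delete cascade
);

-- Policies are ignored until RLS is switched on for the table.
alter table lab_reports   enable row level security;
alter table report_shares enable row level security;

create policy owner_full on lab_reports for all to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
-- Recipient: read only, and only while the share is unexpired.
create policy recipient_read on lab_reports for select to authenticated
  using (exists (select 1 from report_shares s
                  where s.report_id = lab_reports.id
                    and s.recipient_id = auth.uid()
                    and (s.expires_at is null or s.expires_at > now())));

-- Shares: the owner creates/revokes them; a recipient can see their own.
-- Neither policy queries lab_reports, which avoids policy recursion.
create policy owner_manages_shares on report_shares for all to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
create policy recipient_sees_shares on report_shares for select to authenticated
  using (recipient_id = auth.uid());
-- Storage (assumed bucket 'lab-reports'): an object can be read, and so a
-- signed URL issued for it, only if the caller can see its lab_reports row.
-- That subquery runs under lab_reports' own RLS, so the rule is not repeated.
create policy report_file_read on storage.objects for select to authenticated
  using (bucket_id = 'lab-reports'
     and exists (select 1 from lab_reports r where r.file_path = name));

-- Caveat: RLS binds only roles subject to it. Supabase's service_role key
-- and the table owner bypass it, so those credentials must stay server-side.
```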

Audit-Ready Logging

Access events are logged with detailed metadata to support audits:

  • Timestamp of access
  • User or system that accessed the data
  • Type of action (read, write, delete, share)
  • IP address and device information

Audit logs are retained for 7 years to meet HIPAA requirements and are available for your review at any time.

Third-Party Service Providers

We work with trusted, HIPAA-compliant service providers:

  • Supabase (Database & Storage): HIPAA-eligible infrastructure, enterprise-grade security, SOC 2 Type II certified
  • AI Processing: Data is sent only for processing and not stored. Covered by strict security requirements
  • Razorpay (Payments): PCI DSS compliant payment processor. We do NOT store credit card information

Data Retention & Deletion

You have full control over your data:

  • Delete individual reports anytime
  • Export all your data (JSON or CSV format)
  • Delete your account and all associated data permanently

When you delete data, it's permanently removed from our systems within 30 days. Audit logs are retained for compliance purposes only.

Incident Response

We have a comprehensive incident response plan:

  • 24/7 monitoring for security threats
  • Immediate notification to affected users in case of breach
  • Coordination with law enforcement when necessary
  • Post-incident reviews and security improvements

Report Security Issues: If you discover a security vulnerability, please email security@labsense.health immediately. We take all reports seriously and will respond within 24 hours.