Transport & storage
- All traffic is encrypted in transit (TLS 1.2+).
- Data is stored in managed Postgres with encryption at rest.
- Row-level security policies ensure clinic data is only accessible to that clinic's authenticated providers.
Access controls
- Each provider authenticates with their own credentials.
- Clinic admins can invite, revoke, and manage providers in their workspace.
- Service-role credentials are never exposed to the client.
AI processing
- Inputs you submit for AI generation are sent to model providers only to produce the requested output.
- We do not use your clinical inputs to train third-party foundation models.
Compliance posture
RehabFlow AI is built with security and patient-data sensitivity in mind. We do not currently market ourselves as HIPAA-compliant. If your workflow requires a Business Associate Agreement (BAA), please contact us before storing protected health information.
Provider responsibilities
Providers and clinics remain responsible for ensuring their use of the Service complies with applicable patient-privacy laws and payer requirements in their jurisdiction.
Incident response
We monitor our infrastructure for unauthorized access and will notify affected clinics in the event of a confirmed security incident.