Security & HIPAA Compliance
SANNEXUS is built for the healthcare industry. Our security architecture reflects the sensitivity of physician credential data and the compliance expectations of hospital systems.
Encryption at Rest: AES-256 (all data)
Encryption in Transit: TLS 1.2+ (all connections)
Access Control: RBAC (row-level security)
Audit Log Retention: 6 years (per HIPAA guidance)
HIPAA Posture
SANNEXUS processes physician professional credentials — not patient health information (PHI). The platform does not store, transmit, or process patient records. Physician credentials (licenses, certifications, malpractice insurance) are professional data, not PHI as defined under 45 CFR §160.103.
For covered entities that engage SANNEXUS in contexts that may involve PHI (e.g., specific credentialing or privileging workflows), SANNEXUS will execute a Business Associate Agreement (BAA) as required under HIPAA.
To request a BAA, contact hipaa@sannexus.com.
Technical Safeguards
- ✓ Encryption at rest: All database data encrypted using AES-256 via Supabase's managed PostgreSQL with encryption-at-rest enabled by default.
- ✓ Encryption in transit: All connections to the Platform are encrypted via TLS 1.2 or higher. HTTP requests are redirected to HTTPS.
- ✓ Role-based access control (RBAC): Three distinct roles — physician, hospital_admin, sannexus_admin — with strict permission boundaries enforced at the database level via row-level security (RLS) policies.
- ✓ Row-level security: PostgreSQL RLS policies on every table ensure physicians can only access their own records, hospital admins are scoped to their facility, and no cross-tenant data leakage is possible.
- ✓ Audit logging: All credential access events (read, write, status change) are logged with actor ID, role, timestamp, IP address, and resource identifier. Logs are immutable and retained for 6 years.
- ✓ No PHI in logs: Application logs are scrubbed of personally identifiable health information. Only non-sensitive metadata is logged at the application layer.
- ✓ Supabase Auth: Authentication tokens are managed via Supabase Auth with secure, HttpOnly session cookies. Passwords are never stored in plaintext.
- ✓ Service role key isolation: The Supabase service role key is used only in server-side API routes. It is never exposed to browser clients.
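The three-role RLS model described above, as an added illustration rather than SANNEXUS's own schema: the `profiles` and `credentials` tables, the `current_role_name()` helper, and the read-only scope for hospital admins are assumptions; `auth.uid()` is Supabase's built-in helper for the calling user's id.

```sql
-- Added illustration of the RLS model described on this page (not SANNEXUS's schema).
-- Assumed tables: profiles (one row per auth user, carrying role and hospital_id)
-- and credentials (one row per physician credential). auth.uid() is the Supabase
-- helper that returns the calling user's id from the verified JWT.
create table profiles (
  id uuid primary key references auth.users (id),
  role text not null check (role in ('physician', 'hospital_admin', 'sannexus_admin')),
  hospital_id uuid
);

create table credentials (
  id uuid primary key default gen_random_uuid(),
  physician_id uuid not null references profiles (id),
  hospital_id uuid not null,
  license_number text not null,
  status text not null default 'pending'
);

-- Deny by default: once RLS is enabled, only rows matched by a policy are visible.
alter table credentials enable row level security;
alter table credentials force row level security;  -- applies even to the table owner

-- Helper: the caller's role, read from their own profile row.
create or replace function current_role_name() returns text
language sql stable security definer set search_path = public as $$
  select role from profiles where id = auth.uid()
$$;

-- Physicians: their own records only, for every operation.
create policy physician_own on credentials
  for all to authenticated
  using (physician_id = auth.uid())
  with check (physician_id = auth.uid());

-- Hospital admins: rows scoped to their facility (read-only here, an assumption).
create policy hospital_admin_scope on credentials
  for select to authenticated
  using (
    current_role_name() = 'hospital_admin'
    and hospital_id = (select hospital_id from profiles where id = auth.uid())
  );

-- Platform admins: full access.
create policy platform_admin_all on credentials
  for all to authenticated
  using (current_role_name() = 'sannexus_admin')
  with check (current_role_name() = 'sannexus_admin');
```

A quick check for the "RLS verified" item on the release checklist is to connect with a physician's JWT and confirm `select count(*) from credentials` returns only that physician's rows; the Supabase service role key bypasses RLS entirely, which is why it belongs only in server-side routes.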
Administrative Safeguards
- ✓ Credential data is accessible only to verified SANNEXUS platform administrators with documented need-to-know.
- ✓ Physician credential documents are stored in access-controlled cloud storage. Document URLs are signed and time-limited; they cannot be enumerated.
- ✓ All production deployments go through a security review checklist before release (no hardcoded secrets, RLS verified, auth confirmed on every new route).
- ✓ Third-party vendors (Supabase, Stripe, Vercel) are selected based on their own SOC 2 / compliance posture. Each is bound by data processing agreements.
Infrastructure
- Supabase: Database, Auth, Storage (SOC 2 Type II)
- Vercel: Application Hosting, CDN (SOC 2 Type II)
- Stripe: Payment Processing (PCI DSS Level 1)
Incident Response
In the event of a security incident or data breach:
- Affected users will be notified within 72 hours of breach discovery, as required by applicable law
- Incident details will be documented and root cause analysis published to affected parties
- Breach notifications to relevant authorities (HHS Office for Civil Rights, if applicable) will be completed per HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)
To report a security vulnerability, contact security@sannexus.com. We commit to acknowledging reports within 48 hours and resolving critical vulnerabilities within 7 days.
Compliance Roadmap
SANNEXUS is actively building toward the following compliance milestones:
Questions or compliance requests?
For BAA requests, security questionnaires, penetration test results, or vendor compliance documentation, contact our security team.