Tenant isolation
Tenant-scoped data access is designed to run through database-level row-level security with the current clinic set inside the transaction.
Cross-tenant patient access is covered by integration and browser-level e2e tests.
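One way the row-level-security pattern in this section can be realised in PostgreSQL, as an added example rather than the project's own code: a policy keyed on a per-transaction setting that fails closed when no clinic is set, which is the kind of behaviour the cross-tenant tests would assert. The table, column, setting and role names (patients, clinic_id, app.current_clinic, app_user) are assumptions.

```sql
-- Added illustration, not the project's own schema. Assumed names: table
-- patients, column clinic_id, setting app.current_clinic, role app_user.
CREATE TABLE patients (
    id        bigserial PRIMARY KEY,
    clinic_id bigint NOT NULL,
    full_name text   NOT NULL
);
-- Constructed sample rows for two tenants, loaded before RLS is switched on.
INSERT INTO patients (clinic_id, full_name) VALUES
    (1, 'Patient A (clinic 1)'),
    (2, 'Patient B (clinic 2)');

CREATE ROLE app_user;
GRANT SELECT, INSERT ON patients TO app_user;
GRANT USAGE ON SEQUENCE patients_id_seq TO app_user;

-- FORCE applies the policy to the table owner as well, so an application
-- role that happens to own the table cannot bypass it.
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
ALTER TABLE patients FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL (or '' once a SET LOCAL has
-- expired) instead of raising. NULLIF folds '' into NULL, and NULL never
-- equals clinic_id, so a transaction that forgot to set the clinic sees
-- zero rows and can insert nothing: the policy fails closed.
CREATE POLICY clinic_isolation ON patients
    FOR ALL TO app_user
    USING      (clinic_id = NULLIF(current_setting('app.current_clinic', true), '')::bigint)
    WITH CHECK (clinic_id = NULLIF(current_setting('app.current_clinic', true), '')::bigint);

-- Application pattern: SET LOCAL scopes the clinic to this transaction, so
-- it cannot leak into the next request served by the same pooled connection.
SET ROLE app_user;
BEGIN;
SET LOCAL app.current_clinic = '1';
SELECT full_name FROM patients;                     -- policy filters to clinic 1
INSERT INTO patients (clinic_id, full_name)
    VALUES (1, 'Patient C (clinic 1)');             -- passes WITH CHECK
COMMIT;

-- A cross-tenant write violates WITH CHECK, raises, and aborts the transaction.
BEGIN;
SET LOCAL app.current_clinic = '1';
INSERT INTO patients (clinic_id, full_name)
    VALUES (2, 'Wrong clinic');
ROLLBACK;
-- With no clinic set, the policy matches nothing: a cross-tenant test can
-- assert this path is empty rather than wide open.
SELECT count(*) FROM patients;
```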
Sensitive data
Sensitive patient fields are encrypted or tokenised for the workflows that require lookup, upload, or offline handling.
Public pages, billing rows, usage rows, logs, and metrics must not include patient PII.
Production readiness
Security headers, backup metadata, restore drills, migration risk checks, secret scanning, and incident workflows are surfaced in the readiness audit.
External claims remain blocked until deployment, vendor access, live smoke credentials, and sign-off checks have been verified.
Status note
This overview is not an external certification, penetration test report, or compliance attestation.