Security

Three laws, enforced by CI

Security in healthcare software isn't a checkbox — it's an architecture choice. Ours is enforced on every commit.

Law 1 — Isolation

Every client gets their own Cloudflare D1, R2, and KV namespace. No shared business database. A JWT signed by tenant A is cryptographically invalid against tenant B — there is no `tenant_id` claim, ever. CI enforces this via a cross-tenant-leak audit on every commit.

Law 2 — Zero hardcoded branding

No client name, color, logo, font, or copy lives in our source code. Every brand value is a config layer (L0 → L1 → L2 → L3). The same binary serves every client. CI enforces this via a brand-canary scan that fails the build on any hex literal or client name.
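A brand-canary scan of the kind described above, written here as an added example and not the project's actual CI script. The detection patterns, the client-name registry and the sample files are all constructed; the assumption that the `config/` tree holds the L0 to L3 brand layers (and is therefore the one place hex values are allowed) is also an assumption for this illustration.

```javascript
// Added example: fail the build on any hex colour literal or client name
// found outside the brand config layers. Constructed; not the product's CI.

// CSS-style (#RGB / #RRGGBB) and Flutter/ARGB-style (0xAARRGGBB) literals.
const HEX_LITERAL = /#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?\b|0x[0-9a-fA-F]{8}\b/g;

// Hypothetical client registry. In practice this list would be loaded from
// outside the repository so the names themselves never enter source control.
const CLIENT_NAMES = ["Clinic A", "Acme Pharmacy"];

// Assumption: brand values live under config/ (the L0..L3 layers) and are
// exempt; everything else is application source and must be brand-free.
const EXEMPT_PREFIXES = ["config/"];

function isExempt(path) {
  return EXEMPT_PREFIXES.some((p) => path.startsWith(p));
}

// files: { "path": "file contents" }. Returns one finding per hit.
function scanSource(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (isExempt(path)) continue;
    text.split("\n").forEach((line, idx) => {
      for (const m of line.matchAll(HEX_LITERAL)) {
        findings.push({ path, line: idx + 1, kind: "hex-literal", match: m[0] });
      }
      const lower = line.toLowerCase();
      for (const name of CLIENT_NAMES) {
        if (lower.includes(name.toLowerCase())) {
          findings.push({ path, line: idx + 1, kind: "client-name", match: name });
        }
      }
    });
  }
  return findings;
}

// CI gate: non-zero exit status when anything was found.
function ciExitCode(findings) {
  for (const f of findings) {
    console.error(`${f.path}:${f.line}: ${f.kind} "${f.match}"`);
  }
  return findings.length === 0 ? 0 : 1;
}

// Constructed sample tree: one hardcoded colour, one hardcoded client name,
// and a config layer that legitimately carries a hex value.
const SAMPLE_FILES = {
  "lib/theme.dart":
    "final primary = Color(0xFF1E88E5); // hardcoded\n" +
    "final accent = brandConfig.accent; // resolved from config layers",
  "lib/home.dart": "Text('Welcome to Clinic A')",
  "config/l2/clinic-a.json": '{ "primary": "#1E88E5" }',
};

module.exports = { scanSource, ciExitCode, SAMPLE_FILES };
```

Running `ciExitCode(scanSource(SAMPLE_FILES))` reports the two violations in `lib/` and ignores the hex value in the config layer, which is exactly the split the "same binary serves every client" rule depends on.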

Law 3 — Offline-first counter

The desktop POS and the shared-app POS mode complete sales with the network unplugged. Sync is asynchronous and idempotent. A sync failure is a notification, never a blocker. CI enforces this via a Flutter integration test that runs the canonical sale with networking disabled.

Beyond the three laws

  • PBKDF2-SHA256 (100,000 iterations) password hashing — Web Crypto only
  • HS256 JWT signing — per-tenant secret, never shared
  • AES-GCM encryption for per-tenant payment provider credentials
  • RFC 6238 TOTP 2FA — mandatory for owner + admin roles
  • Rate limiting at the edge — login 10/IP/5min, API 600/min
  • R2 archive for audit log (90+ days), 6-year retention per NBR
  • Immutable audit log with per-row payload hash for tamper detection
  • Support impersonation requires tenant owner's explicit per-session approval