Security & compliance
Security at auro isn't a layer on top of the app — it's the architecture. Below is a plain-language overview of how PHI moves, where it lives, and who can touch it. For the full security package (policies, BAA templates, risk analysis, breach response plan), email security@theaurohealth.com.
Postgres row-level security (RLS) policies enforce every read and write. A bug in the Mac or iPhone app cannot accidentally return another practice's records, because the database refuses the query. Helpers like get_my_org_id(), get_my_role(), and am_i_lead_rd_in_org() are SECURITY DEFINER functions with zero cross-table subqueries: each runs as its owner and reads a single table, so a policy that calls it never re-enters RLS on another table. No recursion, no leaks.
Names, DOBs, phone numbers, emails, addresses, and patient identifiers are stripped before any prompt leaves your device. Claude sees clinical signal (macros, biomarkers, symptom logs), never identity. On Anthropic's side, we require zero-retention processing and a signed BAA before any production PHI is involved.
Every connection between the Mac, the iPhone, and Supabase uses TLS 1.3. Data at rest in Postgres and object storage uses AES-256 envelope encryption. Cloudflare R2 holds DMG releases — no PHI.
Every PHI access — by a provider, the patient, or auro itself — writes an activity_events row that cannot be modified or deleted. Pull a full access report for any patient on demand.
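As an added illustration of the two mechanisms above (tenant-scoped RLS backed by a SECURITY DEFINER helper, and an append-only activity_events table), here is example Postgres SQL that is not auro's own schema: the profiles, patients and activity_events columns and the deny_change trigger are assumptions, and auth.uid() is Supabase's current-user function.

```sql
-- Added illustration, not auro's real schema. Assumed: Supabase Postgres,
-- auth.uid() = current user, and a profiles table mapping user -> practice.
create table profiles (
  user_id uuid primary key,
  org_id  uuid not null,
  role    text not null check (role in ('patient','provider','lead_rd','admin'))
);
alter table profiles enable row level security;
create policy profiles_self on profiles for select using (user_id = auth.uid());
-- The helper reads one row of one table and runs as its owner, so it bypasses
-- RLS on profiles and a policy that calls it never recurses into another policy.
create function get_my_org_id() returns uuid
  language sql stable security definer
  set search_path = public
as $$ select org_id from profiles where user_id = auth.uid() $$;
revoke execute on function get_my_org_id() from public;
grant execute on function get_my_org_id() to authenticated;
create table patients (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  name   text not null
);
alter table patients enable row level security;
alter table patients force row level security;  -- the table owner is not exempt
-- Every read and write is fenced to the caller's own practice; a client bug
-- that omits the org filter still gets only its own rows, or a refused write.
create policy patients_tenant on patients
  for all
  using      (org_id = get_my_org_id())
  with check (org_id = get_my_org_id());
-- Append-only audit log: inserts only, no update or delete path at all.
create table activity_events (
  id         bigint generated always as identity primary key,
  actor      uuid not null default auth.uid(),
  patient_id uuid references patients(id),
  action     text not null,
  at         timestamptz not null default now()
);
alter table activity_events enable row level security;
create policy events_insert on activity_events
  for insert with check (actor = auth.uid());
-- No update/delete policy exists, so RLS denies both for API roles; the
-- trigger blocks the table owner and the service role as well.
create function deny_change() returns trigger language plpgsql as
  $$ begin raise exception 'activity_events is append-only'; end $$;
create trigger activity_events_immutable
  before update or delete on activity_events
  for each row execute function deny_change();
```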
Magic-link email authentication for providers and patients. MFA required for all admin and Lead RD accounts. Idle session timeout 30 minutes; absolute session lifetime 12 hours. Device binding for provider sessions.
Supabase (database + auth + storage), Anthropic (Claude), LiveKit (video), and any future subprocessor: each is required to sign a BAA before production PHI flows through it. We are executing these agreements now; current status is available on request.
HIPAA control matrix
| Safeguard | Control |
|---|---|
| Access control (§164.312(a)) | Postgres RLS, magic-link auth, MFA for admins, role-based permissions (patient · provider · lead RD · admin) |
| Audit controls (§164.312(b)) | Immutable activity_events log on every PHI read and AI invocation |
| Integrity (§164.312(c)) | Database constraints + RLS + EdDSA-signed app updates (Sparkle) |
| Authentication (§164.312(d)) | Magic-link + MFA, session token rotation, device binding |
| Transmission security (§164.312(e)) | TLS 1.3 between every client and Supabase / Claude / LiveKit |
| Encryption (Addressable) | AES-256 at rest in Postgres and object storage; per-tenant keys on roadmap |
| BAAs (§164.308(b)) | BAA required of every subprocessor that handles PHI (Supabase, Anthropic, LiveKit) and of each practice — executed before production PHI; subprocessor BAAs in progress |
| Breach notification (§164.400) | Written response plan; 60-day notification SLA to affected practices |
| Workforce training (§164.308(a)(5)) | CITI HIPAA awareness — every employee, annually |
| Risk analysis (§164.308(a)(1)) | Annual SRA; quarterly internal review; pen test prior to GA |
Responsible disclosure
If you believe you've discovered a security vulnerability in auro Provider, auro Wellness, or this site, email security@theaurohealth.com. PGP key on request.
We commit to acknowledging valid reports within 48 hours, providing a status update within 7 days, and recognizing the reporter publicly (with permission) once the issue is resolved. We do not pursue legal action against good-faith security researchers.