Security
Last updated April 19, 2026
Our approach
RxRouter is built on defense-in-depth principles with tenant isolation as a primary concern. This page summarizes the security controls we operate today; specifics are documented in our internal security program and are available to prospective tenants under NDA.
Encryption
- At rest: AES-256 encryption for database storage and backups.
- In transit: TLS 1.3 for all external connections with HSTS enforced on all hosts.
- Secrets: Application secrets and API keys are stored in Vercel Environment Variables and never committed to source control.
Access control
- Identity: Auth0 provides authentication for all user-facing surfaces with JWT-based session tokens.
- Authorization: Role-based access controls (platform_admin, tenant_admin, provider, patient) are enforced at the API layer with tenant-scoped row-level checks.
- Tenant API keys: Tenant-scoped keys protect B2B routes and are rotatable from the admin dashboard.
- MFA: Available for all user accounts; required for platform and tenant administrators.
Audit logging
Administrative actions including tenant creation, configuration changes, user management events, and API key operations are captured in an immutable audit log. Field-level change tracking is applied to PHI-adjacent mutations. Logs are retained for seven years in alignment with typical healthcare retention requirements.
Tenant isolation
Each tenant's data is logically separated with enforced row-level boundaries. API requests are authenticated and scoped to a single tenant context; cross-tenant access requires explicit platform-admin credentials and is audit-logged.
Infrastructure
- Hosted on Vercel for application surfaces with Neon Postgres as the primary data store.
- All infrastructure runs in U.S.-based regions.
- Automated daily database backups with point-in-time recovery within the retention window.
Compliance posture
- HIPAA: RxRouter operates as a Business Associate when processing PHI on behalf of covered-entity tenants. A signed Business Associate Agreement is required before production PHI is transmitted.
- SOC 2: Audit engagement in progress. The report will be shared with prospective tenants under NDA when complete.
- GDPR: Controls for data-subject rights requests, data export, and subprocessor transparency are implemented in the platform; a Data Processing Addendum is available on request.
Vulnerability disclosure
If you discover a vulnerability, please report it to security@rxrouter.ai. Include reproduction steps, impact, and any relevant artifacts. We'll acknowledge receipt within one business day.
Incident response
RxRouter maintains an incident-response program with defined severity tiers, an on-call rotation, and notification timelines that meet or exceed HIPAA breach-notification requirements for tenants covered by a Business Associate Agreement.
Data retention and deletion
Data retention is configured per tenant and aligned with the applicable BAA and state law. On tenant offboarding, we offer a data export followed by a documented deletion within 90 days.
More detail
For a security questionnaire, subprocessor list, penetration-test summary, or custom security review, email security@rxrouter.ai.