Security
Last updated: 2026-04-14
Hippo is early-stage. We are transparent about what controls are in place today and what is on the roadmap before institutional agreements are signed.
In place today
- Encryption in transit: TLS 1.2+ for all traffic (Vercel + Supabase).
- Encryption at rest: AES-256 on the Supabase-managed Postgres cluster and Storage, hosted in the Canada (Central) region.
- Authentication: Supabase Auth with email/password + OAuth. Passwords are stored hashed (bcrypt) by Supabase; we never see them.
- Authorization: every data-bearing API route calls
requireAuth; row-level scoping byuserId. - Audit log: append-only record of create/update/delete on cases and EPAs, including actor, IP, and user-agent. Visible to the user at Settings → Audit Log.
- PHI minimization: Hippo does not ask for patient identifiers. Free-text fields are scrubbed for obvious PHI tokens before storage. Audit snapshots redact free-text to a character count.
- Data portability: every user can download a complete JSON archive of their data on demand.
- Account deletion: one-click, purged within 30 days.
- Third-party dependencies: auto-scanned weekly via Dependabot; security advisories open PRs automatically.
- Rate limiting: per-user sliding-window limits on AI, write, and auth endpoints to prevent abuse and credential stuffing.
- AI vendor gate + server-side scrubbing: every prompt is regex-scrubbed on the server (catching health-card numbers, MRNs, phone numbers, dates of birth, postal codes, addresses, patient-name patterns) before being transmitted. Every AI vendor we use commits in their commercial terms that inputs are NOT used for model training. A code-level gate (
AI_VENDOR_APPROVED) blocks all LLM calls unless a qualifying vendor is configured. - Row-level security baseline: RLS enabled on every table with a default-deny policy for Supabase's anon and authenticated roles. Even if our public key leaked, direct PostgREST access is blocked.
- Click-wrap legal acceptance: every user must accept EULA, Terms, Privacy, PHIA, and Acceptable Use during onboarding. Every acceptance is recorded with the policy version, timestamp, IP, and user-agent in an append-only table.
- Subprocessor notice: dismissible in-app banner gives users a minimum of 30 days' notice before any new third-party vendor begins processing their data.
On the roadmap (not yet in place)
- SOC 2 Type I audit — scoping in progress.
- Signed BAA with AI providers (Anthropic, OpenAI) — required before any AI feature is used with PHI. Until signed, do not enter PHI into AI-facing fields.
- Penetration test by an external firm — planned prior to first institutional deployment.
- Formal incident-response plan with 72-hour breach notification.
Responsible disclosure
If you believe you have found a security vulnerability, please email security@hippomedicine.com. We will acknowledge within 48 hours. Please do not publicly disclose until we have had a reasonable opportunity to fix.