← Hippo

Security

Last updated: 2026-04-14

Hippo is early-stage. We are transparent about what controls are in place today and what is on the roadmap before institutional agreements are signed.

In place today

  • Encryption in transit: TLS 1.2+ for all traffic (Vercel + Supabase).
  • Encryption at rest: AES-256 on the Supabase-managed Postgres cluster and Storage, hosted in the Canada (Central) region.
  • Authentication: Supabase Auth with email/password + OAuth. Passwords are stored hashed (bcrypt) by Supabase; we never see them.
  • Authorization: every data-bearing API route calls requireAuth; row-level scoping by userId.
  • Audit log: append-only record of create/update/delete on cases and EPAs, including actor, IP, and user-agent. Visible to the user at Settings → Audit Log.
  • PHI minimization: Hippo does not ask for patient identifiers. Free-text fields are scrubbed for obvious PHI tokens before storage. Audit snapshots redact free-text to a character count.
  • Data portability: every user can download a complete JSON archive of their data on demand.
  • Account deletion: one-click, purged within 30 days.
  • Third-party dependencies: auto-scanned weekly via Dependabot; security advisories open PRs automatically.
  • Rate limiting: per-user sliding-window limits on AI, write, and auth endpoints to prevent abuse and credential stuffing.
  • AI vendor gate + server-side scrubbing: every prompt is regex-scrubbed on the server (catching health-card numbers, MRNs, phone numbers, dates of birth, postal codes, addresses, patient-name patterns) before being transmitted. Every AI vendor we use commits in their commercial terms that inputs are NOT used for model training. A code-level gate (AI_VENDOR_APPROVED) blocks all LLM calls unless a qualifying vendor is configured.
  • Row-level security baseline: RLS enabled on every table with a default-deny policy for Supabase's anon and authenticated roles. Even if our public key leaked, direct PostgREST access is blocked.
  • Click-wrap legal acceptance: every user must accept EULA, Terms, Privacy, PHIA, and Acceptable Use during onboarding. Every acceptance is recorded with the policy version, timestamp, IP, and user-agent in an append-only table.
  • Subprocessor notice: dismissible in-app banner gives users a minimum of 30 days' notice before any new third-party vendor begins processing their data.

On the roadmap (not yet in place)

  • SOC 2 Type I audit — scoping in progress.
  • Signed BAA with AI providers (Anthropic, OpenAI) — required before any AI feature is used with PHI. Until signed, do not enter PHI into AI-facing fields.
  • Penetration test by an external firm — planned prior to first institutional deployment.
  • Formal incident-response plan with 72-hour breach notification.

Responsible disclosure

If you believe you have found a security vulnerability, please email security@hippomedicine.com. We will acknowledge within 48 hours. Please do not publicly disclose until we have had a reasonable opportunity to fix.