HIPAA posture
Designed for HIPAA-conscious operations.
Rosiflow ships the technical safeguards the HIPAA Security Rule expects — tenant isolation, role-based access, append-only audit, secure portal links, PHI-conscious notifications. HIPAA coverage is a joint posture between Rosiflow and the covered-entity clinic; this page sets out how the responsibility divides.
Responsibility split
Who owns what — Rosiflow, the clinic, the infrastructure vendors.
HIPAA coverage is a joint posture. The grid below names what's built into Rosiflow, what the clinic owns operationally, and what infrastructure vendors provide.
Responsibility split · HIPAA-conscious posture (conservative reading)

Area                            Rosiflow      Clinic          Infra vendor
Tenant isolation (RLS)          built-in      —               —
Audit log + retention           built-in      policy review   —
BAA signed                      joint         joint           —
Workforce HIPAA training        —             owned           —
Encryption at rest + transit    configured    —               AES-256 · TLS 1.2+
Breach-notification contact     intake        owned           —
PHI-conscious notifications     built-in      —               —
Pen-test report                 planned       —               —
What Rosiflow is designed to support
Built-in by default — no operator action required.
Tenant isolation at the database
Supabase row-level security on every tenant table. A user in Clinic A cannot read, write, or count rows in Clinic B's data through any public surface. The one credential that bypasses RLS, the service-role key, is held server-side only and never reaches the browser.
Role-based access (6 roles)
Owner / admin / provider / nurse / intake-staff / front-desk. Enforced in the database: RLS policies call `has_org_role` security-definer helper functions, so the check holds for any request path, not just the UI.
Append-only audit log
Every state-changing server function writes a row recording the actor, the entity, and a timestamp. There is no delete UI, no scheduled expiry, and no admin bypass.
Encryption in transit + at rest
TLS 1.2+ on every external surface. Supabase storage at rest is AES-256. The service-role key is server-only and never reaches the browser bundle.
PHI-conscious notification design
Email envelopes carry portal links, never identifiers. Patient names + diagnoses live behind authenticated sessions.
Read-only support impersonation
Rosiflow staff can investigate issues but cannot mutate clinic data. Each impersonation session has a hard 30-minute TTL, notifies the clinic owner, and writes its own audit row.
Brand-only AI labels
Customer UI only ever shows 'Rosiflow AI'. Upstream model names never appear in rendered HTML.
Hashed portal tokens
Patient portal links carry a token whose SHA-256 hash is stored; the raw token never enters the database after generation. The token is drawn from a CSPRNG with enough entropy that a copy of the hash column gives an attacker nothing to brute-force.
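How the hashed-token pattern fits together, as an added example written for this page rather than code from Rosiflow. It assumes Node's `node:crypto`, a hypothetical `PortalLinkRow` shape, and an in-memory array standing in for the portal-links table; the only thing the row ever holds is the hex SHA-256 of the token.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical shape of a stored portal-link row (not Rosiflow's schema).
// Only the SHA-256 of the token is persisted; the raw token goes into the
// email and is then dropped.
interface PortalLinkRow {
  tokenHash: string;   // hex SHA-256 of the raw token
  patientId: string;
  expiresAt: number;   // epoch milliseconds
}

// 32 bytes from the CSPRNG: a copy of the hash column gives an attacker
// no feasible preimage search.
function generateRawToken(): string {
  return randomBytes(32).toString("base64url");
}

function hashToken(rawToken: string): string {
  return createHash("sha256").update(rawToken, "utf8").digest("hex");
}

// Issue a link: the raw token is returned for the email sender, the row
// (hash only) is what gets written to the database.
function issuePortalLink(
  patientId: string,
  ttlMs: number,
  now: number = Date.now(),
): { rawToken: string; row: PortalLinkRow } {
  const rawToken = generateRawToken();
  return {
    rawToken,
    row: { tokenHash: hashToken(rawToken), patientId, expiresAt: now + ttlMs },
  };
}

// Redeem: hash the presented token and look it up. The comparison uses
// timingSafeEqual, the idiomatic choice for anything derived from a secret.
// Expired links are treated exactly like unknown ones.
function redeemPortalLink(
  rows: readonly PortalLinkRow[],
  presentedToken: string,
  now: number = Date.now(),
): PortalLinkRow | null {
  const presented = Buffer.from(hashToken(presentedToken), "hex");
  for (const row of rows) {
    const stored = Buffer.from(row.tokenHash, "hex");
    if (stored.length === presented.length && timingSafeEqual(stored, presented)) {
      return row.expiresAt > now ? row : null;
    }
  }
  return null;
}
```

In a real deployment the lookup is an indexed equality query on the hash column rather than the linear scan above, which is only there so the example runs offline. The redeem path never needs the raw token to be stored anywhere, which is the property the page describes.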
Operator-side configuration
What needs to be set before any clinic uploads live PHI.
Signed BAA
Joint document between Rosiflow legal and the clinic's compliance officer. Reviewed under NDA before contract signing.
Clinic data-handling policy
The clinic's own internal policy must permit SaaS PHI storage. We help review; we don't author this for you.
Breach-notification contact
The clinic identifies a primary contact authorized to receive a security incident notification on its behalf.
Optional MFA-required mode
`SUPERADMIN_REQUIRE_MFA=true` checks that the Supabase JWT carries AAL2 assurance (MFA completed in the current session) on every superadmin operation. Recommended before granting Rosiflow support access.
Optional IP allowlist
`SUPERADMIN_ALLOWED_IPS` restricts the platform-admin surface to your support team's egress IPs. Unparseable entries fail closed: a typo locks everyone out rather than letting anyone in.
Demo seed off
`VITE_ALLOW_DEMO_SEED=false` in production. Sandbox seed buttons are off by default in the deployment we ship.
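What the two superadmin gates above look like when combined, including the fail-closed behaviour on a malformed allowlist entry. This is an added example written for this page, not Rosiflow's code: the claim shapes, the `gateSuperadmin` function and the environment interface are assumptions, and the JWT is taken to have already been signature-verified by the auth layer before its claims reach this check. It relies on Supabase putting the session assurance level in the `aal` claim (`aal1` password-only, `aal2` MFA completed).

```typescript
import { isIP } from "node:net";

// Claims from an already-verified Supabase JWT (assumed shape; signature
// checking happens upstream and is not repeated here).
interface VerifiedClaims {
  sub: string;
  aal?: string; // "aal1" or "aal2"
}

// The two environment variables this page names (hypothetical env shape).
interface SuperadminEnv {
  SUPERADMIN_REQUIRE_MFA?: string;
  SUPERADMIN_ALLOWED_IPS?: string;
}

type Allowlist =
  | { kind: "unset" }                      // variable absent: no IP restriction
  | { kind: "valid"; ips: Set<string> }
  | { kind: "invalid"; badEntry: string }; // one bad entry poisons the whole list

// Parse the comma-separated allowlist. A single entry that is not a literal
// IPv4/IPv6 address (a typo, a hostname, a CIDR) marks the allowlist invalid,
// and an invalid allowlist denies every caller: fail closed.
function parseAllowlist(raw: string | undefined): Allowlist {
  if (raw === undefined) return { kind: "unset" };
  const ips = new Set<string>();
  for (const entry of raw.split(",")) {
    const ip = entry.trim();
    if (ip === "") continue; // tolerate a trailing comma
    if (isIP(ip) === 0) return { kind: "invalid", badEntry: ip };
    ips.add(ip);
  }
  // Set but empty is also treated as a misconfiguration, not as "allow all".
  return ips.size === 0 ? { kind: "invalid", badEntry: "<empty>" } : { kind: "valid", ips };
}

// Node dual-stack sockets report IPv4 peers as "::ffff:a.b.c.d"; normalise so
// an IPv4 allowlist entry still matches.
function normaliseIp(clientIp: string): string {
  const prefix = "::ffff:";
  return clientIp.startsWith(prefix) && isIP(clientIp.slice(prefix.length)) === 4
    ? clientIp.slice(prefix.length)
    : clientIp;
}

interface Decision { allowed: boolean; reason: string }

function gateSuperadmin(claims: VerifiedClaims, clientIp: string, env: SuperadminEnv): Decision {
  const allowlist = parseAllowlist(env.SUPERADMIN_ALLOWED_IPS);
  if (allowlist.kind === "invalid") {
    return { allowed: false, reason: `SUPERADMIN_ALLOWED_IPS has unparseable entry "${allowlist.badEntry}"; failing closed` };
  }
  const ip = normaliseIp(clientIp);
  if (allowlist.kind === "valid" && !allowlist.ips.has(ip)) {
    return { allowed: false, reason: `client IP ${ip} is not allowlisted` };
  }
  if (env.SUPERADMIN_REQUIRE_MFA === "true" && claims.aal !== "aal2") {
    return { allowed: false, reason: `MFA required but session assurance is ${claims.aal ?? "unknown"}` };
  }
  return { allowed: true, reason: "ok" };
}
```

The client IP fed to this check must come from the socket or from a proxy header that your edge is known to overwrite; an `X-Forwarded-For` value copied straight from the request is attacker-controlled and would make the allowlist decorative.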
Customer responsibilities
What stays on your side.
Workforce HIPAA training
Your covered-entity policies for staff onboarding, recurring training, and access termination are unchanged — Rosiflow is one of multiple systems they use.
Patient consent + ROI
Authorizations for treatment, payment, and operations remain the clinic's responsibility. Rosiflow stores the document; you collect the signature.
Off-platform comms
Email + phone interactions outside Rosiflow keep their existing safeguards. We don't replace your encrypted-mail or telehealth tool.
EHR / EMR system of record
Rosiflow runs the operational layer between booking and visit. Your EHR remains the clinical system of record.
Enterprise readiness roadmap
Where Rosiflow's compliance posture is heading.
Business Associate Agreement
Rosiflow signs a BAA with each clinic when the operational and legal items above are completed jointly. Compliance teams receive the standard BAA + security questionnaire responses within one business day.
Independent SOC 2 attestation
Infrastructure providers underpinning Rosiflow maintain SOC 2 Type II. Rosiflow's own Type II is part of the enterprise readiness roadmap and is shared with prospects under NDA once available.
HITRUST
HITRUST is evaluated on a per-engagement basis. If your procurement requires HITRUST today, the enterprise team can scope the right path for your timeline.
Penetration testing
Third-party penetration tests are scheduled in line with the SOC 2 program. Executive summaries and remediation evidence are shared under NDA with procurement.
The full security review — impersonation matrix, AI safety invariants, hardening checklist — is available to compliance teams under NDA before contract.
Send the BAA to your compliance team.
We send the standard BAA, the conservative security questionnaire responses, and the gating checklist. Same business day. No marketing hand-waving.