Security Overview
Our platform is designed with security, compliance, and accountability as core principles. We adhere to security practices aligned with HIPAA and SOC 2 frameworks to safeguard sensitive information.
Data
- Encryption in Transit: All network traffic is encrypted via TLS 1.2+ with strong cipher suites.
- Encryption at Rest: All persistent data is encrypted with AES-256. Databases and snapshots are encrypted at rest. Object storage uses server-side encryption (SSE-S3, AES-256) by default.
- Auditing: All access to any customer, inventory, or protected health information (PHI) via API or dashboard is logged. All attempted, failed, and successful logins, as well as data edits or modifications, are recorded, auditable, and regularly audited.
Infrastructure
- Private Networking: Services communicate over an internal private network using secure internal DNS.
- System Monitoring: Continuous collection of logs and performance metrics (CPU, memory) with alerting for anomalous behavior.
- Observability Dashboards: Custom dashboards provide real-time visibility into system health, performance, and deployment activity.
- Backups: Automated backups with tested restoration procedures are performed daily, weekly, and monthly.
- Patch Management: Operating systems and dependencies are regularly updated to remediate vulnerabilities.
Application & Operational
- Secure Development Practices: Code reviews, dependency vulnerability scanning, and secrets management.
- Identity Verification: Positive ID procedures are required and enforced for all in-pharmacy operations for prescription review or medication dispensation.
- Audit Trails: Comprehensive audit trails for all system access, data changes, and pharmacy operations.
Network Controls
- Encrypted Transport: All external connections are served over HTTPS with modern TLS protocols (1.2+). Certificates are automatically issued and renewed.
- Connection Limits & Rate Controls: Baseline rate limiting and connection caps are enforced at the network edge to prevent abuse and ensure service stability.
- Resilience Against Attacks: The network layer is protected against denial-of-service attempts, with safeguards in place to maintain availability.
Compliance & Certifications
- EPCS / DEA 21 CFR Part 1311: Certified and audited (every two years) for Electronic Prescriptions for Controlled Substances (EPCS) under DEA 1311 standards. Most recent audit: September 2025.
- Surescripts Certification: Certified for interoperability with the Surescripts network, which enforces mutual TLS (mTLS) and strict identity controls for all electronic prescription interchange.
- HIPAA Alignment: We implement HIPAA-aligned controls for auditing, access restrictions, and confidentiality.
- SOC 2 Alignment: We follow SOC 2 security principles, including:
  - Access controls (least privilege, audit logs).
  - Encryption in transit and at rest.
  - Change management and code review. All changes pass through version control, automated test suites, and a staging environment before production deployment.
  - Incident response procedures. We continuously and automatically monitor systems and have escalation processes in place to respond rapidly to anomalies or security events. Any incidents are documented, reviewed, and addressed as part of a structured post-incident review process.
  - Vendor Risk & Redundancy. Critical vendors are evaluated for compliance with recognized security and industry standards. Vendor dependencies are periodically reviewed. Key infrastructure is deliberately provisioned across multiple vendors to improve resilience and reduce the risk of single points of failure.