Security

1. Infrastructure Security

Hosting

MediChat is hosted on Vercel, a globally distributed cloud platform leveraging secure, hardened infrastructure. Our database is hosted on Supabase, which operates on AWS infrastructure with SOC 2 Type II certification.

Network Security

• All data in transit is encrypted using TLS 1.2 or 1.3
• HTTP Strict Transport Security (HSTS) is enforced across all endpoints
• Cloudflare is used for DDoS protection, web application firewall (WAF), and DNS security
• API endpoints are protected against common attack vectors including OWASP Top 10

2. Data Encryption

3. Authentication and Access Control

• Multi-factor authentication (MFA) available and recommended for all accounts
• Secure session management with automatic timeout after inactivity
• Row-level security (RLS) enforced at the database layer — each user can only access their own data
• Role-based access controls (RBAC) for platform administration
• All internal administrative access is logged and audited

4. Application Security

• Input validation and sanitization on all API endpoints
• Protection against SQL injection, XSS, CSRF, and injection attacks
• Dependency vulnerability scanning as part of the CI/CD pipeline
• Content Security Policy (CSP) headers enforced
• API rate limiting to prevent abuse and brute-force attacks
• Secrets management via environment variables — no secrets committed to source code repositories

5. Third-Party Access Token Security

WhatsApp Business API access tokens obtained through the Embedded Signup flow are:

• Encrypted at the application layer before being written to the database
• Never logged or exposed in error messages or server logs
• Never transmitted to the client after initial storage
• Subject to the same access controls as all other sensitive data

6. Organizational Security

• Access to production systems is limited to authorized personnel on a need-to-know basis
• All team members with data access are subject to confidentiality obligations
• Security awareness is incorporated into onboarding and ongoing operations
• We maintain an incident response plan with defined escalation procedures

7. Sub-Processor Security Standards

We require all sub-processors handling sensitive data to maintain encryption at rest and in transit, access controls and audit logging, incident response capabilities, and compliance with applicable data protection regulations.

8. Vulnerability Disclosure

If you discover a security vulnerability in MediChat, please report it responsibly:

9. Security Incident Response

In the event of a confirmed security incident:

1. We will contain the incident and assess its scope immediately
2. We will notify affected users within 72 hours of discovery where required by law
3. We will provide regular updates throughout the investigation
4. We will implement remediation measures and conduct a post-incident review

10. Limitations

No security system is impenetrable. While we implement industry-standard measures, we cannot guarantee absolute security. Users are responsible for maintaining strong, unique passwords, enabling MFA, and protecting their own devices and credentials. MediChat is not liable for security incidents attributable to user negligence or third-party provider failures beyond our control.

11. Contact