Enterprise-Grade Security
Security built from the ground up
Every layer of our architecture is designed to protect sensitive clinical data and meet the requirements of HIPAA-covered entities.
HIPAA · AES-256 at Rest · TLS 1.3 · RLS Isolation · BAA Available
Encryption
AES-256 + TLS 1.3
- All data at rest is encrypted with AES-256 through our database provider's (Supabase) managed disk-level encryption. This covers every byte written to storage, including all 18 HIPAA identifiers, and protects the data if the underlying media is lost or stolen; who may read that data through the database is governed by the isolation and access controls described below.
- All data in transit is protected by TLS 1.3, whose ephemeral key exchange provides forward secrecy: a later compromise of a server's long-term key does not allow previously captured traffic to be decrypted.
- Database connections from our application servers to Supabase are mutually authenticated and TLS-encrypted end-to-end.
- Backups and snapshots managed by our database provider inherit the same at-rest encryption and access controls.
Data Isolation
PostgreSQL RLS
- Strict multi-tenant isolation is enforced at the database level through PostgreSQL Row-Level Security (RLS) policies on every PHI-bearing table.
- Every database record is stamped with an organization identifier, and RLS policies filter every query against it inside PostgreSQL itself. An application bug cannot widen a query beyond the caller's tenant, because the policy is applied by the database to every statement run by a role that is subject to RLS; superuser and BYPASSRLS connections are the only exemption, which is why such connections fall under the internal access controls described below.
- Solo practitioners and organization members alike are scoped to their own data through the same RLS guarantees.
- When a tenant is offboarded, all their rows are deleted and removed from backups in accordance with our data retention policy.
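The following is an added example of the tenant-isolation pattern described above, written for Supabase-style PostgreSQL; it is not Genos's own schema. The table, column, function and policy names are assumptions, as is the use of Supabase's `authenticated` role. `auth.uid()` is Supabase's helper that returns the `sub` claim of the calling user's JWT.

```sql
-- Added example (not Genos's schema): RLS tenant isolation in the Supabase style.
-- All names below are assumptions chosen for illustration.

create table organization_members (
  organization_id uuid not null,
  user_id         uuid not null,
  role            text not null
    check (role in ('owner', 'admin', 'supervisor', 'therapist', 'viewer')),
  primary key (organization_id, user_id)
);

create table clinical_notes (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,   -- every PHI row is stamped with its tenant
  author_id       uuid not null,
  body            text not null
);

-- ENABLE turns RLS on; FORCE makes the table owner subject to it as well.
-- Only superusers and roles created with BYPASSRLS remain exempt.
alter table organization_members enable row level security;
alter table organization_members force row level security;
alter table clinical_notes       enable row level security;
alter table clinical_notes       force row level security;

-- GRANT still decides whether the role may touch the table at all;
-- RLS only decides which rows it sees.
grant select on organization_members to authenticated;
grant select, insert, update, delete on clinical_notes to authenticated;

-- A user can see only their own membership rows, so this table cannot be
-- used to enumerate other tenants or their members.
create policy members_self on organization_members
  for select using (user_id = auth.uid());

-- Helpers run with the caller's privileges (SECURITY INVOKER, the default),
-- so their lookups are themselves filtered by members_self.
create or replace function is_member(org uuid) returns boolean
language sql stable as $$
  select exists (select 1 from organization_members m
                  where m.organization_id = org and m.user_id = auth.uid())
$$;

create or replace function can_write(org uuid) returns boolean
language sql stable as $$
  select exists (select 1 from organization_members m
                  where m.organization_id = org and m.user_id = auth.uid()
                    and m.role <> 'viewer')
$$;

-- Read: any member of the row's organization.
create policy notes_read on clinical_notes
  for select using (is_member(organization_id));

-- Write: members other than viewers, and only within their own organization.
-- WITH CHECK rejects an INSERT/UPDATE whose resulting row would belong to
-- another tenant, so a buggy or hostile client cannot re-home PHI.
create policy notes_insert on clinical_notes
  for insert with check (can_write(organization_id));
create policy notes_update on clinical_notes
  for update using (can_write(organization_id))
         with check (can_write(organization_id));
create policy notes_delete on clinical_notes
  for delete using (can_write(organization_id));

-- Checking the policies from psql. Assumes, as on Supabase, that auth.uid()
-- reads the request.jwt.claims setting. The ids are constructed sample values.
begin;
set local role authenticated;
set local request.jwt.claims to '{"sub":"11111111-1111-1111-1111-111111111111"}';
-- Returns only organizations this user belongs to, whatever the WHERE clause says.
select organization_id, count(*) from clinical_notes group by organization_id;
-- Fails with "new row violates row-level security policy" unless the user is a
-- non-viewer member of that organization.
insert into clinical_notes (organization_id, author_id, body)
values ('22222222-2222-2222-2222-222222222222',
        '11111111-1111-1111-1111-111111111111', 'intake summary');
rollback;
```

Two points worth keeping in mind when applying this pattern: a failed INSERT aborts the enclosing transaction, so the check above is wrapped in `begin`/`rollback`; and a connection that uses a superuser, a BYPASSRLS role, or the table owner without FORCE (for example a service-role key used by server-side code) sees every tenant's rows, so any such code path must enforce the organization scope itself.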
Access Control
RBAC
- Role-based access control (RBAC) with five distinct roles: Owner, Admin, Supervisor, Therapist, and Viewer.
- Permissions are enforced at the API layer (server-side guards), which is the authoritative check, and mirrored at the UI layer (client-side gating) so that users only see actions they are allowed to perform.
- Session management with configurable timeout, enforced at the organization level.
- All authentication and authorization events are recorded in an immutable audit log.
- Invitation-based onboarding with email domain restrictions to prevent unauthorized access.
Infrastructure
Secure
- Hosted on Supabase with managed PostgreSQL and automatic backups.
- Application deployed on Vercel with automatic TLS, DDoS protection, and edge caching.
- All infrastructure runs with continuous monitoring and alerting.
- Security headers enforced: HSTS, X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, and Referrer-Policy.
Compliance & Transparency
HIPAA
- HIPAA Security Rule technical safeguards implemented: access controls, audit controls, integrity controls, and transmission security.
- All 18 categories of identifier that HIPAA treats as making health information individually identifiable are encrypted at rest and in transit, together with the clinical data they are attached to.
- Business Associate Agreement (BAA) available for covered entities and their business associates.
- Comprehensive audit logging of all PHI access, including data reads, exports, and administrative actions.
- Genos processes data server-side to power AI features (session analysis, transcription, case analysis). This means your data is decrypted in memory during processing. We do not store plaintext copies, and all processing is scoped to your tenant.
- We apply strict internal access controls: production data access requires audit-logged authorization. No employee can silently access tenant data.
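The following is an added example of how an immutable, tenant-scoped audit log of the kind described in the Access Control and Compliance sections can be enforced inside PostgreSQL; it is not Genos's own schema. Names are assumptions, and the policies assume the caller's JWT carries a custom `org_id` claim read with Supabase's `auth.jwt()` helper, which is also an assumption about how the tenant is conveyed.

```sql
-- Added example (not Genos's schema): an append-only audit log whose
-- immutability is enforced by the database rather than by application code.
-- All names and the `org_id` JWT claim are assumptions for illustration.

create table audit_log (
  id              bigint generated always as identity primary key,
  occurred_at     timestamptz not null default now(),
  organization_id uuid not null,
  actor_id        uuid,                 -- null for system-initiated actions
  action          text not null,        -- e.g. 'auth.login', 'note.read', 'export.csv'
  target          text,                 -- table and row touched; never the PHI itself
  details         jsonb not null default '{}'::jsonb
);

-- Refuse UPDATE, DELETE and TRUNCATE for every caller. A superuser could still
-- drop the trigger, which is why production database access is itself audited.
create or replace function audit_log_reject() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % not permitted', tg_op;
end
$$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_reject();

create trigger audit_log_no_truncate
  before truncate on audit_log
  for each statement execute function audit_log_reject();

-- Application roles get INSERT and SELECT only; no UPDATE or DELETE is granted,
-- so the trigger is a second line of defence rather than the only one.
alter table audit_log enable row level security;
alter table audit_log force row level security;
grant select, insert on audit_log to authenticated;
grant usage on sequence audit_log_id_seq to authenticated;  -- needed for the identity column

-- Tenant scoping: a caller reads and writes only the organization in its token.
create policy audit_read on audit_log
  for select using (organization_id = (auth.jwt() ->> 'org_id')::uuid);

create policy audit_insert on audit_log
  for insert with check (organization_id = (auth.jwt() ->> 'org_id')::uuid);

-- Exercising it from psql with constructed sample ids. As on Supabase, auth.jwt()
-- is assumed to read the request.jwt.claims setting.
begin;
set local role authenticated;
set local request.jwt.claims to
  '{"sub":"11111111-1111-1111-1111-111111111111","org_id":"22222222-2222-2222-2222-222222222222"}';

-- Reads of a PHI table do not fire triggers, so read and export events are
-- recorded by the API layer with an insert like this one; mutations of PHI
-- tables can be captured by an AFTER trigger that performs the same insert.
insert into audit_log (organization_id, actor_id, action, target, details)
values ('22222222-2222-2222-2222-222222222222',
        '11111111-1111-1111-1111-111111111111',
        'note.read', 'clinical_notes:id=7', '{"source":"api"}');

-- Any attempt to rewrite history is rejected by the trigger:
delete from audit_log;   -- ERROR: audit_log is append-only: DELETE not permitted
rollback;
```

Because SELECT statements never fire triggers, "all PHI access, including data reads" can only be captured if the API layer emits an audit row for every read and export it serves; the database can guarantee that the rows, once written, are neither altered nor removed, and that each tenant sees only its own entries.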