Security & compliance

A short summary of how ELH Health handles customer and member data. We share extended materials (DPA, architecture diagram, SBOM) under a mutual NDA on request.

Data classification

Class	Examples	Storage
PHI	Health profile, biometrics, meals	Encrypted at rest, RLS-locked, audit-chained reads
PII	Name, email, employee ID	Encrypted at rest, RLS-locked
Operational	IPs, user agents	Hashed before storage; raw IP never persisted

Authentication

• SSO: SAML 2.0 (Okta, Azure AD, OneLogin, Google Workspace) and OIDC.
• Password (when SSO not enforced): PBKDF2-SHA256, 200,000 iterations (OWASP 2024 minimum).
• Sessions: 32-byte URL-safe tokens, SHA-256 hashed in DB, 30-day TTL.
• Brute-force protection: per-IP, per-org rate limiting on login.

Authorization

• App-layer scoping: every query is filtered by org_id (and site_id where relevant).
• Row-level security: every PHI table has RLS policies that key off the request's org_id, user_id, and role GUCs. Defense-in-depth — even a missing WHERE clause is caught.
• Least privilege: trainers see only their roster; site admins only their site; org admins only their org.

Audit chain

Every read of member PHI inserts a row into audit_log with a SHA-256 digest of the previous row + the current canonical event. Tampering with any historic row breaks verification at that point. Logs are retained for 7 years (HIPAA) and exportable on request.

Network

• TLS 1.2+ everywhere; HSTS preload
• Strict CSP; frame-ancestors 'none'
• Per-tenant subdomain isolation (cookies scoped to tenant subdomain)

Subprocessors

The complete sub-processor list — provider names, purpose, region, and BAA coverage — is shared with every customer under the Data Processing Addendum (DPA) at contract signing. Customers are notified 30 days before any new sub-processor is added.

Reporting

Quarterly security reviews are included in every Enterprise contract. We will (a) walk through the audit chain for your tenant, (b) review access patterns and flag anomalies, (c) hand you a written summary for your security committee.

Vulnerability reports

Coordinated disclosure to security@elhhealth.app. We respond within one business day and credit reporters in our public security log.