SECURITY · PRIVACY · COMPLIANCE
We complement your GPO contracts. We don't replace them — we help you use them better.
No patient data ingested, stored, or processed. Ever.
All data encrypted in transit (TLS 1.3) and at rest.
Row-level security ensures complete data separation between hospitals.
Version 2.0.0 · Effective April 13, 2026
All documents are accepted digitally during onboarding with SHA-256 cryptographic verification (D-027).
Zero-PHI Data Protection Addendum
Replaces traditional BAA. Hospital Focus CK never acts as a Business Associate because we never access PHI.
Passwordless Authentication
Email-based magic links via Supabase Auth. No passwords stored. No SSO integration required.
Client-Side Document Generation
All PDFs generated in the browser via jsPDF. No document data touches our servers.
Privacy-First Analytics
PostHog with full text/attribute masking. CPRA non-cross-context designation. No PHI in telemetry.
| Provider | Purpose | Data |
|---|---|---|
| Supabase (AWS) | Database & Auth | Email, hospital profile, supply chain metrics (no PHI) |
| Vercel | Hosting & CDN | Static assets, server functions |
| PostHog | Product Analytics | Masked usage events only |
| Resend | Transactional Email | Recipient email, alert content |
Questions about our security posture?
security@hospitalfocus.net