Security at Sensacare
Sensacare is built from the ground up to protect sensitive health information and ensure the highest levels of security, privacy, and compliance. While we are newly launched, we've prioritised security architecture from day one to support enterprise healthcare needs and regulatory requirements across Australia, the U.S., and beyond.
Authentication & Access Control
- Role-Based Access Control (RBAC): Super Admin, Admin, and Carer roles each have granular permissions for what they can view and edit.
- Session Management: All sessions are handled via Supabase Auth or our mock layer, with automatic session expiration to prevent data exposure.
- Login Enforcement: All secure routes require valid session tokens. Demo users are sandboxed and never touch production systems.
- Token-Based Authorisation: Real deployments use Supabase-issued JWTs to establish user identity; access decisions are made on the server against the verified token claims, not against anything the client asserts.
Data Privacy & Protection
- Client Data Isolation: Each carer can only view data for patients they are directly assigned to.
- Protected Identifiers: Patient names, IDs, and birthdates are hidden or obfuscated in demo environments.
- Mock Data Mode: No real health or personal data is ever used during demos — all sessions are fake and isolated.
- Write Controls: Only authenticated users with appropriate roles can create or update clinical data such as thresholds or notes.
Secure Storage & Transport
- Encryption in Transit and at Rest: All data is encrypted in transit (TLS 1.3) and at rest (AES-256). This is transport and storage encryption rather than end-to-end encryption: data is decrypted inside the platform so the application can process it, which is why the access controls above matter.
- Encrypted Database (Supabase): Health records are stored in an encrypted-at-rest Postgres database, with every table scoped by Row-Level Security (RLS) policies so that a query made with a user's token returns only the rows those policies allow.
- Environment-Specific Access: Production and mock modes are strictly separated via environment variable configuration.
- No PII in Demo Mode: Absolutely no personally identifiable information is stored or transmitted during demonstrations.
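The carer-to-patient isolation and role-based write controls described under Data Privacy & Protection, and the RLS scoping described above, can be expressed directly as Postgres policies. What follows is an added example written for this page, not Sensacare's own schema or policies: the `patients`, `carer_assignments` and `thresholds` tables and the `user_role` claim under `app_metadata` are assumptions, while `auth.uid()`, `auth.jwt()` and the `authenticated` role are Supabase's built-ins.

```sql
-- Added example (not Sensacare's schema). Assumed tables: patients,
-- carer_assignments, thresholds. Assumed role claim: app_metadata.user_role
-- in the Supabase JWT. auth.uid(), auth.jwt() and the authenticated role are
-- Supabase built-ins.

create table patients (
  id            uuid primary key default gen_random_uuid(),
  full_name     text not null,
  date_of_birth date not null
);

-- Which carers are directly assigned to which patients (assumed join table).
create table carer_assignments (
  carer_id   uuid not null references auth.users (id) on delete cascade,
  patient_id uuid not null references patients (id) on delete cascade,
  primary key (carer_id, patient_id)
);

create table thresholds (
  id         uuid primary key default gen_random_uuid(),
  patient_id uuid not null references patients (id) on delete cascade,
  metric     text not null,
  low        numeric,
  high       numeric
);

-- Role helper: reads the role from the JWT's app_metadata (assumed claim name).
-- app_metadata is only writable server-side, unlike user_metadata, which the
-- user can edit, so it is the only safe place for an authorisation claim.
create or replace function app_role() returns text
language sql stable
as $$
  select coalesce(auth.jwt() -> 'app_metadata' ->> 'user_role', 'carer');
$$;

-- Enable and force RLS: with no matching policy a query returns zero rows,
-- and "force" applies the policies to the table owner as well.
alter table patients          enable row level security;
alter table patients          force  row level security;
alter table carer_assignments enable row level security;
alter table carer_assignments force  row level security;
alter table thresholds        enable row level security;
alter table thresholds        force  row level security;

-- A carer may read their own assignment rows. This policy is required by the
-- patient and threshold policies below: a subquery inside a policy is itself
-- subject to RLS on the table it reads, so without it the EXISTS is always false.
create policy carer_reads_own_assignments on carer_assignments
  for select to authenticated
  using (carer_id = auth.uid());

-- Client data isolation: a carer sees only patients they are assigned to;
-- admins and super admins see all patients.
create policy reads_patients on patients
  for select to authenticated
  using (
    app_role() in ('admin', 'super_admin')
    or exists (
      select 1 from carer_assignments ca
      where ca.patient_id = patients.id
        and ca.carer_id   = auth.uid()
    )
  );

-- Carers read thresholds only for their assigned patients. Admin reads are
-- covered by the "for all" policy further down (permissive policies are ORed).
create policy carer_reads_assigned_thresholds on thresholds
  for select to authenticated
  using (
    exists (
      select 1 from carer_assignments ca
      where ca.patient_id = thresholds.patient_id
        and ca.carer_id   = auth.uid()
    )
  );

-- Write controls: only admins create, update or delete thresholds.
-- USING filters the rows a statement may touch; WITH CHECK validates the rows
-- it produces, so an UPDATE cannot move a row outside the admin's scope.
create policy admin_writes_thresholds on thresholds
  for all to authenticated
  using (app_role() in ('admin', 'super_admin'))
  with check (app_role() in ('admin', 'super_admin'));

-- Only super admins change who is assigned to whom.
create policy super_admin_manages_assignments on carer_assignments
  for all to authenticated
  using (app_role() = 'super_admin')
  with check (app_role() = 'super_admin');
```

Two checks a reviewer would want. First, the frontend must only ever hold the anon key plus the user's own JWT: Supabase's `service_role` key bypasses RLS entirely, so it belongs on the server only. Second, policies can be exercised from a SQL session without a browser: `set role authenticated;` followed by `select set_config('request.jwt.claims', '{"sub":"<carer uuid>","app_metadata":{"user_role":"carer"}}', true);` makes `auth.uid()` and `app_role()` return that carer's values, after which `select count(*) from patients;` should equal the number of that carer's assignments and an `update thresholds ...` should affect zero rows.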
Infrastructure Security
- Secure Hosting (Vercel + Supabase): Both platforms are HIPAA-aware and ISO/IEC 27001 compliant.
- Token Validation: Middleware automatically rejects expired, malformed, or incorrectly signed session tokens. Note that a JWT stays valid until it expires, so revoking a session earlier (on logout or compromise) depends on invalidating the refresh token and keeping access-token lifetimes short.
- Minimal Server Surface: No raw backend functions are exposed directly to the frontend — all calls are wrapped with validation logic.
Regulatory Compliance Readiness
Sensacare is architected for alignment with key data privacy and healthcare laws:
- Australian Privacy Principles (APPs): Compliant handling of personal health information.
- HIPAA (USA): Platform infrastructure supports HIPAA-eligible deployment.
- GDPR (EU): Includes support for data removal requests, audit logging, and opt-out functionality.
- TGA-Aligned Design: Engineered with audit logging and data segregation in mind for future certification pathways.
Audit & Logging
- Action Audit Trail: Will log actions like threshold updates, alert dismissals, and clinical notes.
- Role-Based Audit Logs: Planned tracking for high-privilege route access (e.g., admin-level views).
- EHR Export Logging: Future support for logging data exported to third-party health systems.
Fail-Safe Mechanisms
- Production Guardrails: System blocks mock data access in production (`USE_MOCK_DATA=false`).
- Middleware Enforcement: Secure routes are locked without valid sessions.
- Read-Only Demo Mode: Thresholds, alerts, and notes are simulated in mock mode — never stored or updated for real.
Building Trust from Day One
While Sensacare is newly launched, we are committed to earning your trust through transparency, accountability, and enterprise-grade protection. We welcome due diligence reviews and are happy to provide technical documentation upon request.
For security inquiries or to request additional technical documentation, please contact our team at support@optihealthgroup.com