Security & Compliance

Auth57 security & compliance — no PHI accepted.

Auth57 is a rule-data platform, not a patient-data platform. No protected health information is ever accepted on any API surface. That constraint — plus a short list of industry-standard controls — is what you're buying when you subscribe.

No PHI · US-hosted · TLS 1.2+ · AES-256 at rest · MFA · RLS · SOC 2 Type 1 → Q2 2027

Posture at a glance

Eight things any vendor-risk team will ask, answered up front.

Data model: No PHI accepted
API inputs are state codes + program + drug/service enums. No names, DOBs, MRNs, or clinical notes.
Hosting: US-only
Vercel Edge Network (US regions) + Supabase Postgres (us-east-1). No data leaves the United States.
Transit: TLS 1.2+ everywhere
HTTPS-only on all endpoints. HSTS enforced. Strict-Transport-Security max-age 2 years.
At rest: AES-256 via Supabase
Postgres disk encryption managed by Supabase on AWS RDS. Backup snapshots encrypted.
Access: MFA + least privilege
All provider accounts (Vercel, Supabase, Stripe, GitHub) require MFA. Supabase RLS enforces row-level scope.
Secrets: 90-day rotation
All infrastructure keys (Supabase, Vercel, Stripe, Resend, Anthropic) rotated quarterly. Rotation runbook + wizard script in repo.
Monitoring: Sentry + Vercel logs
Every API error streamed to Sentry with PII-scrubbed headers. Rate-limit + auth failures logged to api_calls.
Data lineage: Source URL on every row
Weekly cron audits all 41,000+ source URLs. Broken citations get flagged and fixed within the business week.

Why “no PHI” matters

Most healthcare vendor-risk reviews start with one question: does this vendor touch PHI? For Auth57, the answer is structurally no — and that's not marketing copy, it's an architectural constraint.

The PA Lookup API accepts four parameters: state, program, and either drug or service. None identify a patient. The API returns PA rule data — verdict, source URL, next steps — against those categorical inputs, never against a specific person.

Because we don't accept PHI, the obvious consequences apply:

  • No HIPAA BAA required. HIPAA's Business Associate framework governs entities that create, receive, maintain, or transmit PHI on a covered entity's behalf. Auth57 does none of those things. Happy to sign a BAA as belt-and-suspenders if your procurement team requires it — email hello@auth57labs.com.
  • Incident severity is bounded. A worst-case breach of Auth57 exposes rule lookups and API-key metadata, not patient records. No HHS breach notification. No member-facing disclosure.
  • Vendor questionnaires shrink. Roughly 60% of typical VRM questions are PHI-scoped. Those questions are either N/A or answered by the architectural posture alone.

Defense in depth: the API also rejects requests at the edge when query params or free-text fields match unambiguous PHI shapes — SSN, formatted phone, email, or MM/DD/YYYY dates. A misconfigured client gets a 400 with code: phi_rejected instead of silently logging PHI into our request logs.
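The edge-side PHI-shape check described above, as an added example that is not Auth57's own code: a screen over query parameters and string-valued body fields that returns a 400 with code phi_rejected instead of letting the value reach request logs. The page specifies only the four shapes (SSN, formatted phone, email, MM/DD/YYYY) and the error code; the regular expressions, the api.example.test host, the field names in the sample requests and the exact response body are assumptions.

```javascript
// Added example (not Auth57's code): reject request inputs that match
// unambiguous PHI shapes before they are processed or logged.
// The patterns below are assumptions; only the four shape categories and the
// "phi_rejected" error code come from the page.

const PHI_SHAPES = [
  // A value matching several shapes reports the first one in this list.
  { kind: "ssn",   re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { kind: "phone", re: /(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b/ },
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}/ },
  { kind: "date",  re: /\b(?:0[1-9]|1[0-2])\/(?:0[1-9]|[12]\d|3[01])\/(?:19|20)\d{2}\b/ },
];

// Returns the matched shape name, or null when the value looks like ordinary
// rule-lookup input (state code, program name, drug/service enum).
function detectPhiShape(value) {
  if (typeof value !== "string") return null;
  for (const { kind, re } of PHI_SHAPES) {
    if (re.test(value)) return kind;
  }
  return null;
}

// Builds the 400 response. It names the offending field and shape but never
// echoes the value, so the rejection itself cannot leak what was submitted.
function reject(field, kind, location) {
  return {
    status: 400,
    body: {
      code: "phi_rejected",
      field,
      location,
      shape: kind,
      message: `Field "${field}" resembles a ${kind}; this API accepts no patient identifiers.`,
    },
  };
}

// Screens every query parameter and every string field of a flat JSON body.
// Returns null when the request is clean, otherwise the 400-shaped result.
function screenRequest(url, body = null) {
  const params = new URL(url).searchParams;
  for (const [name, value] of params) {
    const kind = detectPhiShape(value);
    if (kind) return reject(name, kind, "query");
  }
  if (body && typeof body === "object") {
    for (const [name, value] of Object.entries(body)) {
      const kind = detectPhiShape(value);
      if (kind) return reject(name, kind, "body");
    }
  }
  return null;
}

// Constructed sample requests (api.example.test is a placeholder host).
const CLEAN_URL =
  "https://api.example.test/v1/pauth-lookup?state=TX&program=medicaid&drug=semaglutide";
const TAINTED_URL = CLEAN_URL + "&member=123-45-6789";

module.exports = { detectPhiShape, screenRequest, CLEAN_URL, TAINTED_URL };
```

The screen runs before any logging or database access, so a client that mistakenly forwards a member identifier gets a loud, specific error rather than a successful lookup that quietly writes PHI into api_calls.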

Controls in place today

Not a compliance-theater list — just what's actually configured in production.

Transport
All traffic TLS 1.2+ with modern cipher suites. Strict-Transport-Security with 2-year max-age. HTTP/2 on Vercel edge.
Authentication
x-api-key header with UUID v4 keys. Edge Config cache for sub-10ms key lookup. Keys bound to plan + subscribed states. Invalid key → 401.
Authorization
Supabase Row-Level Security (RLS) policies enforce state-scoped access at the database layer. Compare endpoint requires compare_addon. Admin plan bypasses rate limits.
Rate limiting
10,000 lookups/hour per API key on /v1/pauth-lookup. 2,000 calls/hour on /v1/compare. Demo sessions capped at 10 lookups/24h. HTTP 429 with Retry-After on breach.
Secret management
No secrets in source. All provider keys in Vercel environment variables (encrypted at rest). 90-day rotation cadence. Automated rotation script.
Database
Supabase Postgres (AWS us-east-1). AES-256 disk encryption. Daily automated backups retained 7 days. RLS policies on every user-facing table.
Observability
Sentry error tracking with header/cookie/auth scrubbing before send. Vercel log retention. Every API call logged to api_calls with status + response time.
Data integrity
Weekly cron probes every source URL in the corpus. Broken citations flagged in link_audit_log and remediated within the business week.
Dependencies
Dependabot enabled on GitHub. Minimal surface: one API, few npm packages, no unmaintained transitive deps.
Incident response
Solo founder owns all pages. P0 acknowledgment target: 30 minutes business hours.
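The rate-limiting and plan rules from the controls list above, as an added example that is not Auth57's code: a fixed-window limiter keyed on API key and path that applies the per-route hourly caps, the 10 lookups per 24 hours demo cap and the admin bypass, and answers 429 with a computed Retry-After. The in-memory Map store, the injectable clock, the plan names "demo" and "admin" as string values, and the result shape are assumptions; the limits, routes and status codes are the ones the page states.

```javascript
// Added example (not Auth57's code): per-key fixed-window rate limiting with
// a Retry-After header on 429. Limits and routes are the ones listed on the page;
// the storage, clock injection and result shape are assumptions.

const LIMITS = {
  "/v1/pauth-lookup": { max: 10000, windowMs: 60 * 60 * 1000 },
  "/v1/compare":      { max: 2000,  windowMs: 60 * 60 * 1000 },
};
// Demo sessions share one cap across routes: 10 lookups per 24 hours.
const DEMO_LIMIT = { max: 10, windowMs: 24 * 60 * 60 * 1000 };

class RateLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;           // injectable clock so windows can be tested deterministically
    this.buckets = new Map(); // `${keyId}:${path}` -> { count, windowStart }
  }

  // Returns { allowed: true, remaining } or
  // { allowed: false, status: 429, retryAfter, headers: { "Retry-After": "<seconds>" } }.
  check({ keyId, plan, path }) {
    if (plan === "admin") return { allowed: true, remaining: Infinity }; // admin bypasses limits
    const limit = plan === "demo" ? DEMO_LIMIT : LIMITS[path];
    if (!limit) return { allowed: true, remaining: Infinity }; // route has no configured cap

    const id = `${keyId}:${path}`;
    const now = this.now();
    let bucket = this.buckets.get(id);
    // Start a fresh window when none exists or the current one has elapsed.
    if (!bucket || now - bucket.windowStart >= limit.windowMs) {
      bucket = { count: 0, windowStart: now };
      this.buckets.set(id, bucket);
    }
    if (bucket.count >= limit.max) {
      // Seconds until the window resets, rounded up so the client never retries early.
      const retryAfter = Math.ceil((bucket.windowStart + limit.windowMs - now) / 1000);
      return {
        allowed: false,
        status: 429,
        retryAfter,
        headers: { "Retry-After": String(retryAfter) },
      };
    }
    bucket.count += 1;
    return { allowed: true, remaining: limit.max - bucket.count };
  }
}

module.exports = { RateLimiter, LIMITS, DEMO_LIMIT };
```

A fixed window is the simplest scheme that makes Retry-After exact: the reset instant is known, so the header tells a well-behaved client precisely how long to back off instead of forcing it to poll. In a multi-region edge deployment the Map would be replaced by a shared store, but the window arithmetic is unchanged.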

Compliance roadmap

Honest about what's live, what's next, and what's deferred. We don't pretend to have compliance we don't have.

Done
Architectural PHI exclusion. Day-one design constraint. Reviewed in every new API surface.
Done
Baseline controls. TLS, encryption at rest, MFA, RLS, Sentry, rate limiting, secret rotation — all live.
Q3 2026
Public status page + uptime SLA. status.auth57labs.com with 99.9% uptime commitment on API and Cafe.
Q4 2026
Vendor-risk-questionnaire pre-fill. Completed CAIQ / SIG-Lite responses published.
Q1 2027
SOC 2 Type 1 readiness. Controls defined and documented. Vanta or Drata automation in place.
Q2 2027
SOC 2 Type 1 report. Point-in-time attestation covering security + availability.
Q4 2027
SOC 2 Type 2 report. Six-month observation period concludes.
On demand
HIPAA BAA. Not technically required (no PHI) but we'll sign if your procurement requires it.
On demand
Penetration test. Third-party pen test scheduled when first enterprise deal commits.

Responsible disclosure

If you've found a vulnerability in any Auth57 product, please email security@auth57labs.com. Include steps to reproduce and, if possible, a suggested fix. We acknowledge within 24 hours on business days and will credit researchers on this page (with permission) after the issue is resolved.

We don't currently run a paid bug bounty. We do write thank-you notes and make small charitable donations on behalf of researchers who help us ship safer software.

In scope: *.auth57.io · *.auth57labs.com · the REST API · the MCP server · the subscribe flows.

Out of scope: social engineering · DoS / volumetric testing · third-party subdomains (Calendly, jsdelivr, Supabase, Stripe) · issues in old browser versions.

Vendor-risk team?

If you're evaluating Auth57 for use inside your payer, consultancy, or health-tech org — I'm happy to complete your standard vendor questionnaire, answer security follow-ups, or hop on a 30-minute call with your InfoSec team. Solo founder, direct line, no “I'll have to check with our security team.”

Security contact

General inquiries: hello@auth57labs.com
Responsible disclosure: security@auth57labs.com
Book 30 min with the founder: auth57labs.com/book