Security & Compliance

Auth57 security & compliance —
no PHI accepted.

Auth57 is a rule-data platform, not a patient-data platform. No protected health information is ever accepted on any API surface. That constraint — plus a short list of industry-standard controls — is what you're buying when you subscribe.

No PHI · US-hosted · TLS 1.2+ · AES-256 at rest · MFA · RLS · SOC 2 Type 1 → Q2 2027

Posture at a glance

Eight things any vendor-risk team will ask, answered up front.

Data model
No PHI accepted
API inputs are state codes + program + drug/service enums. No names, DOBs, MRNs, or clinical notes.
Hosting
US-only
Vercel Edge Network (US regions) + Supabase Postgres (us-east-1). No data leaves the United States.
Transit
TLS 1.2+ everywhere
HTTPS-only on all endpoints. HSTS enforced with a two-year Strict-Transport-Security max-age (63072000 seconds).
At rest
AES-256 via Supabase
Postgres disk encryption managed by Supabase on AWS RDS. Backup snapshots encrypted.
Access
MFA + least privilege
All provider accounts (Vercel, Supabase, Stripe, GitHub) require MFA. Supabase RLS enforces row-level scope.
Secrets
90-day rotation
All infrastructure keys (Supabase, Vercel, Stripe, Resend, Anthropic) rotated quarterly. Rotation runbook + wizard script in repo.
Monitoring
Sentry + Vercel logs
Every API error streamed to Sentry with PII-scrubbed headers. Rate-limit + auth failures logged to api_calls.
Data lineage
Source URL on every row
Weekly cron audits all 10,402 source URLs. Broken citations get flagged and fixed within the business week.

Why “no PHI” matters

Most healthcare vendor-risk reviews start with one question: does this vendor touch PHI? For Auth57, the answer is structurally no — and that's not marketing copy, it's an architectural constraint.

The PA Lookup API recognises four parameters, of which each request carries three: state, program, and either drug or service. None identifies a patient. The API returns PA rule data — verdict, source URL, next steps — against those categorical inputs, never against a specific person.

Because we don't accept PHI, the obvious consequences apply:

  • No HIPAA BAA required. HIPAA's Business Associate framework governs entities that create, receive, maintain, or transmit PHI on a covered entity's behalf. Auth57 does none of those things. Happy to sign a BAA as belt-and-suspenders if your procurement team requires it — email hello@auth57labs.com.
  • Incident severity is bounded. A worst-case breach of Auth57 exposes rule lookups and API-key metadata, not patient records. No HHS breach-notification obligation. No member-facing disclosure.
  • Vendor questionnaires shrink. Roughly 60% of typical VRM questions are PHI-scoped. Those questions are either N/A or answered by the architectural posture alone.

Controls in place today

Not a compliance-theater list — just what's actually configured in production.

Transport
All traffic TLS 1.2+ with modern cipher suites. Strict-Transport-Security with 2-year max-age. HTTP/2 on Vercel edge.
Authentication
x-api-key header with UUID v4 keys. Edge Config cache for sub-10ms key lookup. Keys bound to plan + subscribed states. Invalid key → 401.
Authorization
Supabase Row-Level Security (RLS) policies enforce state-scoped access at the database layer. Compare endpoint requires compare_addon. Admin plan bypasses rate limits.
Rate limiting
10,000 lookups/hour per API key on /v1/pa-lookup. 2,000 calls/hour on /v1/compare. Demo sessions capped at 10 lookups/24h. HTTP 429 with Retry-After on breach.
Secret management
No secrets in source. All provider keys in Vercel environment variables (encrypted at rest). 90-day rotation cadence. Automated rotation script.
Database
Supabase Postgres (AWS us-east-1). AES-256 disk encryption. Daily automated backups retained 7 days. RLS policies on every user-facing table.
Observability
Sentry error tracking with header/cookie/auth scrubbing before send. Vercel log retention. Every API call logged to api_calls with status + response time.
Data integrity
Weekly cron probes every source URL in the corpus. Broken citations flagged in link_audit_log and remediated within the business week.
Dependencies
Dependabot enabled on GitHub. Minimal surface: one API, few npm packages, no unmaintained transitive deps.
Incident response
Solo founder owns all pages. P0 acknowledgment target: 30 minutes during business hours.
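The parameter contract from “Why no PHI matters” and the 401 / 429 behaviour listed under Authentication and Rate limiting above can be exercised from the client side. The following is an added example written for this page, not Auth57's own client or SDK: it builds a lookup from the four categorical parameters only, refuses anything else so a patient identifier can never end up in a query string or a log line, sends the x-api-key header, fails fast on 401, and honours Retry-After (delta-seconds or HTTP-date) on 429 with a capped exponential fallback. The API host, the enum values and the response body shape are placeholders, since the page does not specify them.

```javascript
// Added example, not Auth57's client code. Assumptions: the API host below is a
// placeholder, and the enum values and JSON body shape are illustrative only.
const ALLOWED_PARAMS = new Set(['state', 'program', 'drug', 'service']);

// Build the query string for /v1/pa-lookup. Only the four categorical parameters
// the page documents are accepted; anything else (a name, a DOB, an MRN) is
// rejected before a request is built, so PHI cannot leak into a URL or a log.
function buildLookupQuery(params) {
  const unknown = Object.keys(params).filter((k) => !ALLOWED_PARAMS.has(k));
  if (unknown.length > 0) {
    throw new Error(`refusing non-categorical parameter(s): ${unknown.join(', ')}`);
  }
  if (!params.state || !params.program) throw new Error('state and program are required');
  if (('drug' in params) === ('service' in params)) {
    throw new Error('exactly one of drug or service is required');
  }
  return new URLSearchParams(params).toString();
}

// Retry-After may be delta-seconds or an HTTP-date (RFC 9110 section 10.2.3).
// Returns milliseconds to wait, or null when the header is absent or unparsable.
function retryAfterMs(header, now = Date.now()) {
  if (header == null) return null;
  const value = String(header).trim();
  if (/^\d+$/.test(value)) return Number(value) * 1000;
  const at = Date.parse(value);
  return Number.isNaN(at) ? null : Math.max(0, at - now);
}

// Map a response status to a client action. 401 means the key is invalid, so
// retrying only burns quota and fills the server's auth-failure log; 429 means
// back off for Retry-After (capped at 60 s) and try again, up to maxAttempts.
function planNext(status, retryAfterHeader, attempt, maxAttempts = 3) {
  if (status === 200) return { action: 'done' };
  if (status === 401) return { action: 'fail', reason: 'invalid API key (not retried)' };
  if (status === 429) {
    if (attempt + 1 >= maxAttempts) return { action: 'fail', reason: 'rate limited' };
    const hinted = retryAfterMs(retryAfterHeader);
    const delayMs = hinted ?? 1000 * 2 ** attempt; // exponential fallback when no hint
    return { action: 'retry', delayMs: Math.min(delayMs, 60_000) };
  }
  return { action: 'fail', reason: `unexpected status ${status}` };
}

// Perform the lookup. fetchImpl and sleep are injectable so the flow can be
// exercised offline with a fake transport (see the usage at the bottom).
async function paLookup(params, apiKey, options = {}) {
  const {
    baseUrl = 'https://api.example.invalid', // placeholder, not the real host
    fetchImpl = globalThis.fetch,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    maxAttempts = 3,
  } = options;
  const url = `${baseUrl}/v1/pa-lookup?${buildLookupQuery(params)}`;
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(url, { headers: { 'x-api-key': apiKey } });
    const plan = planNext(res.status, res.headers.get('retry-after'), attempt, maxAttempts);
    if (plan.action === 'done') return res.json();
    if (plan.action === 'fail') throw new Error(plan.reason);
    await sleep(plan.delayMs);
  }
}

// Constructed fake transport that replays a scripted sequence of responses.
function fakeFetchSequence(responses) {
  let i = 0;
  return async () => {
    const r = responses[Math.min(i++, responses.length - 1)];
    return {
      status: r.status,
      headers: { get: (name) => r.headers?.[name.toLowerCase()] ?? null },
      json: async () => r.body,
    };
  };
}

// Usage (runs stand-alone): first call is rate limited, second succeeds.
paLookup(
  { state: 'TX', program: 'medicaid', drug: 'example-drug' }, // constructed values
  '00000000-0000-4000-8000-000000000000', // constructed UUID v4-shaped key
  {
    fetchImpl: fakeFetchSequence([
      { status: 429, headers: { 'retry-after': '2' } },
      { status: 200, body: { verdict: 'PA required' } }, // body shape is illustrative
    ]),
    sleep: async () => {},
  },
).then((body) => console.log('lookup result:', body));
```

The split between planNext and paLookup is deliberate: the retry policy is a pure function of status, header and attempt count, so it can be unit-tested without a network and reviewed on its own, while the async driver stays a few lines long.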
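The Observability entry above says Sentry events have headers, cookies and auth material scrubbed before send. The hook below is an added example of how that kind of scrubbing is done with the Sentry JavaScript SDK's beforeSend option; it is not Auth57's actual configuration, and it assumes the standard Sentry event payload fields (event.request.headers, cookies, query_string, url and event.user). The DSN is a placeholder.

```javascript
// Added example, not Auth57's Sentry configuration. It assumes the standard
// Sentry event payload and is wired in as the SDK's beforeSend hook.
const SENSITIVE_HEADERS = new Set([
  'authorization', 'proxy-authorization', 'x-api-key', 'cookie', 'set-cookie',
]);
const SECRET_QUERY_KEYS = /(api[_-]?key|token|secret|password)=[^&]*/gi;
const FILTERED = '[Filtered]';

// Mask (rather than delete) credential-bearing headers so a triager still sees
// that the header was present, drop cookies entirely, and redact secret-looking
// query parameters and user identifiers. Returns the event for Sentry to send.
function scrubEvent(event) {
  const req = event.request;
  if (req) {
    if (req.headers && typeof req.headers === 'object') {
      for (const name of Object.keys(req.headers)) {
        if (SENSITIVE_HEADERS.has(name.toLowerCase())) req.headers[name] = FILTERED;
      }
    }
    if ('cookies' in req) delete req.cookies;
    if (typeof req.query_string === 'string') {
      req.query_string = req.query_string.replace(SECRET_QUERY_KEYS, `$1=${FILTERED}`);
    }
    if (typeof req.url === 'string') {
      req.url = req.url.replace(SECRET_QUERY_KEYS, `$1=${FILTERED}`);
    }
  }
  if (event.user) {
    delete event.user.ip_address;
    delete event.user.email;
  }
  return event;
}

// Options for Sentry.init. sendDefaultPii stays false so the SDK never attaches
// IPs or cookies on its own; beforeSend is the last line of defence.
function sentryOptions(dsn) {
  return { dsn, sendDefaultPii: false, beforeSend: scrubEvent };
}

// Usage with a constructed event (runs stand-alone; no network involved):
console.log(JSON.stringify(scrubEvent({
  request: {
    headers: { 'X-Api-Key': 'constructed-key', 'Content-Type': 'application/json' },
    cookies: { sid: 'constructed-cookie' },
    query_string: 'state=TX&api_key=constructed-key',
  },
  user: { id: 'key-metadata-id', ip_address: '203.0.113.7' },
})));
```

Masking with a fixed token rather than deleting the header keeps the event shape stable for alert rules, and the regex on query_string and url catches a key that a misbehaving client put in the query string instead of the x-api-key header.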

Compliance roadmap

Honest about what's live, what's next, and what's deferred. We don't pretend to have compliance we don't have.

Done
Architectural PHI exclusion. Day-one design constraint. Reviewed in every new API surface.
Done
Baseline controls. TLS, encryption at rest, MFA, RLS, Sentry, rate limiting, secret rotation — all live.
Q3 2026
Public status page + uptime SLA. status.auth57labs.com with 99.9% uptime commitment on API and Cafe.
Q4 2026
Vendor-risk-questionnaire pre-fill. Completed CAIQ / SIG-Lite responses published.
Q1 2027
SOC 2 Type 1 readiness. Controls defined and documented. Vanta or Drata automation in place.
Q2 2027
SOC 2 Type 1 report. Point-in-time attestation covering security + availability.
Q4 2027
SOC 2 Type 2 report. Six-month observation period concludes.
On demand
HIPAA BAA. Not technically required (no PHI) but we'll sign if your procurement requires it.
On demand
Penetration test. Third-party pen test scheduled when first enterprise deal commits.

Responsible disclosure

If you've found a vulnerability in any Auth57 product, please email security@auth57labs.com. Include steps to reproduce and, if possible, a suggested fix. We acknowledge reports within one business day and will credit researchers on this page (with permission) after the issue is resolved.

We don't currently run a paid bug bounty. We do write thank-you notes and make small charitable donations on behalf of researchers who help us ship safer software.

In scope: *.auth57.io · *.auth57labs.com · the REST API · the MCP server · the subscribe flows.

Out of scope: social engineering · DoS / volumetric testing · third-party subdomains (Calendly, jsdelivr, Supabase, Stripe) · issues in old browser versions.

Vendor-risk team?

If you're evaluating Auth57 for use inside your payer, consultancy, or health-tech org — I'm happy to complete your standard vendor questionnaire, answer security follow-ups, or hop on a 30-minute call with your InfoSec team. Solo founder, direct line, no “I'll have to check with our security team.”

Security contact

General inquiries: hello@auth57labs.com
Responsible disclosure: security@auth57labs.com
Book 30 min with the founder: auth57labs.com/book