Compliance Frameworks
We design, build, and operate Tesa Cloud to meet the highest healthcare industry standards.
| Framework | Scope | Status |
|---|---|---|
| HIPAA Security Rule | All administrative, physical, and technical safeguards for electronic Protected Health Information (ePHI) | Compliant |
| ISO/IEC 27001:2022 | Information Security Management System — 93 Annex A controls across organisational, people, physical, and technological themes | Aligned |
| WCAG 2.1 Level AA | Web Content Accessibility Guidelines for all public-facing pages | Achieved |
| OWASP Top 10 | Automated and manual security testing against common web application vulnerabilities | Tested |
Data Protection
Patient data is protected at every layer — from the browser to the database.
Encryption Everywhere
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. HSTS with preload is enforced across all domains.
Row-Level Security
Every database table enforces row-level security policies. Users can only access data belonging to their organisation — enforced at the database engine level, not application code.
Environment Isolation
Development, staging, and production environments are fully isolated in separate cloud projects with distinct credentials. No production data is ever used in non-production environments.
Access Controls
Role-based permissions with granular controls for each team member. Primary users manage access for their organisation; changes take effect immediately.
Patient Consent
Patient email addresses are verified via secure, single-use tokens before any clinical information is sent. Patients explicitly opt in to communications, with a full audit trail.
Audit Logging
All access and changes to patient data are logged with seven-year retention. Audit trails capture who accessed what, when, and from where.
Authentication & Identity
Multiple layers of identity verification protect every account.
Passkeys & Biometrics
Phishing-resistant passwordless login via WebAuthn/FIDO2. Supports Face ID, Touch ID, Windows Hello, and hardware security keys.
Multi-Factor Authentication
TOTP-based MFA with any standard authenticator app. Includes recovery codes for account access if a device is lost.
OAuth 2.0 & OIDC
Standards-based authorization with PKCE, JWT tokens, and OpenID Connect. Enables secure third-party integrations without sharing credentials.
Infrastructure & Operations
Enterprise-grade cloud infrastructure with security built in from the ground up.
Cloud-Native Architecture
Hosted on Google Cloud Platform with auto-scaling serverless functions, managed databases, and globally distributed content delivery via Cloudflare.
Web Application Firewall
Cloudflare WAF with managed OWASP rulesets provides DDoS protection, bot mitigation, and rate limiting across all endpoints.
Infrastructure as Code
All cloud resources are managed through version-controlled Terraform configurations, ensuring reproducible, auditable infrastructure changes with no manual modifications.
Security Headers
All pages are served with strict Content Security Policy, HSTS with preload, X-Frame-Options, and Subresource Integrity on external resources.
Governance & Policies
Comprehensive information security policies underpin our technical controls.
- Information Security Policy
- Secure Development Lifecycle Policy
- Patch Management Policy
- Incident Management Policy
- Incident Response Plan
- Business Continuity Management Policy
- Disaster Recovery Policy
- Privacy Policy
Vendor & Supplier Security
We partner with industry-leading cloud providers who meet the highest security standards.
Google Cloud Platform
SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, HIPAA BAA executed. Hosts all serverless functions, storage, and container workloads.
Supabase
SOC 2 Type II certified. Manages authentication, PostgreSQL database with row-level security, and real-time subscriptions.
Cloudflare
SOC 2 Type II, ISO 27001, PCI DSS Level 1. Provides DNS, TLS termination, CDN, WAF, and DDoS protection for all domains.
Our Security Principles
The values that guide every decision we make about your data.
Security by Default
Every feature is designed with security controls from day one — not added as an afterthought.
Least Privilege
Every user, service, and system component has only the minimum access needed to perform its function.
Continuous Monitoring
Automated vulnerability scanning, uptime monitoring, and audit logging keep our systems healthy around the clock.
Transparency
We maintain clear documentation, publish our privacy policy, and provide data access and deletion rights to all users.