Tesa Cloud

Trust & Security

Tesa Cloud is built for healthcare. Every layer of our platform is designed to protect patient data, meet regulatory requirements, and give clinicians confidence in the tools they rely on.

Compliance Frameworks

We design, build, and operate Tesa Cloud to meet the highest healthcare industry standards.

FrameworkScopeStatus
HIPAA Security Rule All administrative, physical, and technical safeguards for electronic Protected Health Information (ePHI) Compliant
ISO/IEC 27001:2022 Information Security Management System — 93 Annex A controls across organisational, people, physical, and technological themes Aligned
WCAG 2.1 Level AA Web Content Accessibility Guidelines for all public-facing pages Achieved
OWASP Top 10 Automated and manual security testing against common web application vulnerabilities Tested

Data Protection

Patient data is protected at every layer — from the browser to the database.

Encryption Everywhere

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. HSTS with preload is enforced across all domains.

Row-Level Security

Every database table enforces row-level security policies. Users can only access data belonging to their organisation — enforced at the database engine level, not application code.

Environment Isolation

Development, staging, and production environments are fully isolated in separate cloud projects with distinct credentials. No production data is ever used in non-production environments.

Access Controls

Role-based permissions with granular controls for each team member. Primary users manage access for their organisation; changes take effect immediately.

Patient Consent

Patient email addresses are verified via secure, single-use tokens before any clinical information is sent. Patients explicitly opt in to communications, with a full audit trail.

Audit Logging

All access and changes to patient data are logged with seven-year retention. Audit trails capture who accessed what, when, and from where.

Authentication & Identity

Multiple layers of identity verification protect every account.

Passkeys & Biometrics

Phishing-resistant passwordless login via WebAuthn/FIDO2. Supports Face ID, Touch ID, Windows Hello, and hardware security keys.

Multi-Factor Authentication

TOTP-based MFA with any standard authenticator app. Includes recovery codes for account access if a device is lost.

OAuth 2.0 & OIDC

Standards-based authorization with PKCE, JWT tokens, and OpenID Connect. Enables secure third-party integrations without sharing credentials.

Infrastructure & Operations

Enterprise-grade cloud infrastructure with security built in from the ground up.

Cloud-Native Architecture

Hosted on Google Cloud Platform with auto-scaling serverless functions, managed databases, and globally distributed content delivery via Cloudflare.

Web Application Firewall

Cloudflare WAF with managed OWASP rulesets provides DDoS protection, bot mitigation, and rate limiting across all endpoints.

Infrastructure as Code

All cloud resources are managed through version-controlled Terraform configurations, ensuring reproducible, auditable infrastructure changes with no manual modifications.

Security Headers

All pages are served with strict Content Security Policy, HSTS with preload, X-Frame-Options, and Subresource Integrity on external resources.

Governance & Policies

Comprehensive information security policies underpin our technical controls.

Vendor & Supplier Security

We partner with industry-leading cloud providers who meet the highest security standards.

Google Cloud Platform

SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, HIPAA BAA executed. Hosts all serverless functions, storage, and container workloads.

Supabase

SOC 2 Type II certified. Manages authentication, PostgreSQL database with row-level security, and real-time subscriptions.

Cloudflare

SOC 2 Type II, ISO 27001, PCI DSS Level 1. Provides DNS, TLS termination, CDN, WAF, and DDoS protection for all domains.

Our Security Principles

The values that guide every decision we make about your data.

Security by Default

Every feature is designed with security controls from day one — not added as an afterthought.

Least Privilege

Every user, service, and system component has only the minimum access needed to perform its function.

Continuous Monitoring

Automated vulnerability scanning, uptime monitoring, and audit logging keep our systems healthy around the clock.

Transparency

We maintain clear documentation, publish our privacy policy, and provide data access and deletion rights to all users.

Have questions about our security practices?

We are happy to discuss our security posture, compliance documentation, or data protection measures.

Contact Our Security Team