Security Practices
Security is foundational to InterpretReflect. We implement industry-leading practices to protect your data and maintain your trust.
Last updated: January 11, 2026
Security at a Glance
AES-256 Encryption
Data encrypted at rest and in transit
SOC 2 Infrastructure
Hosted on certified platforms
HIPAA-Aligned
Healthcare-grade data handling
Infrastructure Security
Our infrastructure is built on enterprise-grade, certified platforms.
Supabase (Database & Auth)
- SOC 2 Type II certified
- HIPAA-eligible configuration
- Hosted on AWS with multi-AZ redundancy
- Daily automated backups
- Point-in-time recovery
Vercel (Application Hosting)
- SOC 2 Type II certified
- Global edge network
- DDoS protection built-in
- Automatic HTTPS/TLS
- Zero-trust architecture
Data Encryption
Encryption at Rest
- AES-256 encryption for all stored data
- Encrypted database backups
- Encrypted file storage (documents, certificates)
- Hardware Security Modules (HSM) for key management
Encryption in Transit
- TLS 1.3 for all connections
- HTTPS enforced across all endpoints
- Certificate transparency monitoring
- HSTS (HTTP Strict Transport Security) enabled
Access Controls
Authentication
- Secure password hashing (bcrypt)
- Multi-factor authentication (MFA) support
- OAuth 2.0 / OIDC for third-party auth
- Session timeout controls
- Brute-force protection
Authorization
- Row-Level Security (RLS) on all database tables
- Role-based access control (RBAC)
- Principle of least privilege
- Separate user, admin, and service role permissions
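To illustrate what row-level security with separate user, admin, and service roles looks like on a Supabase-hosted Postgres database, here is an added example; it is not InterpretReflect's own schema, and the table name, column names and the `app_role` JWT claim are assumptions.

```sql
-- Hypothetical table (assumption, not the real schema): one row per user-owned record.
create table if not exists reflections (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid(),   -- auth.uid(): Supabase helper reading the JWT subject
  body       text not null,
  created_at timestamptz not null default now()
);

-- Deny by default: with RLS enabled and no policies, the anon and authenticated
-- roles get zero rows back. FORCE applies the policies to the table owner too;
-- only roles with BYPASSRLS (Supabase's service_role, reserved for trusted
-- server-side code) skip them entirely.
alter table reflections enable row level security;
alter table reflections force row level security;

-- User role: a signed-in caller can only read and write rows it owns.
create policy "owner reads own rows" on reflections
  for select to authenticated
  using (owner_id = auth.uid());

create policy "owner inserts own rows" on reflections
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "owner updates own rows" on reflections
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Admin role: read-only view of every row, keyed off a custom JWT claim that is
-- assumed to be minted server-side (never settable by the client).
create policy "admin reads all rows" on reflections
  for select to authenticated
  using (coalesce(auth.jwt() ->> 'app_role', '') = 'admin');

-- Least privilege at the API surface: the unauthenticated anon role gets no
-- policies and no table grants, so it cannot see or touch this table at all.
revoke all on reflections from anon;
```

A quick check from the client side: querying the table with a user JWT should return only that user's rows, and querying with the anon key should return nothing rather than an error.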
Application Security
Secure Development
- OWASP Top 10 vulnerability prevention
- Input validation and sanitization
- SQL injection protection (parameterized queries)
- XSS protection (Content Security Policy)
- CSRF token protection
Dependency Security
- Automated dependency vulnerability scanning
- Regular security updates
- Software composition analysis
- Lock file integrity verification
Monitoring & Incident Response
Continuous Monitoring
- 24/7 infrastructure monitoring
- Real-time alerting for anomalies
- Security event logging and retention
- Automated threat detection
Incident Response
- Documented incident response procedures
- Defined escalation paths
- Customer notification within 72 hours of a confirmed breach
- Post-incident review and remediation
Compliance & Certifications
SOC 2 Certified Infrastructure
Our application is hosted on SOC 2 Type II certified platforms (Supabase for database/auth, Vercel for hosting), ensuring enterprise-grade security controls.
HIPAA-Aligned
We implement HIPAA-aligned practices for data handling. Business Associate Agreements available upon request for covered entities.
RID Compliance
Approved RID CMP Sponsor (#2309) with full compliance for CEU program administration. See our RID Compliance page.
PCI DSS
Payment processing handled by Stripe (PCI DSS Level 1 certified). We never store credit card numbers directly.
AI Security (Elya)
Our AI assistant Elya is powered by Anthropic's Claude, with additional security measures:
- Conversations are not used to train AI models
- No personal data is stored by Anthropic
- Elya is designed to avoid requesting PHI or confidential consumer information
- Content filtering for harmful or inappropriate responses
- Conversation history is encrypted and user-controlled
Responsible Disclosure
We value the security research community. If you discover a security vulnerability:
Report to:
info@buildingbridgeslearning.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Your contact information
We commit to acknowledging reports within 48 hours and keeping you informed of remediation progress. We do not pursue legal action against good-faith security researchers.
Security Questions?
For security inquiries, compliance documentation requests, or BAA discussions:
Security: info@buildingbridgeslearning.com
Compliance: info@buildingbridgeslearning.com