Skip to main content
Trust · Security + compliance posture

What's live today vs. what's gated on the first signed partner.

This page reads from the same controls inventory engineering uses internally. It's honest about the phase: most controls in the "Design partner" column are scheduled for the pilot deployment, not implemented yet. The "Production" column is everything we expect to ship before a paid customer.

16
Live in demo
17
Gated on design partner
4
Pre-production roadmap
Network + Transport

Edge security

  • Live
    TLS 1.3 (HTTPS-only)
    All adkinslabs.dev traffic enforced via Vercel HSTS preload.
  • Live
    HTTP/2
    Default on Vercel edge.
  • Live
    Strict-Transport-Security header
    Set by Next.js config; 2-year max-age.
  • Design partner
    Content-Security-Policy
    Lockdown CSP planned for pilot phase.
  • Production
    Web Application Firewall
    Vercel Firewall rules configured pre-launch.
Authentication + Session

Access control

  • Live
    bcrypt password hashing (cost 10)
    No plaintext passwords stored.
  • Live
    JWT in HttpOnly · Lax · Secure cookies
    jose-signed HS256, 24h TTL.
  • Live
    Auth rate limiting (IP + email)
    20 attempts / IP / 15 min · 5 attempts / email / 15 min.
  • Live
    CSRF double-submit cookie pattern
    pneuma_csrf cookie + x-csrf-token header for state-changing requests.
  • Live
    Multi-tenant strict isolation
    Every query scoped by tenant_id; null-tenant rejected by middleware.
  • Design partner
    MFA / WebAuthn for clinical staff
    Required by JCI MOI.2 — Phase 3 build.
  • Production
    SSO (SAML / OIDC)
    Per-hospital identity provider integration.
Data Protection

At-rest + in-transit

  • Live
    AES-256-GCM PII column encryption
    passport_number encrypted with iv:tag:ciphertext envelope.
  • Live
    Full-disk encryption (Neon Postgres)
    Storage-layer encryption provided by Neon.
  • Design partner
    Tenant-scoped key derivation (HKDF)
    Per-tenant keys derived from master + tenant_id.
  • Design partner
    Encryption key rotation
    Versioned keys with re-encryption migration on rotation.
  • Design partner
    PII redaction in logs
    pino-http with redact paths on all routes.
Audit + Compliance

PDPA + JCI alignment

  • Live
    Auth event audit log (every login attempt)
    auth_audit_event table; insert per success/failure/logout/rate-limit/csrf.
  • Design partner
    PHI access audit log
    Per-row read logging on all dashboard queries.
  • Design partner
    PDPA consent ledger
    Append-only consent + withdrawal endpoint; UI capture flow.
  • Design partner
    PDPA RTBF (right-to-be-forgotten) processor
    Async deletion request worker, statutory grace period.
  • Design partner
    PDPA retention sweep
    Daily cron deleting records past statutory retention.
  • Production
    Tamper-evident audit log (append-only enforcement)
    DB triggers prevent UPDATE/DELETE on audit table.
  • Production
    SOC 2 Type II
    Estimated 18-month roadmap; tracking via Drata or Vanta.
Reliability

Operations + uptime

  • Live
    Health check endpoint
    GET /api/health returns DB liveness + commit SHA.
  • Live
    Automated daily DB backups
    Neon point-in-time recovery (7-day window on free tier; 30d on prod plan).
  • Live
    CI/CD on git push
    Vercel auto-deploy from main branch.
  • Design partner
    Structured logging (pino)
    Replace ad-hoc console.log with structured JSON.
  • Design partner
    External error tracking (Sentry)
    Sentry integration for runtime exception capture.
  • Design partner
    Uptime monitoring + alerting
    External pinger (Better Uptime / Pingdom) with on-call rotation.
  • Design partner
    Staging environment
    Separate Vercel environment with isolated DB.
  • Design partner
    Documented DR runbook
    See docs/DR_RUNBOOK.md (in repo).
Data Residency

Where data lives

  • Live
    TLS 1.3 in transit (global)
    Vercel edge network.
  • Live
    Demo data: Neon us-east-1
    Demo environment — no real patient data; geography is fine.
  • Design partner
    Patient data: Bangkok or Singapore
    Azure Thailand North if GA; Neon ap-southeast-1 (Singapore) as documented PDPA-disclosed interim.
  • Design partner
    Cross-border transfer consent
    Per-patient PDPA consent with explicit purpose (home_country_pcp_share).
  • Design partner
    DPA with Neon / Vercel / sub-processors
    Pre-pilot signing of all vendor data processing agreements.

Want the full controls roadmap?

docs/ENTERPRISE_READINESS.md in the repo has the timeline, the gap analysis, and the order of operations. Available on request under NDA.

Request the roadmap