Security
Adheros V1 is intentionally scoped to stay outside PHI: we do not touch the data that would force you into HIPAA BAA paperwork. Below is exactly what patient data we store, how it is protected, and what we refuse to collect.
Adheros stores a patient's name, optional contact details (email, phone) and date of birth, dose adherence data, and the patient's own structured symptom log. We do NOT store diagnoses, lab results, SSNs, or clinical notes. A HIPAA BAA becomes available on the Scale plan when we add encrypted clinical notes.
TLS 1.3 for every request. Database storage is encrypted at rest by the managed Postgres provider (Supabase, hosted on AWS). At-rest encryption protects disks and snapshots, not data read through a compromised application session; that is what the row-level policies described next are for. Patient notifications go out over Web Push with VAPID-signed requests (RFC 8292), so the browser's push service can verify that each message originates from Adheros' server key.
Postgres row-level security (RLS) policies enforce that clinic staff see only their own clinic's data and that patients see only their own records. The database applies these policies to every query, so a bug in the application layer cannot widen what a user's session is allowed to read.
Every meaningful action (patient invited, dose logged, observation reviewed, message sent, trial warning sent) appends a row to an append-only audit_log table; rows are never updated or deleted. Clinic owners can review the log under /app/audit.
Clinic accounts authenticate with magic-link email plus mandatory 2FA; Adheros stores no passwords. Patient invites use single-use 256-bit random tokens that are invalidated the moment they are accepted.
Supabase and AWS are both SOC 2 Type II audited. Data is US-region by default. Adheros itself is operated from San Antonio; no offshore contractors touch production data.
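The schema below is an added, illustrative example of how clinic and patient scoping is expressed as Postgres RLS policies on a Supabase-style database; it is not Adheros' actual schema. The table and column names (clinics, clinic_staff, patients, dose_logs), the is_staff_of() helper, and the use of Supabase's auth.uid() function and authenticated role are assumptions.

```sql
-- Added example, not Adheros' schema. Table and column names are assumed.
-- Assumes Supabase's auth.uid() helper and its `authenticated` role exist
-- (on plain Postgres, replace auth.uid() with your own session-to-user mapping).

create table clinics (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Which auth users belong to which clinic. A user may be staff at several clinics.
create table clinic_staff (
  user_id   uuid not null,                         -- auth.users.id
  clinic_id uuid not null references clinics(id),
  primary key (user_id, clinic_id)
);

create table patients (
  id        uuid primary key default gen_random_uuid(),
  clinic_id uuid not null references clinics(id),
  user_id   uuid unique,                           -- auth.users.id, set once the invite is accepted
  name      text not null
);

create table dose_logs (
  id         bigint generated always as identity primary key,
  patient_id uuid not null references patients(id),
  compound   text not null,
  status     text not null,
  logged_at  timestamptz not null default now()
);

-- RLS is off until enabled; FORCE applies it to the table owner as well.
alter table clinic_staff enable row level security;
alter table clinic_staff force row level security;
alter table patients     enable row level security;
alter table patients     force row level security;
alter table dose_logs    enable row level security;
alter table dose_logs    force row level security;

-- Staff can read only their own membership rows. This also keeps the
-- subqueries below from reaching other users' memberships.
create policy staff_own_membership on clinic_staff
  for select to authenticated
  using (user_id = auth.uid());

-- Reusable predicate: is the current user staff at clinic c?
create function is_staff_of(c uuid) returns boolean
  language sql stable security invoker as $$
    select exists (select 1 from clinic_staff s
                   where s.clinic_id = c and s.user_id = auth.uid())
  $$;

-- Staff: full access to patients of their clinics. USING filters reads, updates and
-- deletes; WITH CHECK stops inserting or moving a patient into a clinic the user
-- is not staff at.
create policy staff_clinic_scope on patients
  for all to authenticated
  using (is_staff_of(clinic_id))
  with check (is_staff_of(clinic_id));

-- Patients: read their own record only.
create policy patient_self on patients
  for select to authenticated
  using (user_id = auth.uid());

-- Dose logs inherit scope from the patient row they belong to. The subquery on
-- patients is itself filtered by the policies above, so a user can only reach
-- (or write) logs of patients they are allowed to see.
create policy dose_logs_scope on dose_logs
  for all to authenticated
  using (exists (select 1 from patients p where p.id = dose_logs.patient_id))
  with check (exists (select 1 from patients p where p.id = dose_logs.patient_id));

-- Check: impersonate a user inside a transaction and confirm what is visible.
-- Current Supabase versions read auth.uid() from the `sub` claim of
-- request.jwt.claims, which is the setting PostgREST fills from the bearer token.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
  select count(*) from patients;   -- only rows that user's policies admit
rollback;
```

Two caveats a reviewer should check against any RLS deployment of this shape: enabling RLS on a table with no policy denies every row to non-bypass roles (a safe failure, but an easy source of "nothing loads" bugs), and roles with the BYPASSRLS attribute, which includes the Supabase service_role, skip these policies entirely, so that credential must only ever be used server-side.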
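One way to make an audit table append-only at the database level, as an added example rather than Adheros' own migration: privileges stop the API roles from changing or removing rows, triggers make the same operations fail even for the table owner, and an RLS policy restricts reading to clinic owners. Table and column names, the owner/staff role column, and the Supabase roles (anon, authenticated) and auth.uid() are assumptions.

```sql
-- Added example, not Adheros' schema. Names are assumed; Supabase's roles
-- (anon, authenticated) and auth.uid() are assumed to exist.

create table clinic_staff (
  user_id   uuid not null,
  clinic_id uuid not null,
  role      text not null check (role in ('owner', 'staff')),
  primary key (user_id, clinic_id)
);

create table audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  clinic_id   uuid not null,
  actor_id    uuid default auth.uid(),      -- null for system jobs such as trial warnings
  action      text not null check (action in (
                'patient_invited', 'dose_logged', 'observation_reviewed',
                'message_sent', 'trial_warning_sent')),
  target_id   uuid,                         -- the patient, observation or message acted on
  detail      jsonb not null default '{}'::jsonb
);

-- Layer 1: privileges. API roles may append and read, never change or remove.
revoke all on audit_log from public, anon, authenticated;
grant insert, select on audit_log to authenticated;

-- Layer 2: triggers. A later migration can widen grants by mistake; these make
-- UPDATE, DELETE and TRUNCATE fail regardless of privileges, owner included.
create or replace function audit_log_reject_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only (% rejected)', tg_op
    using errcode = 'insufficient_privilege';
end
$$;

create trigger audit_log_no_row_mutation
  before update or delete on audit_log
  for each row execute function audit_log_reject_mutation();

-- TRUNCATE is statement-level and not caught by row triggers.
create trigger audit_log_no_truncate
  before truncate on audit_log
  for each statement execute function audit_log_reject_mutation();

-- Layer 3: row visibility. Only owners of a clinic can read its rows (what an
-- /app/audit page would query); any member of the clinic can append to it.
alter table audit_log enable row level security;
alter table audit_log force row level security;

create policy audit_owner_read on audit_log
  for select to authenticated
  using (exists (select 1 from clinic_staff s
                 where s.clinic_id = audit_log.clinic_id
                   and s.user_id = auth.uid()
                   and s.role = 'owner'));

create policy audit_member_append on audit_log
  for insert to authenticated
  with check (exists (select 1 from clinic_staff s
                      where s.clinic_id = audit_log.clinic_id
                        and s.user_id = auth.uid()));

-- Check (run as the migration/admin user): inserting then updating a row must
-- fail with SQLSTATE 42501 from our trigger. The DO block's subtransaction
-- rolls the test row back when the exception fires.
do $$
declare v_id bigint;
begin
  insert into audit_log (clinic_id, action)
    values (gen_random_uuid(), 'dose_logged') returning id into v_id;
  update audit_log set action = 'message_sent' where id = v_id;
  raise exception 'audit_log accepted an UPDATE';
exception when insufficient_privilege then
  if sqlerrm like 'audit_log is append-only%' then
    raise notice 'mutation blocked as expected: %', sqlerrm;
  else
    raise;   -- a different privilege problem, e.g. the insert itself was rejected
  end if;
end
$$;
```

The limit of this pattern is worth stating: a superuser, or the table owner, can still disable the trigger or drop the table, so "immutable" here means immutable to every application and staff role. Tamper-evidence against an administrator requires shipping the rows to a separate write-once store as well.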
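The functions below are an added example of the invite-token pattern described above, written for Postgres with pgcrypto; they are not Adheros' code. The page specifies only that tokens are 256-bit random and expire on accept; the table and function names and the 7-day fallback lifetime are assumptions, and the example goes one step further than the text by storing only a hash of the token so that a database copy cannot be replayed.

```sql
-- Added example, not Adheros' code. Names and the 7-day fallback lifetime are
-- assumptions; the page specifies only 256-bit random tokens that expire on accept.

create extension if not exists pgcrypto;   -- provides gen_random_bytes()

create table patient_invites (
  id          uuid primary key default gen_random_uuid(),
  patient_id  uuid not null,
  token_hash  bytea not null unique,       -- sha256(raw token); the raw token is never stored
  created_at  timestamptz not null default now(),
  expires_at  timestamptz not null default now() + interval '7 days',
  accepted_at timestamptz                  -- set exactly once; non-null means spent
);

-- Mint an invite. The raw token is returned once, to be embedded in the email
-- link; only its hash is kept, so a leaked table gives an attacker nothing to replay.
create or replace function mint_invite(p_patient_id uuid) returns text
language plpgsql as $$
declare
  raw bytea := gen_random_bytes(32);       -- 32 bytes = 256 bits from the OS CSPRNG
begin
  insert into patient_invites (patient_id, token_hash)
    values (p_patient_id, sha256(raw));
  return encode(raw, 'hex');               -- 64 hex chars, URL-safe without escaping
end
$$;

-- Redeem an invite. The single UPDATE is the whole check-and-spend: the row must
-- match the hash, be unspent and unexpired, and is marked spent in the same
-- statement, so two concurrent requests with the same token cannot both succeed.
-- Malformed tokens are rejected by decode() before any lookup happens.
create or replace function accept_invite(p_token text) returns uuid
language plpgsql as $$
declare
  v_patient_id uuid;
begin
  update patient_invites
     set accepted_at = now()
   where token_hash = sha256(decode(p_token, 'hex'))
     and accepted_at is null
     and expires_at > now()
  returning patient_id into v_patient_id;

  if v_patient_id is null then
    -- One message for unknown, spent and expired tokens: no oracle for an attacker.
    raise exception 'invite is invalid or no longer valid'
      using errcode = 'invalid_parameter_value';
  end if;
  return v_patient_id;   -- the caller links the authenticated user to this patient
end
$$;

-- Check: a token redeems once and only once. Wrapped in a rolled-back
-- transaction so the test rows leave no trace.
begin;
do $$
declare
  t text := mint_invite(gen_random_uuid());
begin
  perform accept_invite(t);                -- first use succeeds
  begin
    perform accept_invite(t);              -- second use must fail
    raise exception 'invite was redeemable twice';
  exception when invalid_parameter_value then
    raise notice 'replay blocked as expected';
  end;
end
$$;
rollback;
```

Looking the hash up through an ordinary unique index is acceptable here: the attacker's only route is guessing the 256-bit token itself, so a timing difference in the hash comparison leaks nothing they can use. What does matter is that the raw token travels only in the email link and is never logged or stored.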
| Field | Required? | Why |
|---|---|---|
| Patient name | Yes | To label the record. |
| Patient email | No | Send install invites and clinic messages. |
| Patient phone | No | Reference only. We never send SMS without per-message consent. |
| Date of birth | No | Optional age context for the clinician. |
| Dose log (compound, status, timestamp, site) | Yes | Core feature. Tracks adherence. |
| Symptom log (mood, energy, sleep, chips) | No | Patient self-reports. Drives AI observations. |
| Free-text symptom note | No | Optional. NEVER sent to AI providers. |
What we don't collect: SSN, insurance ID, lab results, diagnosis codes, clinical chart notes, prescription images, or any other field that would require a HIPAA BAA. If we add encrypted clinical notes on the Scale plan, you'll sign a BAA before any data flows.
Email security@adheros.health with a description of the issue and steps to reproduce. We acknowledge within 24 hours and patch critical issues within 72 hours.
We don't run a public bug bounty yet. We do credit reporters in the repo CHANGELOG.