Skip to main content
    Security Framework

    How We Protect Your Data

    NeuroFlow is a multi-tenant SaaS platform serving professionals across regulated industries — real estate, mortgage, healthcare, insurance, and financial services. Security isn't a feature we added later. It is the foundation upon which every other feature is built.

    HIPAA
    Health Data
    GLBA
    Financial Data
    AES-256
    Encryption at Rest
    TLS 1.3
    Encryption in Transit

    Why Security Is Non-Negotiable

    Every day, our platform processes and stores data that falls under some of the most stringent regulatory frameworks in the United States:

    PHI — Protected Health Information

    Patient records, blood panels, wellness assessments, and clinical notes governed by HIPAA.

    NPI — Non-Public Personal Information

    Financial records, loan details, transaction histories, and credit data governed by GLBA.

    PII — Personally Identifiable Information

    Contact details, identification numbers, and personal profiles governed by both frameworks and state privacy laws.

    What HIPAA and GLBA Require

    HIPAA requires covered entities to implement administrative, physical, and technical safeguards to protect electronic health information — including access controls, audit trails, encryption, and transmission security. Violations can result in fines up to $50,000 per incident with annual maximums of $1.5 million.

    GLBA requires financial institutions to safeguard sensitive data through a written information security plan, risk assessment, access controls, encryption, activity monitoring, and incident response procedures.

    Platform Architecture

    NeuroFlow is built on a modern, security-conscious technology stack where each layer is chosen not just for performance, but for the security guarantees it provides.

    Frontend

    • React + TypeScript for compile-time safety
    • Vite — optimized, minified production builds
    • Netlify — SOC 2 Type II, DDoS protection, auto HTTPS

    Backend

    • Supabase — SOC 2, AES-256, managed PostgreSQL
    • 200+ Edge Functions in Deno's sandboxed runtime
    • Automated backups with point-in-time recovery

    CDN & Compute

    • Cloudflare Workers — global edge compute
    • Enterprise DDoS mitigation and WAF
    • Automatic SSL/TLS on all connections

    Why Managed Infrastructure?

    We rely on managed providers (Supabase, Netlify, Cloudflare) not as a shortcut — but as a security strategy. We inherit their dedicated security teams: OS patches applied within hours, 24/7 network firewalls, and SOC 2 compliance. This lets our engineering team focus entirely on application-level security — access controls, data isolation, and compliance features specific to regulated industries.

    Multi-Tenant Data Isolation

    The Core Challenge

    Hundreds of organizations share the same database infrastructure. A brokerage in Texas, a clinic in New York, and a mortgage company in California may all have data in the same cluster. The question: how do you guarantee that Organization A can never see, modify, or even detect the existence of Organization B's data?

    Many platforms solve this at the application layer — the code checks permissions before returning data. This has a fatal flaw: a single bug can expose data across organizational boundaries. NeuroFlow takes a fundamentally different approach.

    Database-Level Enforcement with Row Level Security

    Every table containing organizational data is protected by Row Level Security (RLS) — a PostgreSQL feature that enforces access rules at the database engine level. No matter how a query reaches the database — frontend, API, serverless function, or admin console — the database itself refuses to return unauthorized rows.

    Application-Level Security (Others)

    Like a locked door — someone with the right tools can pick the lock. A missing permission check or overlooked API endpoint can become a breach.

    Database-Level Security (NeuroFlow)

    Like a wall — data physically cannot flow to unauthorized parties. Even a critical application bug cannot leak data across organizational boundaries.

    How RLS Works in Practice

    1

    Is this user a member of Organization A? — verified against the organization_members table

    2

    Does Organization A own this row? — verified against the organization_id column

    3

    Does this user have the right role for this operation? — SELECT, INSERT, UPDATE, and DELETE each have independent policies

    If any check fails, the row simply does not exist from the user's perspective. No error message revealing data exists but is inaccessible — it is as if the data was never there.

    Multi-Schema Architecture

    Beyond row-level isolation, NeuroFlow organizes data into 20+ separate PostgreSQL schemas by domain — foundation, regulated verticals, and business modules each live in their own namespace, enabling tailored access controls and compliance policies per domain:

    SchemaPurposeRegulatory Context
    coreUser profiles, organizations, authenticationFoundation for all access control
    sharedCRM contacts, tasks, opportunities, projectsGeneral business data
    real_estateTransactions, milestones, IDX/MLS, lead workflowsIndustry-specific operations
    mortgageLoan processing, lending workflowsGLBA-regulated financial data
    creCommercial real estate transactions and operationsIndustry-specific operations
    healthPatient records, clinical data, wellnessHIPAA-regulated PHI
    financePayments, invoices, billing, cap tablesGLBA-regulated financial data
    telecomCarrier costs, line inventory, telecom importsIndustry-specific operations
    salesSales pipelines, quotes, opportunitiesGeneral business data
    marketingCampaigns, automations, audiencesGeneral business data
    inventoryStock, SKUs, warehouse managementGeneral business data
    analyticsEngagement events, metrics, reportingAggregated business intelligence
    contractsContract templates, e-signatures, workflowsLegal documents and PII
    licensingLicense agreements and usage trackingIndustry-specific operations
    contentPages, articles, hyperlocal locationsGeneral business data
    builderWebsite builder configs, templates, layoutsIndustry-specific operations
    messagingConversations, threads, communicationsPII — communications
    lmsCourses, lessons, training recordsGeneral business data
    portalPublic-facing portal data, client uploadsGeneral business data with PII
    publicRLS helper functions and legacy utility tablesMigration / transitional namespace

    The Agency Hierarchy

    NeuroFlow supports complex organizational structures. A parent brokerage might oversee branch offices, or a healthcare network might manage clinic locations. The RLS system handles this through a recursive hierarchy — enforced at the database level, not in application code — so it cannot be circumvented by a frontend bug.

    Encryption and Data Protection

    Encryption at Rest

    All data is encrypted using AES-256 — the same standard used by the U.S. government for classified information. Data is encrypted the moment it's written to disk and decrypted only through authenticated channels.

    Encryption in Transit

    Every connection uses TLS 1.3 — browser-to-server, server-to-database, edge functions, and inter-service communications. HSTS headers ensure browsers never downgrade to unencrypted connections.

    Document and File Security

    Private Storage Buckets — No publicly accessible URLs for any uploaded file. Storage is private by default.
    Organization-Scoped Paths — Files stored in paths prefixed by organization ID, enabling storage-level RLS policies.
    Signed URLs — Cryptographically signed URLs expire after one hour. They cannot be forged, shared meaningfully, or reused.
    No Sensitive Metadata — File paths use timestamps and random suffixes — never patient names, account numbers, or identifying information.

    Authentication and Access Control

    Authentication Methods

    • Email + password with bcrypt hashing
    • Magic links for passwordless auth
    • SSO for enterprise deployments

    Session Management

    • 7-day inactivity expiration
    • Refresh token rotation on each use
    • All sessions tied to user identity for audit

    Role-Based Access Control

    RoleCapabilities
    OwnerFull access including org deletion and billing
    AdminFull access except organization deletion
    MemberStandard access to assigned modules
    ViewerRead-only access to permitted data

    IP Allowlisting

    Restrict access to specific IP addresses or ranges. Unauthorized connections are blocked immediately, logged with source IP and timestamp, and visible to admins on the compliance dashboard.

    Time-Based Access

    Configurable per role — agents restricted to business hours while owners retain 24/7 access. Automatic session termination with 15/10/5-minute warning countdowns.

    Audit Logging and Compliance Monitoring

    Every interaction with sensitive data generates an audit record designed to satisfy both HIPAA and GLBA requirements:

    FieldPurpose
    User identityWho accessed the data
    OrganizationWhich org context was active
    Table accessedWhich data set was queried
    Operation typeSELECT, INSERT, UPDATE, or DELETE
    IP addressWhere the request originated
    Record countHow many records were involved
    Data classificationPII, Financial, Health, or General
    TimestampWhen the access occurred

    Anomaly Detection

    AnomalyThresholdResponse
    Excessive queries>1,000/hourRate limiting + investigation
    Multiple IPs>3 per userUser verification
    After-hours accessOutside configured windowsAlert + potential lockout
    Mass data exportUnusual record countsImmediate admin alert
    Auth spikes>50 failures/hourAccount lockout + investigation

    Data Retention and Purging

    Delete

    Permanent removal of expired records

    Archive

    Move to cold storage with restricted access

    Anonymize

    Remove PII while preserving data structure for analytics

    API and Edge Function Security

    Sandboxed Runtime

    200+ Edge Functions run in Deno's secure runtime — sandboxed by default with no file system, network, or env variable access unless explicitly granted. Each function operates in isolation.

    CORS Protection

    Only requests from *.neuroflowapp.com are accepted in production. Unauthorized origins get 403 Forbidden. CORS validated on every request, not just preflight.

    Security Headers

    Every response includes Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, and Referrer-Policy headers protecting against XSS, MIME sniffing, and downgrade attacks.

    Rate Limiting

    Sliding window algorithm tracking frequency per user and IP. Configurable thresholds per endpoint with standard 429 responses and Retry-After headers. All events logged.

    HIPAA and GLBA Compliance

    HIPAA Compliance

    • Technical (§164.312) — RLS access controls, PHI audit logging, database integrity, TLS 1.3 transmission
    • Administrative (§164.308) — Security operations guide, incident response, workforce access management
    • Physical (§164.310) — SOC 2 Type II providers with biometric access, 24/7 surveillance
    • Dedicated health schema — PHI in separate logical space with HIPAA-specific access policies
    • BAA support — via Supabase Enterprise tier

    GLBA Compliance

    • Security Program — Written policies, continuous risk assessment, role-based access reviews
    • Access Controls — Financial data in finance/mortgage schemas, classified audit logs, IP/time restrictions
    • Provider Oversight — SOC 2 infrastructure, TLS 1.3 everywhere, signed URLs only
    • Incident Response — Detection, assessment, containment, eradication, recovery, lessons learned

    Continuous Security and Incident Response

    Daily

    • Review suspicious access alerts
    • Monitor failed auth attempts
    • Verify RLS on all tables
    • Check backup and compliance scores

    Weekly

    • Audit user roles and permissions
    • Review anomaly detection alerts
    • Remove inactive accounts
    • Generate compliance reports

    Ongoing

    • Security audits of new code
    • Vulnerability discovery and remediation
    • Provider advisory monitoring
    • Dev team security enforcement

    Incident Response Framework

    1. Detection
    2. Assessment
    3. Containment
    4. Eradication
    5. Recovery
    6. Lessons Learned

    Security by Design

    NeuroFlow's security is not a feature list — it is an architectural philosophy. Every design decision reflects a single principle: data isolation and protection must be guaranteed by the system itself, not dependent on the absence of bugs.

    Database-Level Enforcement

    RLS means even a critical app bug cannot leak data across organizations.

    Schema Isolation by Regulation

    HIPAA and GLBA data live in separate schemas with tailored policies.

    Defense in Depth

    Security at every layer — network, infrastructure, database, application, and operations.

    Audit Everything

    Every data access logged with detail to satisfy HIPAA and GLBA requirements.

    Managed Infrastructure

    SOC 2 providers handle infrastructure security while we focus on application-level protections.

    Continuous Vigilance

    Daily monitoring, weekly audits, and structured incident response.

    Built for Regulated Industries. Secured by Design.

    For organizations handling sensitive data, NeuroFlow provides not just a software platform, but a security framework designed from the ground up to meet regulatory obligations.

    Apply to Partner