How We Protect Your Data
NeuroFlow is a multi-tenant SaaS platform serving professionals across regulated industries — real estate, mortgage, healthcare, insurance, and financial services. Security isn't a feature we added later. It is the foundation upon which every other feature is built.
Why Security Is Non-Negotiable
Every day, our platform processes and stores data that falls under some of the most stringent regulatory frameworks in the United States:
PHI — Protected Health Information
Patient records, blood panels, wellness assessments, and clinical notes governed by HIPAA.
NPI — Non-Public Personal Information
Financial records, loan details, transaction histories, and credit data governed by GLBA.
PII — Personally Identifiable Information
Contact details, identification numbers, and personal profiles governed by both frameworks and state privacy laws.
What HIPAA and GLBA Require
HIPAA requires covered entities to implement administrative, physical, and technical safeguards to protect electronic health information — including access controls, audit trails, encryption, and transmission security. Violations can result in fines up to $50,000 per incident with annual maximums of $1.5 million.
GLBA requires financial institutions to safeguard sensitive data through a written information security plan, risk assessment, access controls, encryption, activity monitoring, and incident response procedures.
Platform Architecture
NeuroFlow is built on a modern, security-conscious technology stack where each layer is chosen not just for performance, but for the security guarantees it provides.
Frontend
- React + TypeScript for compile-time safety
- Vite — optimized, minified production builds
- Netlify — SOC 2 Type II, DDoS protection, auto HTTPS
Backend
- Supabase — SOC 2, AES-256, managed PostgreSQL
- 200+ Edge Functions in Deno's sandboxed runtime
- Automated backups with point-in-time recovery
CDN & Compute
- Cloudflare Workers — global edge compute
- Enterprise DDoS mitigation and WAF
- Automatic SSL/TLS on all connections
Why Managed Infrastructure?
We rely on managed providers (Supabase, Netlify, Cloudflare) not as a shortcut — but as a security strategy. We inherit their dedicated security teams: OS patches applied within hours, 24/7 network firewalls, and SOC 2 compliance. This lets our engineering team focus entirely on application-level security — access controls, data isolation, and compliance features specific to regulated industries.
Multi-Tenant Data Isolation
The Core Challenge
Hundreds of organizations share the same database infrastructure. A brokerage in Texas, a clinic in New York, and a mortgage company in California may all have data in the same cluster. The question: how do you guarantee that Organization A can never see, modify, or even detect the existence of Organization B's data?
Many platforms solve this at the application layer — the code checks permissions before returning data. This has a fatal flaw: a single bug can expose data across organizational boundaries. NeuroFlow takes a fundamentally different approach.
Database-Level Enforcement with Row Level Security
Every table containing organizational data is protected by Row Level Security (RLS) — a PostgreSQL feature that enforces access rules at the database engine level. No matter how a query reaches the database — frontend, API, serverless function, or admin console — the database itself refuses to return unauthorized rows.
Application-Level Security (Others)
Like a locked door — someone with the right tools can pick the lock. A missing permission check or overlooked API endpoint can become a breach.
Database-Level Security (NeuroFlow)
Like a wall — data physically cannot flow to unauthorized parties. Even a critical application bug cannot leak data across organizational boundaries.
How RLS Works in Practice
Is this user a member of Organization A? — verified against the organization_members table
Does Organization A own this row? — verified against the organization_id column
Does this user have the right role for this operation? — SELECT, INSERT, UPDATE, and DELETE each have independent policies
If any check fails, the row simply does not exist from the user's perspective. No error message revealing data exists but is inaccessible — it is as if the data was never there.
Multi-Schema Architecture
Beyond row-level isolation, NeuroFlow organizes data into 20+ separate PostgreSQL schemas by domain — foundation, regulated verticals, and business modules each live in their own namespace, enabling tailored access controls and compliance policies per domain:
| Schema | Purpose | Regulatory Context |
|---|---|---|
| core | User profiles, organizations, authentication | Foundation for all access control |
| shared | CRM contacts, tasks, opportunities, projects | General business data |
| real_estate | Transactions, milestones, IDX/MLS, lead workflows | Industry-specific operations |
| mortgage | Loan processing, lending workflows | GLBA-regulated financial data |
| cre | Commercial real estate transactions and operations | Industry-specific operations |
| health | Patient records, clinical data, wellness | HIPAA-regulated PHI |
| finance | Payments, invoices, billing, cap tables | GLBA-regulated financial data |
| telecom | Carrier costs, line inventory, telecom imports | Industry-specific operations |
| sales | Sales pipelines, quotes, opportunities | General business data |
| marketing | Campaigns, automations, audiences | General business data |
| inventory | Stock, SKUs, warehouse management | General business data |
| analytics | Engagement events, metrics, reporting | Aggregated business intelligence |
| contracts | Contract templates, e-signatures, workflows | Legal documents and PII |
| licensing | License agreements and usage tracking | Industry-specific operations |
| content | Pages, articles, hyperlocal locations | General business data |
| builder | Website builder configs, templates, layouts | Industry-specific operations |
| messaging | Conversations, threads, communications | PII — communications |
| lms | Courses, lessons, training records | General business data |
| portal | Public-facing portal data, client uploads | General business data with PII |
| public | RLS helper functions and legacy utility tables | Migration / transitional namespace |
The Agency Hierarchy
NeuroFlow supports complex organizational structures. A parent brokerage might oversee branch offices, or a healthcare network might manage clinic locations. The RLS system handles this through a recursive hierarchy — enforced at the database level, not in application code — so it cannot be circumvented by a frontend bug.
Encryption and Data Protection
Encryption at Rest
All data is encrypted using AES-256 — the same standard used by the U.S. government for classified information. Data is encrypted the moment it's written to disk and decrypted only through authenticated channels.
Encryption in Transit
Every connection uses TLS 1.3 — browser-to-server, server-to-database, edge functions, and inter-service communications. HSTS headers ensure browsers never downgrade to unencrypted connections.
Document and File Security
Authentication and Access Control
Authentication Methods
- Email + password with bcrypt hashing
- Magic links for passwordless auth
- SSO for enterprise deployments
Session Management
- 7-day inactivity expiration
- Refresh token rotation on each use
- All sessions tied to user identity for audit
Role-Based Access Control
| Role | Capabilities |
|---|---|
| Owner | Full access including org deletion and billing |
| Admin | Full access except organization deletion |
| Member | Standard access to assigned modules |
| Viewer | Read-only access to permitted data |
IP Allowlisting
Restrict access to specific IP addresses or ranges. Unauthorized connections are blocked immediately, logged with source IP and timestamp, and visible to admins on the compliance dashboard.
Time-Based Access
Configurable per role — agents restricted to business hours while owners retain 24/7 access. Automatic session termination with 15/10/5-minute warning countdowns.
Audit Logging and Compliance Monitoring
Every interaction with sensitive data generates an audit record designed to satisfy both HIPAA and GLBA requirements:
| Field | Purpose |
|---|---|
| User identity | Who accessed the data |
| Organization | Which org context was active |
| Table accessed | Which data set was queried |
| Operation type | SELECT, INSERT, UPDATE, or DELETE |
| IP address | Where the request originated |
| Record count | How many records were involved |
| Data classification | PII, Financial, Health, or General |
| Timestamp | When the access occurred |
Anomaly Detection
| Anomaly | Threshold | Response |
|---|---|---|
| Excessive queries | >1,000/hour | Rate limiting + investigation |
| Multiple IPs | >3 per user | User verification |
| After-hours access | Outside configured windows | Alert + potential lockout |
| Mass data export | Unusual record counts | Immediate admin alert |
| Auth spikes | >50 failures/hour | Account lockout + investigation |
Data Retention and Purging
Permanent removal of expired records
Move to cold storage with restricted access
Remove PII while preserving data structure for analytics
API and Edge Function Security
Sandboxed Runtime
200+ Edge Functions run in Deno's secure runtime — sandboxed by default with no file system, network, or env variable access unless explicitly granted. Each function operates in isolation.
CORS Protection
Only requests from *.neuroflowapp.com are accepted in production. Unauthorized origins get 403 Forbidden. CORS validated on every request, not just preflight.
Security Headers
Every response includes Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, and Referrer-Policy headers protecting against XSS, MIME sniffing, and downgrade attacks.
Rate Limiting
Sliding window algorithm tracking frequency per user and IP. Configurable thresholds per endpoint with standard 429 responses and Retry-After headers. All events logged.
HIPAA and GLBA Compliance
HIPAA Compliance
- Technical (§164.312) — RLS access controls, PHI audit logging, database integrity, TLS 1.3 transmission
- Administrative (§164.308) — Security operations guide, incident response, workforce access management
- Physical (§164.310) — SOC 2 Type II providers with biometric access, 24/7 surveillance
- Dedicated health schema — PHI in separate logical space with HIPAA-specific access policies
- BAA support — via Supabase Enterprise tier
GLBA Compliance
- Security Program — Written policies, continuous risk assessment, role-based access reviews
- Access Controls — Financial data in finance/mortgage schemas, classified audit logs, IP/time restrictions
- Provider Oversight — SOC 2 infrastructure, TLS 1.3 everywhere, signed URLs only
- Incident Response — Detection, assessment, containment, eradication, recovery, lessons learned
Continuous Security and Incident Response
Daily
- Review suspicious access alerts
- Monitor failed auth attempts
- Verify RLS on all tables
- Check backup and compliance scores
Weekly
- Audit user roles and permissions
- Review anomaly detection alerts
- Remove inactive accounts
- Generate compliance reports
Ongoing
- Security audits of new code
- Vulnerability discovery and remediation
- Provider advisory monitoring
- Dev team security enforcement
Incident Response Framework
Security by Design
NeuroFlow's security is not a feature list — it is an architectural philosophy. Every design decision reflects a single principle: data isolation and protection must be guaranteed by the system itself, not dependent on the absence of bugs.
Database-Level Enforcement
RLS means even a critical app bug cannot leak data across organizations.
Schema Isolation by Regulation
HIPAA and GLBA data live in separate schemas with tailored policies.
Defense in Depth
Security at every layer — network, infrastructure, database, application, and operations.
Audit Everything
Every data access logged with detail to satisfy HIPAA and GLBA requirements.
Managed Infrastructure
SOC 2 providers handle infrastructure security while we focus on application-level protections.
Continuous Vigilance
Daily monitoring, weekly audits, and structured incident response.
Built for Regulated Industries. Secured by Design.
For organizations handling sensitive data, NeuroFlow provides not just a software platform, but a security framework designed from the ground up to meet regulatory obligations.
Apply to Partner