Roles

ADMIN · MANAGER · AGENT · READONLY. Capabilities are declared centrally in src/core/rbac.ts. Capability checks happen at every service entry point — the UI cannot grant access the service refuses.

Per-record sharing

ContactShare records grant a specific user READ or WRITE on a specific contact. AGENTs see what they own plus what's shared with them. WRITE shares grant edit access. Sharing actions are audit-logged.

Field-level permissions (Enterprise)

On Enterprise, properties can be tagged with read/write role gates. A field tagged ADMIN-only is invisible to AGENTs — both in the UI and through the API.

Service accounts

Automation runs as a service account with a scoped token. Three reference agents ship with the repo (patient-followup, new-patient-campaign, contact-enrichment). Every action audit-logs as actorKind='agent'.

MFA

TOTP-based MFA with recovery codes, available on every tier. Enrollment lives in /app/settings; enforcement happens at login via short-lived MfaChallenge rows. Recovery codes are hashed at rest.

OIDC SSO

Microsoft and Google OIDC on Pro and Enterprise. SAML on request for Enterprise customers with another IdP. SSO can be enforced (password-disabled) per workspace.

Sessions

Server-side Session rows keyed by an opaque cookie (hn_session). 8-hour idle TTL by default. The patient portal runs on a separate PortalSession table and cookie (hn_portal_session) so a staff compromise can't impersonate a patient and vice versa.

Password policy

bcrypt (cost 12) for hashing. Minimum 12 characters, breach-list check on signup (k-anonymity API). Rate-limited login by IP + email.

Detection

Application logs ship to a separate observability tenant with anomaly detection on auth, audit-row patterns, and rate-limit signals. PHI is redacted at the log boundary.

Notification

On a confirmed PHI-impacting incident, we contact every affected tenant's designated Security Officer within 24 hours. Notification includes scope, suspected cause, and immediate mitigations.

Forensics

Post-incident review within 72 hours: root cause, timeline, contributing factors, and concrete remediation steps. The full review is shared with affected customers.

HIPAA Breach Notification

If the incident meets HIPAA's breach notification threshold, we coordinate with each covered entity to meet the 60-day deadline for HHS and affected-individual notification. We do not notify on your behalf — that's the covered entity's responsibility — but we provide the evidence package within 5 business days.

ContactFollowUp provides

Field-level PHI encryption · immutable audit log · RBAC + per-record sharing · MFA + SSO · service-account model · BAA + subprocessor management UI · signed BAA with the covered customer · incident response posture · TLS in transit · data export on demand.

You provide

A signed BAA with each downstream subprocessor you use (we surface a UI to track them) · customer-managed encryption keys stored in Key Vault / Secrets Manager · network restrictions appropriate to your tenant (private networking, IP allow-lists) · a designated Security Officer and incident-response process · workforce training and access reviews.