IrisMapper Pro

Patient Data Storage & Compliance

Understanding how your patient data is stored and protected

Current Architecture (v1.0 - Startup Phase)

Where Patient Data is Stored

Compliance Status

⚠️ NOT HIPAA Compliant

Patient Health Information (PHI) is stored locally in your browser

⚠️ Data Persistence Risk

Data may be lost if you clear your browser cache, and it will not be available if you switch to a different device

⚠️ No Centralized Backup

There is currently no automatic server-side backup of patient data

✅ Client-Side Encryption

All data is encrypted at rest using AES-256-GCM before storage

✅ Access Control

Subscription-gated with Firebase authentication and authorization

✅ Secure Transmission

All data transmitted over HTTPS with strict transport security

Recommendations for Current Users

Best Practices

  • Use pseudonyms or initials instead of full patient names
  • Avoid entering sensitive identifiers (SSN, full DOB, etc.)
  • Export and save important projects externally as backup
  • Use a dedicated browser profile for professional work
  • Keep your device secure with password protection

Questions?

If you have specific compliance requirements or questions about our data storage practices, please contact our support team. We're happy to discuss your needs and provide additional documentation.