Security

How we secure your patients' files

Plain-English summary of the controls in production.

Encryption at rest

Every uploaded file is encrypted at rest with AES-256-GCM using server-side encryption powered by AWS Key Management Service (SSE-KMS). The encryption key is a customer-managed CMK in our AWS account, not a shared AWS-managed key. Each S3 object receives a unique data encryption key derived from the CMK via S3 Bucket Keys, so the compromise of any one DEK affects exactly one transfer.

The bucket policy denies any upload that does not present the correct SSE-KMS header for our CMK, and denies any S3 API call made over plain HTTP. Encryption is not optional and is not enforced only client-side — three independent layers prevent plaintext from landing.

Encryption in transit

All traffic to and from Humenis uses TLS 1.3. Strict Transport Security is enforced with a 2-year max-age, includeSubDomains, and preload. Browsers refuse downgrades to plain HTTP for the domain.

Two-factor recipient authentication

Possessing the recipient's download link is not enough to access a file. When a recipient opens the link, they must request a one-time numeric code, which is delivered to the recipient's email address and is valid for ten minutes. The platform allows at most five verification attempts per code; after that, a fresh code must be requested.

Auto-deletion

The application deletes the S3 object immediately once the recipient's download stream completes. If the application ever fails to delete (process crash, network blip, bug), an S3 lifecycle policy deletes every object after 24 hours regardless. This is a hard guarantee at the storage layer, independent of the application.

Audit trail

Every significant event is appended to an audit log: transfer creation, upload completion, recipient code requested, code verified, code failed, file downloaded, file deleted. Each row captures the actor, the IP address, the user-agent string, and a timestamp. The log is retained for 7 years in keeping with PIPEDA's accountability principle, and is append-only by convention.

Data residency

All file payloads, transfer metadata, account information, and audit logs are stored in AWS ca-central-1 (Montreal). We do not replicate any of this data outside Canada.

Two sub-processors operate from outside Canada and receive only non-file metadata:

  • Resend (transactional email) — receives recipient and sender email addresses, patient names in the message body, and one-time codes
  • Stripe (billing) — receives payment details and account email

Identity and access

Passwords are hashed with argon2id (memory 19 MiB, two iterations, single thread — OWASP 2024 baseline). Email verification is required before the dashboard unlocks. Password reset uses single-use tokens with one-hour expiry.

Backend AWS access is via a least-privilege IAM principal scoped to a single bucket and a single KMS key. The IAM policy grants no wildcards, no “*” resources, no admin actions. The roadmap calls for migrating this to OIDC-based role assumption from Vercel so that no long-lived access keys exist at all.

Application hardening

  • Content Security Policy restricts script origins, inline form submissions, and connection targets (notably: outbound XHR is allow-listed to *.s3.ca-central-1.amazonaws.com only)
  • frame-ancestors 'none' + X-Frame-Options DENY — Humenis is never embeddable
  • Anti-enumeration on auth endpoints (forgot-password returns the same response for known and unknown emails; sign-in runs a dummy hash check for non-existent accounts to equalize timing)
  • Per-transfer rate limits on download code requests (5 per transfer per hour)
  • All input validated server-side, including MIME-type allow-list (DICOM, PDF, JPEG, PNG) and 5 GB file cap
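The recipient-code rules described under "Two-factor recipient authentication" (ten-minute validity, five verification attempts) together with the per-transfer request limit above (5 code requests per hour) can be modelled server-side as follows. This is an added illustration, not Humenis's code; the in-memory store, the 6-digit code format, and the salted HMAC-SHA256 digest are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CODE_TTL_S = 10 * 60          # a code is valid for ten minutes
MAX_VERIFY_ATTEMPTS = 5       # then a fresh code must be requested
MAX_REQUESTS_PER_HOUR = 5     # per-transfer cap on code requests


@dataclass
class _IssuedCode:
    digest: bytes       # HMAC of the code; the plaintext is only ever emailed
    expires_at: float
    attempts: int = 0


@dataclass
class TransferCodeStore:
    """In-memory model of the recipient-code rules (illustration, not production)."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    codes: Dict[str, _IssuedCode] = field(default_factory=dict)
    requests: Dict[str, List[float]] = field(default_factory=dict)

    def _digest(self, code: str) -> bytes:
        return hmac.new(self.salt, code.encode(), "sha256").digest()

    def request_code(self, transfer_id: str, now: float) -> Optional[str]:
        """Issue a fresh code, or None when the hourly request cap is reached."""
        recent = [t for t in self.requests.get(transfer_id, []) if now - t < 3600]
        if len(recent) >= MAX_REQUESTS_PER_HOUR:
            return None
        self.requests[transfer_id] = recent + [now]
        code = f"{secrets.randbelow(10**6):06d}"   # assumed 6-digit format
        self.codes[transfer_id] = _IssuedCode(self._digest(code), now + CODE_TTL_S)
        return code

    def verify(self, transfer_id: str, submitted: str, now: float) -> bool:
        """Constant-time check; a code is single-use and burns after 5 failures."""
        rec = self.codes.get(transfer_id)
        if rec is None or now >= rec.expires_at:
            self.codes.pop(transfer_id, None)      # expired codes are discarded
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(rec.digest, self._digest(submitted))
        if ok or rec.attempts >= MAX_VERIFY_ATTEMPTS:
            del self.codes[transfer_id]            # used up, one way or the other
        return ok
```

Issuing a new code replaces the previous one for that transfer, so a recipient who exhausts their attempts must go through the (rate-limited) request step again.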

Compliance posture

Humenis is built specifically for the Canadian regulatory environment.

  • PIPEDA — federal baseline for personal information handling
  • Quebec Law 25 — additional consent, breach notification, and Privacy Officer requirements for transfers involving Quebec residents
  • Provincial health-information statutes (PHIPA in Ontario, HIA in Alberta, etc.) — applicable to the dental clinic as the custodian; Humenis provides the technical safeguards needed to support clinic compliance

We are not HIPAA-regulated (we operate in Canada, not the United States) and do not offer a Business Associate Agreement.

Responsible disclosure

If you believe you've found a security vulnerability, please email security@dentalvault.ca with details and reproduction steps. We commit to acknowledging reports within 48 hours and to working in good faith with researchers — we will not pursue legal action against research that:

  • Does not access, modify, or destroy other users' data
  • Does not degrade the service for other users
  • Does not publicly disclose the issue before we've had a reasonable opportunity to remediate

Incident response

In the event of a confidentiality incident involving personal information, we will:

  1. Contain the incident and preserve evidence
  2. Notify affected individuals and the applicable supervisory authority (OPC under PIPEDA; CAI under Law 25) as soon as feasible after determining a real risk of significant harm
  3. Conduct a post-incident review and publish a redacted summary