Infrastructure
- Hosting: Netlify CDN with global edge nodes and automatic HTTPS
- Database: Supabase (PostgreSQL) with encrypted storage at rest and in transit
- Payments: Stripe — EDNA never stores payment card data
- Email: Resend on dedicated subdomain (mail.ednaknows.com)
Authentication
- Magic link and password-based authentication via Supabase Auth
- All sessions secured with JWTs that expire automatically
- Passwords hashed using bcrypt — never stored in plaintext
- Row-Level Security (RLS) enforced on all database tables — users can only access their own data
Data Protection
- All data encrypted in transit via TLS 1.2+
- Credential documents stored in encrypted object storage with signed URL access
- DEA numbers masked in employer views — never exposed to unauthorized parties
- Employer cross-visibility blocked by design — employers cannot see your activity at other facilities
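To make the row-level security and DEA-masking claims above concrete, here is an added illustration in PostgreSQL/Supabase SQL. It is not EDNA's schema or code: the table `credential_documents`, its columns, the view name and the last-4 masking rule are all assumptions; `auth.uid()` is Supabase's built-in helper returning the signed-in user's id.

```sql
-- Hypothetical table standing in for the credential documents described above.
create table if not exists credential_documents (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null references auth.users (id),
  facility_id uuid not null,
  dea_number  text,
  storage_key text not null   -- object-storage path, fetched via a signed URL
);

-- Enable RLS and FORCE it so even the table owner is subject to the policies.
-- Once RLS is enabled, a row with no matching policy is denied by default.
alter table credential_documents enable row level security;
alter table credential_documents force row level security;

-- Owner-only access: a user can read and modify only rows they own.
-- USING filters rows on read/update/delete; WITH CHECK guards inserts/updates.
create policy owner_only on credential_documents
  for all
  using      (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Employer-facing view: the DEA number is never returned in full.
-- security_invoker (PostgreSQL 15+) runs the view as the caller, so the
-- RLS policy above still applies when the view is queried.
create view employer_credentials with (security_invoker = true) as
select id, owner_id, facility_id, storage_key,
       case when dea_number is null then null
            else '****' || right(dea_number, 4)
       end as dea_masked
from credential_documents;

-- Caveat: Supabase's service_role key bypasses RLS entirely, so it must
-- only ever be used server-side, never shipped to a browser or mobile app.

-- Check as a signed-in user: should return only that user's own rows.
select id, facility_id, dea_masked from employer_credentials;
```

Run the final query under two different user sessions and confirm each sees only its own rows and never a full DEA number; a table that has RLS enabled but no policy returns zero rows, which is the safe failure mode.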
HIPAA Readiness
EDNA is designed with HIPAA technical safeguards in mind:
- Access controls and audit logging
- Minimum necessary data exposure principles
- Business Associate Agreements (BAAs) available for covered entities
- Breach notification procedures in place per HIPAA requirements
Monitoring & Incident Response
- Continuous uptime monitoring via Netlify Analytics
- Automated OIG/SAM.gov screening runs monthly
- Security incidents disclosed to affected users within 60 days per HIPAA requirements
- Hospital partners notified immediately upon any incident affecting their provider data
Responsible Disclosure
If you discover a security vulnerability in EDNA, please report it to security@ednaknows.com. We will acknowledge your report within 48 hours and work to resolve confirmed vulnerabilities promptly.
For questions about security, or to request a BAA, contact security@ednaknows.com.