Security Overview

Version 1.0 · Effective May 28, 2026

Identity & access

  • Authentication is handled by Neon Auth (Better Auth under the hood) using HTTPS-only, HttpOnly cookies. Sessions auto-refresh and can be revoked at any time from Settings → Profile → Sessions.
  • Passwords are hashed with an industry-standard slow KDF; we never store plaintext. Account recovery is via email.
  • Multi-factor authentication is on the roadmap.

Data in transit and at rest

  • Every connection — browser to app, app to database — is TLS 1.2+ encrypted. We don’t accept HTTP traffic.
  • Application data lives in Neon Postgres (AWS us-west-2), encrypted at rest with AES-256.
  • Neon provides continuous backup with point-in-time recovery within the project’s retention window. Branching gives us cheap, isolated rollbacks before risky migrations.

Database isolation (row-level security)

  • Every user-facing table has Row-Level Security enabled. A signed-in user can only read or write rows they own; cross-user access is structurally impossible at the database layer, not just enforced in application code.
  • App traffic reaches Postgres through the Neon Data API (PostgREST) with a signed JWT minted by Neon Auth, so RLS sees the user’s identity on every query.
  • Sensitive flags (subscription tier, billing IDs, soft-delete timestamps, referral code, lifetime-grant timestamps) are protected by additional triggers that reject direct user updates. Only the server-side webhook and admin paths can change them.
  • Admin and system tasks use a separate Postgres role with bypass privileges, only reachable from server-side code — never exposed to the browser.
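The isolation scheme described above can be expressed directly in Postgres DDL. The following is an added illustration, not ProcDoc's schema or Neon's code: a hypothetical `procedures` table, an RLS policy that reads the caller's identity from the JWT (assuming, as PostgREST does, that the claims are exposed as the `request.jwt.claims` setting and that the user id is in the `sub` claim), a hypothetical `app_admin` role with `BYPASSRLS` for server-side paths, and a trigger that rejects user writes to the protected columns. All table, column, role and function names are assumptions.

```sql
-- Added example (hypothetical schema, not ProcDoc's). Assumes PostgREST
-- semantics: JWT claims in request.jwt.claims, user id in the "sub" claim.

-- Roles: ordinary API callers, and a server-side role that bypasses RLS.
CREATE ROLE app_user;
CREATE ROLE app_admin BYPASSRLS;

-- Identity of the caller as seen by RLS, taken from the signed JWT.
CREATE OR REPLACE FUNCTION current_user_id() RETURNS text
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('request.jwt.claims', true), '')::json ->> 'sub'
$$;

CREATE TABLE procedures (
  id                bigserial PRIMARY KEY,
  owner_id          text NOT NULL DEFAULT current_user_id(),
  notes             text,                       -- procedural notes only, no PHI
  -- "sensitive flags": only server-side/admin paths may change these
  subscription_tier text NOT NULL DEFAULT 'free',
  deleted_at        timestamptz
);

GRANT SELECT, INSERT, UPDATE, DELETE ON procedures TO app_user, app_admin;
GRANT USAGE, SELECT ON SEQUENCE procedures_id_seq TO app_user, app_admin;

-- RLS on, and forced so even the table owner is subject to the policy.
ALTER TABLE procedures ENABLE ROW LEVEL SECURITY;
ALTER TABLE procedures FORCE ROW LEVEL SECURITY;

-- A caller sees (USING) and may write (WITH CHECK) only rows they own.
-- app_admin has BYPASSRLS, so this policy never applies to it.
CREATE POLICY owner_only ON procedures
  FOR ALL
  USING (owner_id = current_user_id())
  WITH CHECK (owner_id = current_user_id());

-- BYPASSRLS skips policies but not triggers, so the trigger itself decides
-- who may touch the protected columns by checking the session role.
CREATE OR REPLACE FUNCTION protect_sensitive_columns() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  IF pg_has_role(current_user, 'app_admin', 'MEMBER') THEN
    RETURN NEW;                                  -- server-side path: allowed
  END IF;

  IF TG_OP = 'INSERT' THEN
    -- Users cannot seed privileged state on creation; force the defaults.
    NEW.subscription_tier := 'free';
    NEW.deleted_at := NULL;
  ELSIF NEW.subscription_tier IS DISTINCT FROM OLD.subscription_tier
     OR NEW.deleted_at        IS DISTINCT FROM OLD.deleted_at
     OR NEW.owner_id          IS DISTINCT FROM OLD.owner_id THEN
    RAISE EXCEPTION 'protected column: changes must go through the server-side path'
      USING ERRCODE = 'insufficient_privilege';
  END IF;

  RETURN NEW;
END;
$$;

CREATE TRIGGER procedures_protect_sensitive
  BEFORE INSERT OR UPDATE ON procedures
  FOR EACH ROW EXECUTE FUNCTION protect_sensitive_columns();
```

Two points worth checking in a real deployment: `FORCE ROW LEVEL SECURITY` matters because the table owner is otherwise exempt from its own policies, and a `BYPASSRLS` role still fires triggers, which is why the role test lives inside the trigger rather than relying on RLS alone to guard the protected columns.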

PHI policy

ProcDoc is not a system of record for protected health information. Free-text fields are intended for procedural notes only — not patient names, MRNs, DOBs, or any other identifier that could re-identify a real person. See our PHI Notice for the full policy.

Payments

  • All billing is processed by Stripe. ProcDoc never sees raw card numbers; Stripe tokenizes everything and we store only the customer and subscription IDs.
  • Webhook deliveries are HMAC-verified before any state change, and subscription writes go through the admin role so they can’t be forged from the client.

Vendors & subprocessors

  • Neon — Postgres + Neon Auth + Neon Data API. SOC 2 Type II.
  • Vercel — application hosting, edge network, image optimization.
  • Stripe — payment processing. PCI DSS Level 1.
  • Resend — transactional email delivery.
  • Cloudflare Turnstile — bot detection on signup and sign-in.
  • Sentry + PostHog — error monitoring and product analytics. PII is scrubbed before send.

Our Privacy Policy has the full list and the data we share with each.

Disclosure

Found a security issue? security@procdoc.app — please give us a reasonable window to fix before public disclosure, and we’ll credit you in our changelog if you’d like.