Authentication layer
Central account session + role-specific portal sessions with passkey and password support.
Security
Access is explicit, scoped, and auditable. AI operations stay backend-managed with no client-exposed provider secrets.
Patient approval governs data domains, purpose, and duration on every doctor access request.
Sensitive events are hash-chained and exportable for traceability and verification workflows.
Provider credentials never reach browser clients; all synthesis requests pass backend checks.
Patient and clinician AI routes are bounded with explicit per-hour limits for safe operations.
CORS/WebAuthn origin controls, migration discipline, and monitored auth/audit service logs.
AI Boundary
Role-specific synthesis routes enforce session and consent context before model invocation.
That keeps privacy and accountability aligned with clinical decision-making needs.
Session and role checks first
All protected routes verify account context before returning data.
Consent enforced in backend
Shared bundles are filtered according to active consent scope and expiry.
Verifiable audit exports
Export signatures make audit exports tamper-evident for review and compliance.
Trust Review