Security at Oystercatcher.
We take the security of your data seriously. Here's how we protect it.
Encryption
Data is encrypted at rest (AES-256) and in transit (TLS). Keys are managed with AWS KMS.
Access Controls
Role-based access control, SSO via Google and Microsoft, and enforced MFA for Oystercatcher administrative access.
Infrastructure
Hosted on AWS with VPC isolation, private subnets for data stores, and multi-AZ redundancy.
Monitoring
Continuous automated infrastructure and application monitoring with real-time alerting.
Tenant Isolation
Organization-scoped access controls and query scoping prevent cross-tenant data access.
No PHI
Oystercatcher does not collect, store, or process protected health information (PHI).
Data Protection
Encryption
- At Rest: Databases and object storage are encrypted at rest (AES-256); server-side encryption is enforced programmatically on all object uploads, with AWS KMS keys for sensitive data classes
- In Transit: All connections use TLS with modern cipher suites
- Key Management: Encryption keys are managed using AWS KMS
- Time-limited access: Generated file-download links expire automatically (four hours maximum)
Data Isolation
Each customer's data is logically isolated using organization-level access controls. Database queries are scoped to prevent cross-tenant data access.
What we do not hold
Oystercatcher does not collect, store, or process protected health information (PHI) or patient data. Our platform contains professional information about healthcare providers compiled from public sources. Because we do not handle PHI, use of the Service does not generally create a HIPAA business associate relationship. If you believe your use case involves PHI, contact us before proceeding — do not submit PHI to the Service.
Application Security
Authentication
- Secure password storage using bcrypt hashing
- Single sign-on via Google and Microsoft (OAuth 2.0 with PKCE)
- Multi-factor authentication (TOTP) enforced for Oystercatcher administrative access
- Session management with secure token handling
- Rate limiting and account protection on authentication endpoints
Authorization
- Role-based access control (owner, admin, member, viewer)
- Granular permissions for team members
- Audit logging of administrative access and changes, retained for two years
Secure Development
- Code reviews required for all changes
- Automated linting and test gates in CI for backend, frontend, and infrastructure changes
- Regular dependency updates and vulnerability patching
- Internal security assessments, with findings tracked to remediation
- Personally identifying fields are masked in application logs
Infrastructure Security
Cloud Infrastructure
- Hosted on Amazon Web Services (AWS)
- VPC network isolation with security groups and network ACLs
- Private subnets for databases and internal services
- Secrets stored in AWS Secrets Manager — never in code or images
Availability and Resilience
- Multi-availability-zone database deployment with automated failover
- Regular backups with point-in-time recovery
- Contractual uptime commitments and service credits are set out in our Service Level Agreement, which applies to Growth and Enterprise subscriptions
Operational Security
Monitoring
- Continuous automated infrastructure monitoring and alerting (AWS CloudWatch)
- Application error monitoring (Sentry)
- Centralized logging and analysis
Incident Response
- Documented incident response plan with defined roles and severity levels
- Incident classification and escalation paths
- Post-incident reviews and remediation
- Customer notification without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting customer data, per our Data Processing Agreement
Compliance
- U.S. state privacy law (CCPA/CPRA and others): Data Processing Agreement with service-provider terms; see our Privacy Policy and Your Privacy Choices
- Subprocessors: Published at our subprocessor list with advance notice of changes
- SOC 2: Not yet certified. We are building our control environment toward a future SOC 2 examination; contact us for current security documentation
- HIPAA: Not applicable to the Service — we do not process PHI (see above)
Responsible Disclosure
If you discover a security vulnerability, please report it to [email protected] under our Vulnerability Disclosure Policy, which authorizes good-faith security research within its rules of engagement. Our security.txt is also published.
Questions?
For security-related questions or to request additional documentation, contact us at [email protected].