Security at ElderNex
We understand that you trust us with sensitive care information about your loved ones. That responsibility drives every security decision we make.
Encryption
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). Data stored in our database is encrypted at rest using AES-256 encryption provided by our cloud infrastructure.
Access Controls
We implement row-level security (RLS) policies on every database table, ensuring that users can only access data within their own household. Role-based permissions (owner, editor, viewer) provide granular control over who can view, modify, or delete care data.
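The following is an added illustration of how household-scoped row-level security is typically expressed on Postgres (the database behind Supabase); it is example code written for this page, not ElderNex's actual schema or policies. The table names, columns, and the three roles are assumptions; `auth.uid()` is the Supabase helper that returns the id of the authenticated caller.

```sql
-- Hypothetical schema (constructed for this example): who belongs to which
-- household and with what role, plus one table of per-household care data.
create table household_members (
  household_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('owner', 'editor', 'viewer')),
  primary key (household_id, user_id)
);

create table care_notes (
  id           uuid primary key default gen_random_uuid(),
  household_id uuid not null,
  author_id    uuid not null,
  body         text not null,
  created_at   timestamptz not null default now()
);

-- Until RLS is enabled, policies are ignored and any role with table
-- privileges can read every household's rows. FORCE makes the policies
-- apply to the table owner as well.
alter table care_notes enable row level security;
alter table care_notes force row level security;

-- Read: any member of the household, whatever their role.
create policy care_notes_select on care_notes
  for select
  using (
    exists (
      select 1 from household_members m
      where m.household_id = care_notes.household_id
        and m.user_id = auth.uid()
    )
  );

-- Insert: owners and editors only. WITH CHECK is evaluated against the new
-- row, so an editor cannot write a note into a household they do not belong to.
create policy care_notes_insert on care_notes
  for insert
  with check (
    exists (
      select 1 from household_members m
      where m.household_id = care_notes.household_id
        and m.user_id = auth.uid()
        and m.role in ('owner', 'editor')
    )
  );

-- Update: owners and editors; USING filters which rows may be targeted,
-- WITH CHECK prevents moving a row to another household on update.
create policy care_notes_update on care_notes
  for update
  using (
    exists (
      select 1 from household_members m
      where m.household_id = care_notes.household_id
        and m.user_id = auth.uid()
        and m.role in ('owner', 'editor')
    )
  )
  with check (
    exists (
      select 1 from household_members m
      where m.household_id = care_notes.household_id
        and m.user_id = auth.uid()
        and m.role in ('owner', 'editor')
    )
  );

-- Delete: owners only.
create policy care_notes_delete on care_notes
  for delete
  using (
    exists (
      select 1 from household_members m
      where m.household_id = care_notes.household_id
        and m.user_id = auth.uid()
        and m.role = 'owner'
    )
  );
```

Because these checks run inside the database, a query that omits a `WHERE household_id = ...` clause in application code still returns only the caller's household. Two things to verify in a real deployment: `household_members` needs its own RLS policies (otherwise membership itself leaks), and because the policies above read `household_members` as the calling user, a restrictive policy on that table can make the subquery return nothing; the usual remedy is to wrap the membership lookup in a `security definer` function that the policies call.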
Infrastructure
Our application is hosted on enterprise-grade cloud infrastructure with automated backups, high availability, and geographic redundancy. We use trusted providers (Supabase, Vercel) that maintain SOC 2 Type II compliance and undergo regular third-party security audits.
Authentication
User passwords are hashed with bcrypt (which applies a unique per-password salt) before storage. We support secure session management with automatic token refresh. Rate limiting protects against brute-force login attempts. Invitation links are single-use and time-limited.
Additional Security Measures
Security Headers
We enforce strict HTTP security headers including HSTS, X-Frame-Options (DENY), X-Content-Type-Options, and restrictive Permissions-Policy.
Rate Limiting
API endpoints are protected by rate limiting to prevent abuse, including login attempts, AI features, and invitation flows.
Input Validation
All user inputs are validated and sanitized on both client and server side to prevent injection attacks (XSS, SQL injection).
Signed Document URLs
Uploaded documents are served via time-limited signed URLs that expire after one hour, preventing unauthorized access.
AI Safety Controls
AI-suggested actions require explicit user approval. Destructive actions (deletions) require a separate confirmation step.
Audit Logging
AI-executed actions are logged for accountability, creating a trail of what was done, when, and by whom.
A Note About HIPAA
ElderNex is a care coordination tool designed for families. We are not a "covered entity" or "business associate" under HIPAA. While we implement robust security measures that align with industry best practices, we are not HIPAA-certified. We recommend using ElderNex as a supplementary coordination tool alongside your healthcare providers' official patient portals for storing formal medical records.
Responsible Disclosure
If you discover a security vulnerability in ElderNex, we encourage responsible disclosure. Please report security issues to us directly so we can address them promptly.
Report security issues to: security@eldernex.com
We aim to acknowledge reports within 48 hours and resolve critical issues within 7 days.
For general privacy questions, see our Privacy Policy.