Security

Vigil is designed for healthcare environments with strict security and compliance requirements.

Data Protection

Encryption

Data State	Encryption
In transit	TLS 1.3
At rest	AES-256
Backups	AES-256

All network communication uses HTTPS. Database storage and backups are encrypted.

Access Control

Row Level Security (RLS) ensures data isolation:

Staff only access their facility's data
Role-based access controls limit functionality
API keys scoped to specific devices

Authentication:

Password-based with configurable requirements
Optional SSO via SAML (Okta, Azure AD)
Session management with secure tokens
Automatic session expiration

Audit Logging

All access to patient data is logged:

Who accessed what
When access occurred
What action was taken (read, write, delete)

Logs retained per facility retention policy (minimum 7 years).

HIPAA Compliance

Vigil supports HIPAA compliance:

Technical Safeguards

✓ Access controls (unique user IDs, role-based access)
✓ Audit controls (comprehensive logging)
✓ Integrity controls (data validation, checksums)
✓ Transmission security (TLS encryption)

Administrative Safeguards

✓ Business Associate Agreement (BAA) with Supabase
✓ Workforce training resources
✓ Incident response procedures
✓ Risk assessments

Physical Safeguards

Supabase infrastructure provides:

✓ Facility access controls
✓ Workstation security
✓ Device and media controls

Credential Management

User Passwords

Minimum 8 characters
Complexity requirements (uppercase, lowercase, numbers)
Passwords hashed with bcrypt
Never stored in plain text
Never logged

API Keys

Generated with cryptographic randomness
Stored hashed (cannot be retrieved)
Scoped to specific devices
Rotatable without downtime

EMR Credentials

Client secrets encrypted at rest
Never logged or displayed
Separate storage from general data
Access limited to IT admins

Network Security

Firewall

Only HTTPS (443) exposed publicly
Internal services use private networking
Sensor hubs connect via outbound HTTPS only

IP Allowlisting

Available for enterprise deployments:

Restrict API access to known IPs
EMR webhook filtering
Admin console access control

DDoS Protection

Rate limiting on all endpoints
Cloud provider DDoS mitigation
Automatic scaling under load

Vulnerability Management

Code Security

Static analysis (Semgrep) in CI/CD
Dependency scanning (npm audit)
No medium+ severity findings allowed
Regular security reviews

Penetration Testing

Annual third-party penetration tests
Findings remediated within SLA
Test reports available to customers

Incident Response

Detection: Automated monitoring and alerting
Containment: Isolate affected systems
Eradication: Remove threat
Recovery: Restore normal operations
Lessons Learned: Post-incident review

Customers notified within 72 hours of confirmed breaches.

Data Retention

Data Type	Active	Archive	Total
Observations	1 year	6 years	7 years
Alerts	1 year	6 years	7 years
Vitals	1 year	6 years	7 years
Assessments	1 year	6 years	7 years
Audit logs	1 year	6 years	7 years
Sensor events	90 days	—	90 days

Configurable per facility based on regulatory requirements.

Compliance Certifications

Current

HIPAA (Business Associate Agreement)
SOC 2 Type II (via Supabase)

Roadmap

HITRUST CSF
ISO 27001

Security Contacts

Report security vulnerabilities to:

Email: security@vigilhealth.app

We follow responsible disclosure practices and acknowledge reports within 48 hours.

Data Protection​

Encryption​

Access Control​

Audit Logging​

HIPAA Compliance​

Technical Safeguards​

Administrative Safeguards​

Physical Safeguards​

Credential Management​

User Passwords​

API Keys​

EMR Credentials​

Network Security​

Firewall​

IP Allowlisting​

DDoS Protection​

Vulnerability Management​

Code Security​

Penetration Testing​

Incident Response​

Data Retention​

Compliance Certifications​

Current​

Roadmap​

Security Contacts​