Security
Your data, protected
At Vitaris, security is not an afterthought — it is foundational to everything we build. We handle sensitive business data for insurance professionals and health-related information for clinics, and we take that responsibility seriously.

Infrastructure
- Cloud-hosted infrastructure with enterprise-grade providers that maintain SOC 2 Type II and ISO 27001 certifications.
- Data encryption in transit (TLS 1.2+) and at rest (AES-256).
- Automated backups with point-in-time recovery capabilities.
- Geographic redundancy to ensure high availability and disaster recovery.
Data Isolation
Vitaris uses a multi-tenant architecture with strict data isolation:
- Row-Level Security (RLS) enforced at the database level — each account can only access its own data, regardless of application logic.
- Tenant-scoped queries ensure that no cross-account data leakage is possible.
- Isolated authentication contexts prevent session hijacking across accounts.
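The following is an added illustration of the database-level row-level-security pattern described above, written for PostgreSQL; it is not Vitaris's own schema or code. The table name `records`, the role `app_user`, the session setting `app.current_account`, and the sample account id are all assumptions made for the example.

```sql
-- Added example (not Vitaris's schema): tenant isolation enforced by PostgreSQL
-- row-level security, so that every query is scoped to one account even if the
-- application forgets its WHERE account_id = ... filter.

CREATE TABLE records (
    id          bigserial PRIMARY KEY,
    account_id  uuid NOT NULL,
    payload     text NOT NULL
);

-- Turn RLS on, and FORCE it so the table owner is subject to the policy too.
-- (Superusers and roles created WITH BYPASSRLS still bypass policies, so the
-- application must never connect as one of those.)
ALTER TABLE records ENABLE ROW LEVEL SECURITY;
ALTER TABLE records FORCE ROW LEVEL SECURITY;

-- One policy for reads and writes: a row is visible (USING) or writable
-- (WITH CHECK) only when its account_id matches the account bound to the session.
-- missing_ok = true makes current_setting() return NULL when nothing is bound;
-- NULL never compares equal, so an unscoped session sees zero rows (fail closed)
-- instead of every tenant's data.
CREATE POLICY tenant_isolation ON records
    USING      (account_id = current_setting('app.current_account', true)::uuid)
    WITH CHECK (account_id = current_setting('app.current_account', true)::uuid);

-- Least-privilege application role: ordinary table rights, no RLS bypass.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON records TO app_user;

-- Per-request pattern: bind the authenticated account inside the transaction.
-- SET LOCAL is reset at COMMIT/ROLLBACK, so the setting cannot leak to the next
-- request that reuses the same pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_account = '11111111-1111-1111-1111-111111111111';   -- constructed sample id
SELECT id, payload FROM records;                 -- returns only that account's rows
INSERT INTO records (account_id, payload)
    VALUES ('22222222-2222-2222-2222-222222222222', 'x');   -- rejected by WITH CHECK
COMMIT;

-- Check: with no account bound, the same SELECT returns nothing, not everything.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM records;                    -- 0
COMMIT;
```

The two checks at the end are what a reviewer would want to see in a test suite: a cross-tenant write is refused, and a session that never bound an account gets an empty result rather than a full table scan.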
Authentication & Access
- Secure authentication via OAuth 2.0 and JWT-based sessions.
- Password hashing using industry-standard bcrypt algorithms.
- Role-based access control to restrict functionality based on user roles within an organization.
- Session management with automatic expiration and revocation capabilities.
Application Security
- Input validation and sanitization across all user-facing interfaces to prevent injection attacks.
- CSRF and XSS protection built into the application framework.
- Dependency monitoring with automated vulnerability scanning of third-party packages.
- Secure API design with rate limiting, authentication, and end-to-end type safety.
Health Data Protection
Vitaris Health processes sensitive patient information. In addition to our standard security measures, we apply additional safeguards:
- Health data is processed exclusively to deliver the contracted service — never for marketing or profiling.
- Access to patient records is restricted to authorized users within the subscribing clinic or practice.
- Audit logging tracks access to sensitive health records for compliance and accountability.
- We support compliance with applicable health data regulations in each jurisdiction where our users operate.
Incident Response
We maintain a formal incident response process:
- Affected users are notified without unreasonable delay, in accordance with Wyoming law (W.S. § 40-12-501 et seq.) and applicable local regulations.
- Incidents are documented with root cause analysis and preventive actions.
- Security patches are prioritized and deployed promptly.
Operational Practices
- Principle of least privilege — team members only have access to systems necessary for their role.
- Code review required for all changes before deployment.
- Automated testing as part of the CI/CD pipeline to catch regressions.
- Infrastructure as code with version-controlled configurations.
Report a Security Concern
If you discover a security vulnerability or have a concern about our security practices, please contact us immediately at hello@getvitaris.com. We take all reports seriously and will respond promptly.