Security overview

Three distinct roles enforced at every protected route. Staff cannot reach administrator surfaces; practice administrators cannot reach cross-tenant platform surfaces. Recovery actions on the operator dashboard are also role-split (staff can mark contacted; administrators can mark converted or lost).

Every protected request re-fetches the user's `users.status`. A user marked `disabled` is signed out on the next request and redirected to `/login?reason=disabled`. Disable also bans the Supabase auth user via admin API so refresh tokens stop working.

Tenant-scoped tables have RLS policies enabled in Supabase migrations. The portal additionally re-asserts tenant scope in every server-side query (defense-in-depth). The audit log query in the platform admin console Audit and the operator dashboard audit view filters by tenant identifier explicitly.

Tenant API keys, AI provider keys, Vapi credentials, Twilio credentials, and Supabase service-role keys never reach the browser. The portal proxies backend reads through a server-side proxy which injects the tenant key server-side.

When a tenant configures their own AI provider key (BYOK), it is encrypted with a server-managed encryption secret before being stored. Decryption happens server-side at request time only, and new ciphertexts are cryptographically bound to the tenant/provider context.

Revenue estimates (at-risk, won, leakage, per-call/per-lead dollar figures) are stripped from server-rendered HTML for tenant-staff users on the mobile surface, in addition to UI-level masking. Admins see full financials.

All hosted endpoints (portal, backend, Supabase, Vapi, Twilio, Stripe, OpenAI, Anthropic) are HTTPS-only. PMS bridge URLs are validated to be HTTPS before any request is signed and dispatched.

Privileged actions write to a shared audit log table with a typed enumerated action set enum. Practice administrators and platform admins can read filtered audit views from the platform admin console Audit (desktop, full) and the operator dashboard audit view (last 100 mobile + agent-config rows).

Platform admins can export portal-owned Supabase data for a tenant as JSON from `/api/admin/tenant-export?tenant identifier=<uuid>` or the the platform admin console All Tenants export link. The export is scoped to one tenant and omits provider secrets.

Platform admins can suspend a tenant before deletion after confirming the tenant export was taken and presenting the destructive-operations secret. The workflow disables the tenant, revokes affected Supabase auth sessions, and writes a deprovision audit entry.

A platform admin-only hard-delete route deletes portal-owned Supabase rows and safe KB Storage objects in dependency order after destructive-secret verification, deletion preparation, export confirmation, legal-hold check, and provider erasure-status evidence.

Sliding-window rate limiter with configurable window and max-per-identifier. Used on auth endpoints and tenant-scoped proxy routes.

Billing, PMS bridge, and voice-provider webhooks verify provider-specific secrets or HMAC signatures before processing.

Operator runbooks now define how to suspend deletion for legal hold and how to request erasure from subprocessors after tenant deletion preparation. The database has a legal-hold flag per tenant and a per-tenant erasure-status record, and the hard-delete route refuses held tenants or pending provider statuses.

Cron routes under scheduled job require a dedicated scheduler Bearer token. Backend cron routes no longer accept admin API secrets as scheduler credentials.

Cron job failures can emit a notification to a configured Slack/Discord-compatible alert webhook. When unset, failures still log server-side but no remote alert fires.

Sentry initializes only when DSN environment variables are set. Portal and backend Sentry configs set default PII collection disabled and route events through shared scrubbers that redact obvious secrets, auth headers, cookies, emails, phone numbers, patient/caller/transcript fields, and raw request bodies before events are sent.