Demo environment. Do not enter real Protected Health Information (PHI). Use synthetic data only until production BAA infrastructure is wired.

Security posture

An honest map for IT reviewers

We will not pretend the prototype is what the production fortress will be. This page tells you exactly where on the maturity curve we are today, and what is on the next ticket.

Shipped today

Authentication

Email and Google sign-in. MFA enrollment is available. Sessions are logged out automatically after 15 minutes idle.

Encrypted at rest & in transit

AES-256 at rest and TLS 1.2+ in transit, both enforced by the managed Postgres provider. Provider-managed encryption at rest protects the storage layer (disks, snapshots, backups); it does not shield data from anyone holding a valid database credential, which is why the row-level security and audit controls below carry the weight.

Row-level security

Row-level security is enabled on every table. Nurses see only their own rows; admin access is gated by a lookup against a separate roles table.

Cryptographic Approve & Sign

Every signed chart stores a SHA-256 hash binding the AI output, the final text, the RN license ID, the user ID, the caller's IP, and the timestamp. The hash is a tamper-evidence fingerprint rather than a digital signature: it proves those fields have not changed since signing, provided the fields are stored alongside it so the hash can be recomputed.

Append-only audit log

No UPDATE or DELETE policies exist on the audit table, so with RLS enabled those statements match zero rows for any application role. Immutability is enforced at the database, not just in the app. The honest caveat: superusers and other connections that bypass RLS are not bound by policies, so the guarantee covers every connection that goes through RLS, and those privileged connections are an operational control.
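The following is an added example, not the project's own schema, showing one way to express the row-level security and append-only audit rules from the two items above in plain PostgreSQL. Table, column and role names are assumptions. The caller's identity is read from a per-transaction setting (app.user_id) that the application sets after authenticating; a managed provider's own auth helper would take its place.

```sql
-- Added example (assumed names throughout): RLS plus append-only audit log.
create function app_user_id() returns uuid
language sql stable as $$
  select nullif(current_setting('app.user_id', true), '')::uuid
$$;

create role app_user nologin;          -- the role the application connects as

create table user_roles (
  user_id uuid primary key,
  role    text not null check (role in ('nurse', 'admin'))
);

create table charts (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null,
  body     text not null
);

create table audit_log (
  id          bigint generated always as identity primary key,
  actor_id    uuid        not null,
  action      text        not null,
  record_hash bytea       not null,      -- SHA-256 of the signed record
  created_at  timestamptz not null default now()
);

-- Layer 1: privileges. The app role never receives UPDATE/DELETE on the log.
grant select, insert, update, delete on charts     to app_user;
grant select, insert                 on audit_log  to app_user;
grant select                         on user_roles to app_user;

-- Layer 2: row-level security. FORCE applies the policies to the table
-- owner as well; owners otherwise bypass RLS.
alter table charts    enable row level security;
alter table audit_log enable row level security;
alter table charts    force row level security;
alter table audit_log force row level security;

-- Nurses read and write only rows they own.
create policy charts_own on charts
  for all
  using (owner_id = app_user_id())
  with check (owner_id = app_user_id());

-- Admin status comes from the roles table, not from anything the client sends.
create policy charts_admin_read on charts
  for select
  using (exists (select 1 from user_roles r
                 where r.user_id = app_user_id() and r.role = 'admin'));

-- Audit log: a caller may append rows as itself and read its own rows.
-- There is deliberately no UPDATE or DELETE policy, so with RLS enabled
-- those statements match zero rows even if a privilege were ever granted.
create policy audit_append on audit_log
  for insert
  with check (actor_id = app_user_id());

create policy audit_read_own on audit_log
  for select
  using (actor_id = app_user_id());

-- Layer 3: a trigger that also stops superusers and BYPASSRLS connections
-- from rewriting history without first dropping the trigger, a DDL change
-- that shows up in database logs.
create function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only (attempted %)', tg_op;
end
$$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- Check as the application role (placeholder digest; real rows store SHA-256):
begin;
  select set_config('app.user_id', '11111111-1111-1111-1111-111111111111', true);
  set local role app_user;
  insert into audit_log (actor_id, action, record_hash)
    values ('11111111-1111-1111-1111-111111111111', 'approve_and_sign', '\x00');
  select count(*) from audit_log;       -- 1: the caller's own row is visible
commit;
-- As app_user:  delete from audit_log;  --> ERROR: permission denied for table audit_log
-- As the owner: delete from audit_log;  --> ERROR: audit_log is append-only (attempted DELETE)
```

The three layers fail independently: revoking the privilege stops the ordinary case, the missing policy covers a mistaken future GRANT, and the trigger catches connections that RLS never sees.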

Server-side license gate

Signing is rejected server-side if the caller's RN license is not in 'verified' status. UI checks alone are not trusted.

On the roadmap

  1. BAA-covered LLM endpoint

    Swap the demo AI gateway for Azure OpenAI or AWS Bedrock under a signed BAA. The aiProvider interface is already abstracted.

  2. Real Nursys API integration

    Replace the manual review queue with live Nursys calls (state, license number, identity, encumbrance status).

  3. AWS Comprehend Medical

    Replace the regex PHI redaction with clinical-grade de-identification.

  4. SOC 2 Type I & II

    Vanta/Drata-driven controls, third-party pen test, annual audit.

Out of scope for the prototype

  1. Real PHI ingestion

    Site-wide non-dismissible banner forbids it. Synthetic data only until the BAA stack is live.

  2. Mobile native apps

    Web-first. Mobile follows once the security baseline is certified.

  3. EMR write-back

    Read-only synthesis for now. Direct Epic / Cerner integrations come after pilot validation.

The Liability Engine in one paragraph

When a nurse clicks Approve & Sign, the server computes a SHA-256 hash over the AI output, the final edited text, the verified RN license ID, the user ID, the timestamp, and the IP address. That hash is stored, together with the fields it covers, in a row that no role subject to RLS, admin accounts included, can update or delete, because the audit table has no UPDATE or DELETE RLS policies. Superuser and other RLS-bypassing database connections sit outside that guarantee and are controlled operationally rather than by policy. This is the legal firewall the BYOL model rests on.
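As an added example, not the project's code, here is the Approve & Sign path from the paragraph above combined with the server-side license gate from the Shipped today list: a canonical serialization of the signed fields, the SHA-256 fingerprint over it, and a verifier that recomputes the hash from a stored audit row. The field names, the in-memory license registry standing in for the manual review queue, and the list used as an audit store are all assumptions.

```python
"""Added example: canonical SHA-256 fingerprint for an Approve & Sign event,
with the server-side RN license gate. Names and stores are assumptions."""
import hashlib
import json
from dataclasses import asdict, dataclass

# Constructed sample registry standing in for the manual review queue / Nursys.
LICENSES = {
    "RN-CA-000001": "verified",
    "RN-CA-000002": "pending",
}


class SigningRejected(Exception):
    """Raised when the caller's license is not in 'verified' status."""


@dataclass(frozen=True)
class SignEvent:
    ai_output: str
    final_text: str
    license_id: str
    user_id: str
    ip: str
    timestamp: str  # RFC 3339 string, produced server-side, never by the client


def canonical_bytes(event: SignEvent) -> bytes:
    # Sorted keys, fixed separators, UTF-8: the same fields always serialize to
    # the same bytes, so a later recomputation of the hash is meaningful.
    return json.dumps(
        asdict(event), sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def record_hash(event: SignEvent) -> str:
    return hashlib.sha256(canonical_bytes(event)).hexdigest()


def approve_and_sign(event: SignEvent, audit_log: list) -> str:
    # Server-side gate: the UI's own check is not trusted. An unknown license
    # falls through to rejection the same way a 'pending' one does.
    if LICENSES.get(event.license_id) != "verified":
        raise SigningRejected(f"license {event.license_id} is not verified")
    digest = record_hash(event)
    # Store the covered fields with the hash; a bare hash cannot be re-checked.
    audit_log.append({**asdict(event), "sha256": digest})
    return digest


def verify_audit_row(row: dict) -> bool:
    # Recompute from the stored fields; any edit to any field changes the hash.
    fields = {k: v for k, v in row.items() if k != "sha256"}
    return record_hash(SignEvent(**fields)) == row["sha256"]


if __name__ == "__main__":
    log: list = []
    ev = SignEvent("draft note", "final note", "RN-CA-000001", "u1",
                   "203.0.113.7", "2024-01-01T00:00:00Z")
    print(approve_and_sign(ev, log))
    print(verify_audit_row(log[0]))                       # True
    print(verify_audit_row(dict(log[0], final_text="x")))  # False
```

The hash proves the stored fields are the ones that were signed, which is all a plain SHA-256 can do; anyone who can write the audit table can also compute a matching hash for altered fields, so the evidentiary weight rests on the table being append-only. A keyed construction (an HMAC with a server-held key, or a per-user signature) would be the next step if the row writer itself ever needs to be distrusted; that is a design choice beyond what the page describes.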