Security & Compliance at NotedRx

Healthcare practices trust NotedRx to help them navigate one of the most sensitive regulatory environments in any industry. We take that responsibility seriously — from the way AI responses are generated to the infrastructure that runs the platform.

This page explains how NotedRx approaches HIPAA compliance, data security, access controls, and infrastructure so you can make an informed decision about using our platform. Read our full HIPAA approach, or learn about the team behind NotedRx.

Our Approach to HIPAA

HIPAA compliance for public review responses requires more than a policy — it requires technical enforcement. NotedRx implements four independent layers of protection on every response generated.

Layer 1: Prompt Engineering

Every AI request is prefixed with detailed, explicit HIPAA rules. The model is instructed to never confirm a patient relationship, reference clinical details, mention appointments or procedures, or include any information that could constitute PHI in a public response.

Layer 2: Regex Pattern Matching

Before any response is returned to you, it passes through a library of 100+ red-flag patterns. This layer catches common HIPAA pitfalls — including appointment references, clinical language, and name acknowledgments — independently of whatever the model produced, so it does not rely on the model having followed its instructions.

Layer 3: AI Compliance Analyzer

A separate AI model reviews every generated response specifically for HIPAA violations. This second-pass analysis is independent from the generation model, providing a cross-check that catches subtle issues the regex layer may not cover.

Layer 4: Automatic Retry

If the compliance analyzer detects a high-risk violation in a generated response, NotedRx automatically discards that response and regenerates it — without any action required from your team. You only see responses that have passed all layers.
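The four layers above, modelled as an added example (this is not NotedRx's own code): the rule prefix, a constructed sample of red-flag patterns, and a regenerate loop around two assumed callbacks, `generate` and `analyze`, which stand in for the generation model and the separate analyzer model.

```javascript
// Layer 1: the rule text prefixed to every request (wording is this example's).
const HIPAA_RULES =
  'Never confirm that the reviewer is a patient, never reference clinical details, ' +
  'appointments or procedures, and never include anything that could be PHI.';

// Constructed sample of red-flag patterns; the page says the real library has 100+.
const RED_FLAGS = [
  { name: 'appointment reference', re: /\b(appointment|visit|follow[- ]?up|scheduled)\b/i },
  { name: 'clinical language', re: /\b(diagnos\w*|prescri\w*|surgery|treatment|symptoms?)\b/i },
  { name: 'patient acknowledgment', re: /\b(our patient|your (visit|care|procedure))\b/i },
];

function buildPrompt(review) {
  return `${HIPAA_RULES}\n\nPublic review:\n${review}\n\nDraft a reply.`;
}

// Layer 2: regex screen applied to the draft, independent of the model's judgment.
function regexFlags(draft) {
  return RED_FLAGS.filter(f => f.re.test(draft)).map(f => f.name);
}

// Layers 3 and 4: generate -> regex -> analyzer; a flagged or high-risk draft is
// discarded and regenerated. `generate(prompt, attempt)` and `analyze(draft)` are
// assumed callbacks (shown synchronous here; real model calls would be async).
function generateCompliantResponse(review, generate, analyze, maxAttempts = 3) {
  const prompt = buildPrompt(review);
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const draft = generate(prompt, attempt);
    const flags = regexFlags(draft);
    const verdict = analyze(draft); // expected shape: { risk: 'low' | 'high' }
    if (flags.length === 0 && verdict.risk !== 'high') {
      return { ok: true, response: draft, attempts: attempt };
    }
  }
  // Fail closed: the caller never sees a draft that failed any layer.
  return { ok: false, response: null, attempts: maxAttempts };
}

// Constructed stand-ins: the first draft leaks an appointment reference, the second
// is clean; the fake analyzer only looks for an explicit relationship confirmation.
const DRAFTS = [
  'Thanks for coming to your appointment last Tuesday; we hope you feel better.',
  'Thank you for the feedback. We welcome anyone with concerns to contact our office directly.',
];
const fakeGenerate = (_prompt, attempt) => DRAFTS[Math.min(attempt, DRAFTS.length) - 1];
const fakeAnalyze = draft => ({ risk: /\bour patient\b/i.test(draft) ? 'high' : 'low' });
const result = generateCompliantResponse('Waited forever and the staff was rude.', fakeGenerate, fakeAnalyze);
console.log(result.attempts, result.response); // 2, the clean second draft
```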

Data Security

AES-256-GCM Encryption for OAuth Tokens

OAuth access tokens for connected review platforms are encrypted at rest using AES-256-GCM before being stored. Keys are managed separately from the database.

Row-Level Security (RLS)

Supabase Row-Level Security policies enforce strict data isolation at the database level. Your practice data is only accessible to authenticated users associated with your account — not other tenants.

No PHI Storage

NotedRx generates responses to public reviews. It does not store, access, or transmit Protected Health Information. The reviews you paste in are processed transiently to generate a response and are not retained as patient records.

SSL/TLS in Transit

All data in transit is encrypted via TLS. There are no unencrypted communication paths between your browser, our application servers, and our database.

Access Controls

Supabase Authentication

User authentication is handled by Supabase Auth, which implements industry-standard secure session management including JWT-based tokens and secure cookie storage.

Practice-Level Data Isolation

Each practice account operates in its own isolated data context. Users can only access data belonging to their own practice — enforced at the database layer, not just the application layer.

Admin Access Controls

Internal admin access is restricted and audited. Production database access requires authentication and is not available to general staff.

Infrastructure

Vercel — SOC 2 Compliant Infrastructure

NotedRx is hosted on Vercel, which maintains SOC 2 Type II compliance. Vercel's infrastructure provides DDoS protection, automatic HTTPS, and global edge delivery.

Supabase — SOC 2 Type II Database

The NotedRx database runs on Supabase, which is SOC 2 Type II certified. Supabase provides automated backups, point-in-time recovery, and encrypted storage.

Sentry Error Monitoring

Application errors are captured with Sentry. Sentry is configured to scrub and exclude PII from error reports — stack traces and error context do not contain patient data.

Responsible Disclosure

If you discover a security vulnerability in NotedRx, please report it to us at support@notedrx.com. Please include a description of the vulnerability, steps to reproduce it, and any supporting evidence. We will acknowledge your report within 48 hours and work to address confirmed vulnerabilities promptly.

We ask that you do not publicly disclose a vulnerability until we have had a reasonable opportunity to investigate and remediate it. We appreciate responsible security research and take all reports seriously.

Important Disclaimer

NotedRx is designed to help healthcare practices generate compliant responses to public reviews. It does not guarantee HIPAA compliance. HIPAA compliance is the responsibility of your practice and your designated Privacy Officer.

All responses should be reviewed by your team before posting. NotedRx provides a draft — your staff provides the final judgment.

NotedRx is not a covered entity under HIPAA and does not function as a Business Associate in the context of responding to public reviews. NotedRx does not access, store, or transmit Protected Health Information. The reviews you submit are public text already posted by patients on third-party platforms.

If you have questions about your practice's specific compliance obligations, consult a qualified healthcare attorney or compliance professional.

Ready to respond to reviews safely?

Start generating HIPAA-aware review responses in seconds. No long-term contract required. See our full compliance and response features.