Security at DisabilityProAI
Because we handle your clients' medical and legal records, security isn't an afterthought: it's built into every layer of the platform, from the database to the browser. Below is an overview of the safeguards in place today.
1. Data Protection
| Layer | Safeguard | What it means for you |
|---|---|---|
| Encryption in transit | All traffic travels over TLS 1.3 with HSTS preloading | Your data is unreadable to anyone on the wire. |
| Encryption at rest | Database files, object storage, and backups are encrypted with AES-256 | Even if disks were removed, content would remain protected. |
| Daily encrypted backups | Automated point-in-time snapshots with 35-day retention | We can restore your workspace quickly if you ever need it. |
2. Application-Level Controls
- Row-Level Security (RLS) – Every query is evaluated so users only see their own cases, documents, pages, and chat history.
- Fine-grained Storage Policies – A private document bucket plus policies that verify both the bucket and the case owner before any file is read or written.
- Normalized Filenames – Uploaded files are renamed to random UUIDs to prevent path or execution attacks.
- Two-Factor Authentication (2FA) – Time-based one-time passwords (TOTP) are supported for all accounts; admins can require it workspace-wide.
- Rate-Limiting & Brute-Force Defense – Sign-in, chat, and upload endpoints throttle repeated attempts by IP and account to stop automated attacks.
- Anti-CSRF Guard – API routes validate the Origin header and reject state-changing requests that don't originate from our own domains.
- XSS Hardening – All chat content is rendered from Markdown that is sanitized with an allow-list cleaner before reaching the browser.
- Security Headers – Strict CSP, X-Frame-Options: DENY, Referrer-Policy: same-origin, and Permissions-Policy with camera, microphone, and geolocation disabled.
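To make the anti-CSRF guard and the security-header items above concrete, here is an added example written for this page; it is not DisabilityProAI's code. It is a pure Node.js request filter: state-changing methods must carry an Origin (or, as a fallback, a Referer) whose scheme and host are on an allow-list, and every response, including a rejection, carries the headers listed above. The allowed origins, the exact CSP directives, and the Referer fallback are assumptions for illustration; header names are lower-cased as Node's `IncomingMessage` delivers them.

```javascript
// Added example (not DisabilityProAI's code): Origin-header CSRF guard plus the
// security headers from the list above, as a framework-free Node.js filter.
// Allowed origins and CSP directives are assumptions for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.test", // constructed placeholder for the real app domain
  "https://www.example.test",
]);

// Methods that can change state and therefore must prove where they came from.
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Response headers mirroring the page's list; the CSP value is an assumption.
const SECURITY_HEADERS = {
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "same-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
};

// Reduce an Origin/Referer value to "scheme://host[:port]", or null if it does
// not parse (this also covers the literal "null" origin browsers send for
// opaque contexts, which we treat as untrusted).
function originOf(value) {
  if (!value) return null;
  try {
    const u = new URL(value);
    return `${u.protocol}//${u.host}`;
  } catch {
    return null;
  }
}

// Safe methods always pass. State-changing requests need an allow-listed
// Origin, falling back to Referer. A missing header is rejected rather than
// trusted: browsers attach Origin to cross-site POSTs, so its absence is not
// evidence that the request came from our own pages.
function checkOrigin(method, headers) {
  if (!STATE_CHANGING.has(String(method).toUpperCase())) return { ok: true };
  const origin = originOf(headers["origin"]) ?? originOf(headers["referer"]);
  if (origin === null) return { ok: false, reason: "missing Origin/Referer" };
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: `untrusted origin ${origin}` };
  return { ok: true };
}

// Pure handler: returns the status and headers that would be written, without
// touching a socket, so it can be wired into http.createServer or unit-tested.
// Security headers are applied even on the 403 path.
function handle(req) {
  const headers = { ...SECURITY_HEADERS };
  const verdict = checkOrigin(req.method, req.headers);
  return verdict.ok
    ? { status: 200, headers }
    : { status: 403, headers, reason: verdict.reason };
}
```

Note that exact-match comparison on the normalised `scheme://host` string is what defeats look-alike origins such as `https://app.example.test.attacker.test`; a prefix or substring check would not.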
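The "Normalized Filenames" item above is worth seeing in code, so here is an added example, not DisabilityProAI's own upload handler. The idea it demonstrates is that nothing the client sent survives into the storage key except an allow-listed extension: the object key becomes `cases/<caseId>/<uuid>.<ext>`, the case id must itself be a UUID so the prefix cannot be steered, and the content type comes from the allow-list rather than from the request. The extension list, the key layout, and the `normalizeUpload` function name are assumptions.

```javascript
// Added example (not DisabilityProAI's code): rename an upload to a random UUID
// so the client-supplied name never reaches a filesystem path or a URL.
// The extension allow-list and the key layout are assumptions.
const nodeCrypto = globalThis.crypto ?? require("crypto"); // works in CJS and in Node 19+ ESM

// Extensions we are willing to preserve, with the content type we will serve.
// Anything else is stored as ".bin" and served as an opaque octet stream.
const ALLOWED_EXT = new Map([
  ["pdf", "application/pdf"],
  ["png", "image/png"],
  ["jpg", "image/jpeg"],
  ["jpeg", "image/jpeg"],
  ["docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document"],
  ["txt", "text/plain"],
]);

// Shape check for the case id that forms the storage prefix.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Take only the final path segment (so "../../etc/passwd" or "C:\..\x" cannot
// contribute directories) and return its lower-cased extension, or null when
// there is none (".bashrc", "name." and bare names all yield null).
function extensionOf(originalName) {
  const base = String(originalName).split(/[\\/]/).pop() ?? "";
  const dot = base.lastIndexOf(".");
  if (dot <= 0 || dot === base.length - 1) return null;
  return base.slice(dot + 1).toLowerCase();
}

// Build the storage record for an upload. `uuidFn` is injectable so a test can
// pin the generated name; production code uses the real randomUUID.
function normalizeUpload(caseId, originalName, uuidFn = () => nodeCrypto.randomUUID()) {
  if (!UUID_RE.test(String(caseId))) throw new Error("caseId must be a UUID");
  const ext = extensionOf(originalName);
  const allowed = ext !== null && ALLOWED_EXT.has(ext);
  const storedExt = allowed ? ext : "bin";
  return {
    key: `cases/${String(caseId).toLowerCase()}/${uuidFn()}.${storedExt}`,
    // Content type is decided here, never copied from the client's header.
    contentType: allowed ? ALLOWED_EXT.get(ext) : "application/octet-stream",
    // The original name is kept for display only: control characters stripped, length clipped.
    displayName: String(originalName).replace(/[\x00-\x1f\x7f]/g, "").slice(0, 120),
  };
}
```

Because the stored name is random and the extension is chosen from a fixed list, a name like `report.pdf.exe` lands as `<uuid>.bin`, and a traversal string contributes nothing to the key at all.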
3. Infrastructure Safeguards
- Isolated, containerized runtime – Each deploy runs inside a dedicated container that starts as non-root and is rebuilt from an immutable image on every deployment.
- Managed network edge – A global anycast network terminates TLS, filters malicious traffic, and enforces WAF rules before a request ever reaches our app.
- Private database networking – The database is not addressable from the public Internet; only the application and admin bastion can connect.
- Automatic vulnerability patching – Underlying OS images receive kernel and OpenSSL security updates as soon as they are published.
4. Monitoring & Incident Response
- Real-time log streaming to an external SIEM for long-term retention and anomaly detection.
- Custom alerts for failed login bursts, abnormal upload sizes, and unexpected database policy violations.
- 24 × 7 automated health checks – If an instance becomes unhealthy, traffic is rerouted and a new node is launched automatically.
- Quarterly disaster-recovery drills – We rehearse full-stack restores from backup to verify that every step (database, storage, DNS) is repeatable.
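The alert rules for failed-login bursts and abnormal upload sizes are easy to state but worth seeing executed over real-looking data, so here is an added example written for this page (it is not DisabilityProAI's SIEM configuration). It parses constructed JSON log lines, runs a sliding-window count of failures keyed by both IP and account, and flags uploads above a size ceiling. The same sliding-window counting is what an inline rate limiter, as described under Rate-Limiting above, uses to throttle a source; here it is applied offline for detection. The field names, thresholds, sample events and function names are all assumptions.

```javascript
// Added example (not DisabilityProAI's code): two of the alert rules from the
// list above, run over constructed JSON log lines. Field names, thresholds and
// the events themselves are assumptions for illustration.
const SAMPLE_LOG = `
{"ts":"2024-05-01T10:00:00Z","event":"login_failed","ip":"203.0.113.7","account":"a1@example.test"}
{"ts":"2024-05-01T10:00:05Z","event":"login_failed","ip":"203.0.113.7","account":"a2@example.test"}
{"ts":"2024-05-01T10:00:09Z","event":"login_failed","ip":"203.0.113.7","account":"a3@example.test"}
{"ts":"2024-05-01T10:00:14Z","event":"login_failed","ip":"203.0.113.7","account":"a4@example.test"}
{"ts":"2024-05-01T10:00:20Z","event":"login_failed","ip":"203.0.113.7","account":"a5@example.test"}
{"ts":"2024-05-01T10:00:25Z","event":"login_ok","ip":"198.51.100.4","account":"jane@example.test"}
{"ts":"2024-05-01T10:00:30Z","event":"login_failed","ip":"198.51.100.4","account":"jane@example.test"}
{"ts":"2024-05-01T10:01:00Z","event":"upload","ip":"198.51.100.4","account":"jane@example.test","bytes":2400000}
{"ts":"2024-05-01T10:02:00Z","event":"upload","ip":"198.51.100.4","account":"jane@example.test","bytes":734003200}
not json at all
`.trim().split("\n");

// Thresholds are assumptions; tune them to the workspace's normal traffic.
const RULES = {
  failedLoginBurst: { threshold: 5, windowMs: 60_000 }, // 5 failures within 60 s per IP or per account
  uploadSizeBytes: 50 * 1024 * 1024,                    // anything over 50 MiB is flagged
};

// Parse one JSON object per line, skipping malformed lines, and order by time
// so the sliding window sees events in sequence.
function parseLines(lines) {
  const events = [];
  for (const line of lines) {
    try { events.push(JSON.parse(line)); } catch { /* malformed line: skip */ }
  }
  return events.sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
}

// Sliding-window count per key. Keying by IP catches one source spraying many
// accounts (credential stuffing); keying by account catches many sources
// hammering one login. The window is cleared after an alert so one burst
// produces one alert rather than one per extra failure.
function detectFailedLoginBursts(events, { threshold, windowMs }) {
  const alerts = [];
  const windows = new Map();
  for (const e of events) {
    if (e.event !== "login_failed") continue;
    const t = Date.parse(e.ts);
    for (const key of [`ip:${e.ip}`, `account:${e.account}`]) {
      const q = windows.get(key) ?? [];
      while (q.length && t - q[0] > windowMs) q.shift(); // drop failures outside the window
      q.push(t);
      if (q.length >= threshold) {
        alerts.push({ rule: "failed_login_burst", key, count: q.length, at: e.ts });
        q.length = 0;
      }
      windows.set(key, q);
    }
  }
  return alerts;
}

// Flat ceiling on upload size; a ratio against the account's usual size would be
// the next refinement.
function detectAbnormalUploads(events, maxBytes) {
  return events
    .filter((e) => e.event === "upload" && Number(e.bytes) > maxBytes)
    .map((e) => ({ rule: "abnormal_upload_size", key: `account:${e.account}`, bytes: e.bytes, at: e.ts }));
}

// Run every rule over a batch of raw log lines and return the combined alerts.
function runDetections(lines, rules = RULES) {
  const events = parseLines(lines);
  return [
    ...detectFailedLoginBursts(events, rules.failedLoginBurst),
    ...detectAbnormalUploads(events, rules.uploadSizeBytes),
  ];
}
```

On the sample above this yields two alerts: a burst on `ip:203.0.113.7` at the fifth failure (no single account reached the threshold, which is exactly why the IP key matters), and the 734 MB upload; the single failure from the second address stays below the threshold.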
5. Compliance-Friendly by Design
- HIPAA-ready architecture – Encryption everywhere, audit logging, and strict access controls form the foundation required for handling PHI.
- Data residency – All primary and backup data stays within U.S.-based data centers.
- Least-privilege access – Internal staff accounts are scoped to the minimum set of projects and actions they need to support you.
Our Commitment
We continually review new controls and run third-party penetration tests to keep raising the bar. If you have security questions, need our latest penetration-test summary, or want to report a vulnerability, email security@disabilityproai.com (PGP key available on request).
Your trust powers DisabilityProAI, and protecting that trust is our highest priority.