Security First
Routiq is built with healthcare security and compliance at its core. We understand that you’re trusting us with sensitive patient data, and we take that responsibility seriously.

- Encrypted Data: AES-256 encryption at rest and TLS 1.3 in transit
- Access Control: Row-level security and role-based permissions
- Audit Logs: Complete audit trail of all data access
Security Architecture
Infrastructure
- Cloud Provider: Hosted on Vercel and AWS infrastructure
- Database: Supabase with PostgreSQL 15 and row-level security
- Backups: Automated daily backups with point-in-time recovery
 
Application Security
- Authentication: Supabase Auth with JWT tokens
- Session Management: Secure, HttpOnly cookies with SameSite protection
- API Security: Rate limiting, input validation, parameterized queries
- Security Headers: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Error Monitoring: Sentry integration for tracking and resolving issues
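
The headers and cookie attributes listed above are easy to misconfigure, and the quickest way to catch that is a check that runs against an actual response. The following JavaScript is an added example, not Routiq's code: it audits a header set against the baseline this section names (HSTS with at least a one-year max-age and includeSubDomains, X-Frame-Options DENY or SAMEORIGIN, X-Content-Type-Options nosniff, a Referrer-Policy that does not leak full URLs cross-origin, and Secure, HttpOnly and SameSite on session cookies). The two sample responses are constructed for the example, not captured from Routiq, and the thresholds are the example's own choices.

```javascript
// Added example (not Routiq's code): audit a response's security headers and
// Set-Cookie attributes against the baseline listed on this page. Runs offline
// on constructed header sets; thresholds are this example's own choices.

const ONE_YEAR_SECONDS = 31536000;
const SAFE_REFERRER_POLICIES = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);

// Header names are case-insensitive; normalise them once.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// HSTS is only useful with a long max-age and coverage of subdomains.
function checkHsts(value) {
  if (!value) return 'missing Strict-Transport-Security';
  const m = /max-age=(\d+)/i.exec(value);
  if (!m) return 'HSTS has no max-age';
  if (Number(m[1]) < ONE_YEAR_SECONDS) return `HSTS max-age ${m[1]} is below one year`;
  if (!/includeSubDomains/i.test(value)) return 'HSTS lacks includeSubDomains';
  return null;
}

// A session cookie should be unreadable from script (HttpOnly), never sent over
// plain HTTP (Secure) and not attached to cross-site requests (SameSite).
function checkCookie(setCookie) {
  const findings = [];
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const lower = attrs.map((a) => a.toLowerCase());
  if (!lower.includes('httponly')) findings.push(`cookie ${name} lacks HttpOnly`);
  if (!lower.includes('secure')) findings.push(`cookie ${name} lacks Secure`);
  const sameSite = lower.find((a) => a.startsWith('samesite='));
  if (!sameSite) findings.push(`cookie ${name} lacks SameSite`);
  else if (sameSite === 'samesite=none') findings.push(`cookie ${name} uses SameSite=None`);
  return findings;
}

// Returns an array of findings; an empty array means the response passes.
function auditSecurityHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];
  const hsts = checkHsts(h['strict-transport-security']);
  if (hsts) findings.push(hsts);
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo)) findings.push('X-Frame-Options must be DENY or SAMEORIGIN');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options must be nosniff');
  if (!SAFE_REFERRER_POLICIES.has((h['referrer-policy'] || '').toLowerCase())) findings.push('Referrer-Policy missing or leaks full URLs cross-origin');
  const cookies = [].concat(h['set-cookie'] || []); // Set-Cookie may repeat
  for (const c of cookies) findings.push(...checkCookie(c));
  return findings;
}

// Constructed sample responses (not captured from any real server).
const WEAK_RESPONSE = {
  'X-Frame-Options': 'ALLOW-FROM https://example.com',
  'Referrer-Policy': 'unsafe-url',
  'Set-Cookie': ['session=abc123; Path=/'],
};
const HARDENED_RESPONSE = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Set-Cookie': ['session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
};

console.log('weak response findings:', auditSecurityHeaders(WEAK_RESPONSE));
console.log('hardened response findings:', auditSecurityHeaders(HARDENED_RESPONSE));
```

Run it against a real deployment by feeding `auditSecurityHeaders` the `headers` object from a `fetch` of the login page; the weak sample should produce seven findings and the hardened one none. A Content-Security-Policy check is deliberately left out because the page does not list CSP among the headers it sets.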
 
Data Protection
Encryption
Data at Rest
Sensitive data is encrypted:
- API keys and credentials: AES-256-GCM encryption with a key derived via PBKDF2
- Database storage: Encrypted at rest via Supabase infrastructure
- Patient data: Encrypted at rest with the rest of the database, and additionally protected by row-level security policies (an access-control measure, not an encryption one)
 
Data in Transit
All data in transit is encrypted with TLS (TLS 1.3 where the peer supports it) between:
- Your browser and Routiq servers
- Routiq servers and third-party APIs (Cliniko, Chatwoot, Twilio)
 
Data Retention
| Data Type | Retention Period | Purpose | 
|---|---|---|
| Patient data | While account active | Required for reactivation | 
| Message history | 24 months | Analytics and support | 
| Deleted accounts | 30 days | Account recovery | 
Access Control
Authentication
Multi-Factor Authentication (2FA)
- Optional for all users
- Highly recommended for admins
- TOTP-based (Google Authenticator, Authy, etc.)

Password Requirements
- Minimum 8 characters (recommended: 12+)
- No common passwords (checked against breach databases)
- Password strength validation
- Secure password reset flow
 
Authorization
Role-Based Access Control (RBAC)

| Role | Permissions |
|---|---|
| Owner | Full access to all features, settings, billing |
| Admin | Create campaigns, view analytics, manage patients |
| Member | View-only access to patients and campaigns |

Data Isolation
- You can only access data from your own Cliniko account
- Team members can only see data from practices they’re assigned to
- No cross-practice data leakage
 
API Security
- API Key Encryption: All third-party API keys stored with AES-256-GCM
- Secure Key Storage: Keys stored in isolated vault
- Key Rotation: Ability to rotate keys without downtime
- API Rate Limiting: Protection against brute force and abuse
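
The rate limiting mentioned here and under Application Security above is the control that turns password or API-key guessing from a matter of minutes into a matter of years. The following JavaScript is an added example, not Routiq's code: a sliding-window limiter on failed login attempts keyed by both the client IP and the target account, replayed over a constructed burst of attempts with an injected clock so the outcome is deterministic. The limits, window length and addresses are the example's own choices.

```javascript
// Added example (not Routiq's code): sliding-window limiting of failed login
// attempts, keyed by client IP and by target account, with an injected clock.
// Limits and window are this example's own choices.

class SlidingWindow {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.events = new Map(); // key -> timestamps (ms) of events still inside the window
  }

  // Drop timestamps that have aged out and return the live ones (same array as stored).
  prune(key, nowMs) {
    const live = (this.events.get(key) || []).filter((t) => nowMs - t < this.windowMs);
    this.events.set(key, live);
    return live;
  }

  exceeded(key, nowMs) {
    return this.prune(key, nowMs).length >= this.limit;
  }

  record(key, nowMs) {
    this.prune(key, nowMs).push(nowMs);
  }
}

class LoginRateLimiter {
  // perIp bounds password spraying from one address; perAccount bounds brute
  // force of one account from many addresses. Only failures count, so a
  // legitimate user's successful logins never consume the budget.
  constructor({ perIp = 20, perAccount = 5, windowMs = 15 * 60 * 1000 } = {}) {
    this.byIp = new SlidingWindow(perIp, windowMs);
    this.byAccount = new SlidingWindow(perAccount, windowMs);
  }

  // Call before verifying the password; returns why the attempt is refused, or null.
  blockedReason(ip, account, nowMs) {
    if (this.byIp.exceeded(ip, nowMs)) return 'ip';
    if (this.byAccount.exceeded(account.toLowerCase(), nowMs)) return 'account';
    return null;
  }

  // Call only when the password check fails.
  recordFailure(ip, account, nowMs) {
    this.byIp.record(ip, nowMs);
    this.byAccount.record(account.toLowerCase(), nowMs);
  }
}

// Replay constructed attempts through a fresh limiter. Each attempt says whether
// the password would have been correct; the limiter decides before that is
// checked. Returns one outcome per attempt: 'blocked:<reason>', 'failed' or 'ok'.
function replay(attempts, options) {
  const limiter = new LoginRateLimiter(options);
  return attempts.map(({ ip, account, t, correct }) => {
    const reason = limiter.blockedReason(ip, account, t);
    if (reason) return `blocked:${reason}`;
    if (!correct) {
      limiter.recordFailure(ip, account, t);
      return 'failed';
    }
    return 'ok';
  });
}

// Constructed scenario (not real traffic): an attacker guesses one owner's
// password six times, the real owner then logs in from the clinic, and the
// owner tries again after the window has passed.
const ATTACKER_IP = '203.0.113.5';
const CLINIC_IP = '198.51.100.10';
const WINDOW_MS = 60 * 1000;
const DEMO_ATTEMPTS = [
  ...Array.from({ length: 6 }, (_, i) => ({ ip: ATTACKER_IP, account: 'Owner@clinic.example', t: i * 1000, correct: false })),
  { ip: CLINIC_IP, account: 'owner@clinic.example', t: 7000, correct: true },
  { ip: CLINIC_IP, account: 'owner@clinic.example', t: 7000 + WINDOW_MS, correct: true },
];

console.log(replay(DEMO_ATTEMPTS, { perIp: 20, perAccount: 5, windowMs: WINDOW_MS }));
```

The replay shows the tradeoff a practitioner has to decide on: the sixth guess is refused, but so is the real owner's correct login at t=7000, because five failures against that account are still inside the window. A per-account limit therefore lets anyone who knows an email address lock that user out for the window length; pairing it with a step-up (2FA prompt or CAPTCHA) or an account notification is usually preferable to silent denial. The in-memory Map is per process; on a serverless host such as Vercel the counters have to live in a shared store or the limit is trivially bypassed by hitting different instances.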
 
Compliance
Standards & Frameworks
HIPAA Considerations
While Routiq does not currently claim HIPAA compliance (there is no government-issued HIPAA certification), we implement HIPAA-aligned security controls:

Physical Safeguards
- Data centers with 24/7 security
 - Biometric access controls
 - Environmental controls
 
Technical Safeguards
- Data encryption (at rest and in transit)
- Access controls and authentication
- Audit logs and monitoring
- Automatic logoff

Administrative Safeguards
- Security training
- Incident response plan
- Risk assessments
 
If you’re subject to HIPAA, consult your compliance officer before using messaging features for PHI.
GDPR Compliance
For European practices, Routiq implements GDPR requirements:

Data Subject Rights
- Right to access (data export)
 - Right to erasure (account deletion)
 - Right to portability (data export in standard format)
 - Right to rectification (data correction)
 
Lawful Basis for Processing
- Consent for marketing communications
- Legitimate interest for patient reactivation
- Contract for service delivery

Privacy Safeguards
- Privacy by design
- Data minimization
- Encryption and pseudonymization
- Data breach notification (supervisory authority within 72 hours)
 
SOC 2 Type II
Status: In progress (expected Q2 2025)
We’re working toward SOC 2 Type II certification for:
- Security
- Availability
- Confidentiality
- Processing integrity
 
ISO 27001
Status: Planned for 2026
Future certification for comprehensive information security management.
Regional Compliance
Australia
- Privacy Act 1988
- Australian Privacy Principles (APPs)
- Spam Act 2003 (for messaging)

United States
- HIPAA (Health Insurance Portability and Accountability Act)
- TCPA (Telephone Consumer Protection Act)
- State privacy laws (CCPA, CPRA, etc.)

European Union
- GDPR (General Data Protection Regulation)
- ePrivacy Directive
 
Monitoring & Incident Response
Security Monitoring
- Error Tracking: Sentry integration for application errors
- Access Logs: Authentication and data access logging
- Infrastructure Monitoring: Vercel and Supabase platform monitoring
 
Incident Response
In the event of a security incident:
- Detection: Automated error alerts via Sentry
- Investigation: Root cause analysis
- Notification: Affected users notified within 72 hours (GDPR Article 33 sets the 72-hour deadline for notifying the supervisory authority; Article 34 requires affected individuals to be told without undue delay)
- Remediation: Fixes deployed and verified
 
Access Logging
Application-level events are logged via Sentry:
- Authentication events (login, logout)
- API errors and failures
- Integration sync events
- Campaign execution
 
Third-Party Security
Subprocessors
Routiq uses trusted third-party services:

| Service | Purpose | Security |
|---|---|---|
| Vercel | Application hosting | SOC 2, ISO 27001 | 
| Supabase | Database and auth | SOC 2 Type II | 
| Cliniko | Patient data source | ISO 27001 certified | 
| Twilio | Messaging delivery | SOC 2, ISO 27001, HIPAA eligible | 
| Chatwoot | Messaging platform | Open source, self-hostable | 
API Security
When connecting to third-party APIs:
- All API calls use HTTPS/TLS
- API keys encrypted with AES-256-GCM before storage
- Rate limiting implemented to prevent abuse
- Failed API calls logged for troubleshooting
 
Data Privacy
Data Minimization
We only collect data necessary for patient reactivation.

Required:
- Patient name and contact info
- Appointment history
- Treatment types

Not collected:
- Medical diagnoses
- Test results
- Clinical notes
- Payment information
 
Data Sharing
We never:
- Sell patient data
- Share data with advertisers
- Use data for training AI models or non-service purposes
- Access data without authorization

We only share data with:
- Services you explicitly connect (Cliniko, Chatwoot, Twilio)
- Service providers for infrastructure (Vercel, Supabase)
- Law enforcement (only when legally required)
 
Security Best Practices
For Practice Owners
1. Enable 2FA: Turn on two-factor authentication for all admin accounts
2. Use Strong Passwords: Use unique, complex passwords (12+ characters) or a password manager
3. Review Team Access: Regularly audit team member roles and remove inactive users
4. Monitor Audit Logs: Review security logs monthly for unusual activity
5. Secure API Keys: Store Cliniko/Twilio/Chatwoot credentials securely; don’t share them
6. Educate Team: Train staff on security best practices and phishing awareness
For Team Members
- Lock your device when stepping away
- Don’t share login credentials
- Report suspicious activity immediately
- Use approved devices only
- Don’t access from public WiFi without VPN
 
Vulnerability Disclosure
Found a security issue? We appreciate responsible disclosure:
- Email: support@routiq.ai
- Include: Detailed description, steps to reproduce, impact
- Don’t: Publicly disclose before we’ve fixed the issue
- We will: Acknowledge within 48 hours and work to remediate
 
Security Certifications & Compliance
SOC 2 Type II
Status: Audit in progress with Vanta (expected Q1 2026)
GDPR
Status: Compliance in progress
HIPAA
Status: HIPAA-aligned security controls implemented
We implement industry-standard security controls aligned with healthcare compliance requirements. SOC 2 Type II certification is currently underway.
Questions?
For all support and security questions:
- Email: support@routiq.ai