MOVO-X Canada is engineered with a defence-in-depth approach to protect patient data. Every layer — encryption, authentication, database access, network, and CI/CD — is independently hardened and audited.
max-age=31536000; includeSubDomains, preventing any downgrade to HTTP. The TLS certificate is managed by Vercel with auto-renewal.httpOnly, sameSite=lax, Secure cookies. No tokens are ever written to localStorage or sessionStorage, making them inaccessible to JavaScript and immune to XSS-based token theft.clinicId claim. Every server route verifies the JWT and applies a mandatory WHERE clinicId = :jwt_clinic_id filter to every Prisma query. A compromised credential from Clinic A cannot access Clinic B's data — the application layer enforces this independently of the database layer.clinicId at registration time, verified on every request.SUPER_ADMIN (MOVO-X internal), CLINIC_OWNER, CLINIC_ADMIN, DOCTOR, and RECEPTIONIST. Roles are enforced in both middleware and individual route handlers. No patient PHI is accessible to anonymous users.USING (false) on both the anon and authenticated Postgres roles. Even if the Supabase anon key were leaked, zero rows would be returned. The anon key can only be used for the public queue display screen, which has its own narrowly scoped policy.service_role key (which bypasses RLS) is never sent to the browser. It is only used by Vercel Functions running in the Node.js runtime, and it is stored in Vercel's encrypted environment variable store. The key is rotated on a quarterly schedule.DATABASE_URL points to the pooler, limiting max open connections. Direct Postgres access (port 5432) is used only for migrations and admin scripts — never from production application code.pnpm audit runs on every push. High and critical CVEs in direct dependencies block deployment. Dependabot alerts are triaged weekly.ca-central-1 (Montréal, Québec). The Vercel production region is yul1 (also Montréal). No patient personal information is replicated to servers outside Canada. Cross-border support access requires a Law 25 Privacy Impact Assessment.X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, a strict Content-Security-Policy, and Permissions-Policy blocking camera and geolocation APIs.Full security architecture documentation, penetration test reports, and SOC 2 artefacts are available under NDA to healthcare organisations evaluating MOVO-X.