Security

Enterprise Security Without the PHI Risk

FormCheckRx was designed from day one to handle zero patient data. This page documents our complete security architecture for IT directors, compliance officers, and procurement teams.

Foundation

No PHI Architecture

FormCheckRx never receives, stores, processes, or transmits Protected Health Information as defined by 45 CFR §160.103. The platform accepts two inputs: a drug name and a state. It returns formulary reference data. No patient identifiers enter the system at any point.

CONSEQUENCE 01

No Business Associate Agreement Required

Eliminates the contract negotiation that averages 49 days per vendor (Ironclad, 2025). Business associates are implicated in 34% of all reported healthcare breaches in 2025 (HHS OCR). Your legal team does not need to review FormCheckRx as a business associate because it does not qualify as one under HIPAA.

CONSEQUENCE 02

No Breach Liability

Healthcare has been the costliest sector for data breaches for 14 consecutive years (IBM, 2025). In 2024, U.S. healthcare organizations reported 725 large breaches — nearly two per day (HHS OCR). With the average incident costing $10.22 million and taking 279 days to identify, FormCheckRx adds zero breach exposure because there is no patient data in the system.

CONSEQUENCE 03

No HIPAA Compliance Overhead

No security risk assessments related to FormCheckRx. No workforce training requirements. No audit obligations. No annual BAA reviews. HIPAA civil penalties can reach $1.5 million per year for identical violations. FormCheckRx eliminates this entire category of exposure — your HIPAA compliance program is not affected by deploying it.

What We Collect — and What We Never Touch

Data We Collect
  • Email address — for account authentication only
  • Encrypted password hash — never stored in plaintext
  • State preference — to pre-select your state on login
  • Plan tier and billing status — processed by Stripe; we do not store card numbers
  • Search queries — drug name and state only; no patient context attached
  • Device information — for session security and single-device enforcement
  • Usage metrics — queries used, last active date

Data We Never Collect
  • Patient names, dates of birth, or demographics
  • Diagnosis codes (ICD-10) or procedure codes (CPT)
  • Insurance member IDs or claims data
  • Medical record numbers (MRN)
  • Prescription data linked to a specific patient
  • Social Security numbers or government ID numbers
  • Any data that could identify a specific patient

Technical Security Controls

Encryption

All data encrypted in transit via TLS 1.2+ with downgrade attack blocking. Database encrypted at rest via Supabase AES-256. No unencrypted data transmission at any layer of the stack. API keys stored as encrypted environment variables — never exposed to the client browser.

Authentication

Email verification required on account creation. Six-digit device verification codes on new device login. Single-device session enforcement — logging in on a new device terminates existing sessions. Three consecutive failed login attempts trigger automatic lockout and password reset. Session tokens expire and are not replayable.

Access Control

Row-level database security (RLS) on every table — users can only access records associated with their authenticated account. Service credentials are never exposed to the browser. Admin access requires separate authentication with email verification on every login. No shared admin credentials.

Rate Limiting & DDoS Protection

Per-endpoint rate limiting on all API routes with separate limits for authentication, search, and administrative endpoints. Cloudflare Web Application Firewall (WAF) provides DDoS protection and blocks known attack patterns. Each query executes in an isolated function context — no shared server process, no persistent state between requests.
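To make "separate limits for authentication, search, and administrative endpoints" concrete, here is an added sliding-window rate limiter keyed by client and endpoint class. It is example code, not FormCheckRx's or Cloudflare's implementation; the route prefixes, the per-class budgets and the `clientId` parameter (an IP or account id supplied by the caller) are assumptions.

```javascript
// Added example, not FormCheckRx code: per-endpoint-class sliding-window rate
// limiting. Limits and route prefixes are assumptions chosen for illustration.
const LIMITS = {
  auth:   { max: 5,  windowMs: 60_000 }, // login/verification: tightest budget
  search: { max: 60, windowMs: 60_000 }, // formulary lookups
  admin:  { max: 20, windowMs: 60_000 },
};

// Map a request path to its endpoint class; null for anything unrecognised.
function classifyRoute(path) {
  if (path.startsWith("/api/auth/")) return "auth";
  if (path.startsWith("/api/admin/")) return "admin";
  if (path.startsWith("/api/search")) return "search";
  return null;
}

function createLimiter(limits = LIMITS) {
  return { limits, buckets: new Map() }; // key -> sorted array of timestamps
}

// Returns { allowed, remaining, retryAfterMs }. The key combines the client
// identity with the endpoint class, so exhausting the search budget does not
// consume the auth budget and vice versa. Unknown routes fail closed.
function checkRequest(limiter, clientId, path, now = Date.now()) {
  const cls = classifyRoute(path);
  if (cls === null) {
    return { allowed: false, remaining: 0, retryAfterMs: 0, reason: "unknown route" };
  }
  const { max, windowMs } = limiter.limits[cls];
  const key = `${clientId}:${cls}`;
  // Drop timestamps that have aged out of the window, then count what remains.
  const stamps = (limiter.buckets.get(key) || []).filter((t) => now - t < windowMs);
  if (stamps.length >= max) {
    limiter.buckets.set(key, stamps);
    // The oldest in-window request determines when capacity frees up.
    return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + windowMs - now };
  }
  stamps.push(now);
  limiter.buckets.set(key, stamps);
  return { allowed: true, remaining: max - stamps.length, retryAfterMs: 0 };
}
```

A production limiter at the edge would keep these counters in shared storage rather than process memory (which is exactly why the isolated, stateless function model described above needs the limit enforced in front of the functions rather than inside them), and would surface `retryAfterMs` as a `Retry-After` header on the 429 response.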

Third-Party Security Certifications

All third-party infrastructure vendors are selected for their compliance certifications. The following table reflects the compliance posture of each vendor as of the most recent published certification.

Supabase
  Purpose: Database, authentication, row-level security
  Compliance certifications: SOC 2 Type II; HIPAA Eligible
  Notes: All data stored in Supabase-managed infrastructure. RLS enforced at the database layer.

Vercel
  Purpose: Application hosting, edge network, serverless functions
  Compliance certifications: SOC 2 Type II; ISO 27001
  Notes: Each query runs in an isolated serverless function. No persistent server processes.

Stripe
  Purpose: Payment processing, subscription management
  Compliance certifications: PCI DSS Level 1
  Notes: Card numbers are never transmitted to or stored on FormCheckRx infrastructure.

Cloudflare
  Purpose: DDoS protection, DNS, WAF, CDN
  Compliance certifications: SOC 2 Type II; ISO 27001
  Notes: All traffic routes through Cloudflare. Rate limiting and WAF rules applied at the edge.

Resend
  Purpose: Transactional email (verification codes, notifications)
  Compliance certifications: SOC 2 Type II
  Notes: Only email addresses and authentication codes transmitted. No patient data.

Current Compliance Status

We report compliance status honestly. Items are listed as completed, in progress, or planned — not as achieved until they are.

✓ Completed
  • Static security audit (April 2026)
  • TLS 1.2+ with downgrade attack blocking
  • Row-level database security on all tables
  • Per-endpoint rate limiting
  • Device verification system (6-digit codes)
  • Single-device session enforcement
  • 3-attempt login lockout
  • Data isolation (verified vs. AI-generated entries)
  • Full audit logging of administrative actions
  • Vulnerability disclosure program

↻ In Progress
  • SOC 2 Type II preparation
  • Annual penetration testing — third-party firm engaged
  • WCAG 2.1 AA accessibility audit
  • Formal security policy documentation
  • Incident response plan formalization

○ Planned
  • SSO/SAML integration for enterprise accounts
  • TOTP multi-factor authentication
  • API key management with per-key rate limiting
  • Formal penetration test report (post-engagement)
  • SOC 2 Type II report publication

Report a Security Concern

Contact our security team

To report a potential security vulnerability, request our security documentation for procurement review, or ask questions about our security architecture:

[email protected]

We respond to all security inquiries within one business day. For urgent security issues, please include "Security" in the subject line.