
Security

Security posture overview, vulnerability reporting process, and responsible disclosure policy for the Clinical Temporal Decision Engine.

Security Posture

The Clinical Temporal Decision Engine is deployed on Azure with defense-in-depth security controls. The current security foundation includes:

Transport Security

HTTPS/TLS on all endpoints. HSTS enforced. FTPS disabled. HTTPS Only enforced at App Service level.

Secrets Management

Azure Key Vault with Managed Identity — no long-lived credentials in configuration or environment variables.

Identity

Managed Identity for service-to-service authentication. No shared secrets between services.

CI/CD Security

GitHub Actions with OIDC authentication to Azure. No service principal secrets in CI/CD pipelines.

Telemetry Safety

Patient-level data never enters logs or monitoring streams. PHI-aware observability boundaries enforced.

Access Control

Per-tenant API keys. Constant-time key comparison. Microsoft 365 Security Defaults and MFA enabled for tenant access.
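To illustrate the per-tenant key check described above, here is an added example (not the engine's own code) that assumes a Python service keeping only SHA-256 digests of tenant keys in a dictionary named TENANT_KEY_HASHES; the tenant ids and key strings are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: each tenant's API key is kept only as a SHA-256
# hex digest, never in plaintext. The key strings below are fixed so the
# example runs offline; a deployment would issue them via issue_api_key().
TENANT_KEY_HASHES = {
    "tenant-a": hashlib.sha256(b"example-key-for-tenant-a").hexdigest(),
    "tenant-b": hashlib.sha256(b"example-key-for-tenant-b").hexdigest(),
}


def _digest(key: str) -> str:
    """Hash the key to a fixed-length hex string before any comparison."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_api_key(tenant_id: str) -> str:
    """Generate a fresh random key for a tenant and store only its digest."""
    key = secrets.token_urlsafe(32)
    TENANT_KEY_HASHES[tenant_id] = _digest(key)
    return key  # shown to the tenant once; not retained in plaintext


def verify_api_key(tenant_id: str, presented_key: str) -> bool:
    """Accept the request only if presented_key matches tenant_id's stored key.

    The tenant is identified by the caller (header, path, etc.), so the
    lookup is by tenant id, never by key value. Hashing first makes both
    operands the same length, and hmac.compare_digest then runs in time that
    does not depend on how many leading characters match.
    """
    presented = _digest(presented_key)
    stored = TENANT_KEY_HASHES.get(tenant_id)
    if stored is None:
        # Unknown tenant: do a comparison anyway so this branch costs about
        # the same as a known tenant, then reject.
        hmac.compare_digest(presented, presented)
        return False
    return hmac.compare_digest(stored, presented)


def naive_verify_api_key(tenant_id: str, presented_key: str) -> bool:
    """The pattern the posture avoids: == stops at the first differing
    character, so response timing can leak how much of the digest matched."""
    return TENANT_KEY_HASHES.get(tenant_id) == _digest(presented_key)
```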

Dependency Security

pip-audit with allowlist-based CI gating. Pre-commit hooks including bandit SAST. CodeQL analysis on PRs.

Always On / Health Checks

App Service Always On enabled. Health endpoint monitoring active. Auto-heal and restart configured.

This security posture is configured and operational. It is not a certification or compliance statement. No SOC2, HIPAA, HITRUST, or ISO certification is claimed.

Vulnerability Reporting

If you discover a security vulnerability in the Clinical Temporal Decision Engine, please report it responsibly.

Reporting Email: security@socialrightlabs.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Affected component(s) and version(s)
  • Any proof-of-concept or exploit details
  • Your contact information for follow-up

What to expect:

  • Initial acknowledgment within 5 business days (target; not an SLA commitment)
  • Status updates as investigation progresses
  • Coordinated disclosure timeline agreed with reporter
  • Credit in release notes (with reporter's permission)

We do NOT currently offer a bug bounty program. Do not attempt to access, modify, or exfiltrate real patient data — the system uses synthetic data in all environments.

Responsible Disclosure Process

Phase          | Action                          | Timeline
1. Report      | Reporter submits via security@  | Immediate
2. Acknowledge | Team confirms receipt           | Target 5 business days
3. Triage      | Assess severity and scope       | Based on severity
4. Fix         | Develop and test remediation    | Based on complexity
5. Release     | Deploy fix, notify reporter     | Coordinated with reporter
6. Disclosure  | Publish advisory if warranted   | After fix deployed

Timelines are targets, not guarantees. Severity classification determines priority. Critical vulnerabilities are addressed before lower-severity issues.

Demonstrations use synthetic data only. No real patient data is used in development, testing, or demonstration.

Not a medical device. Does not diagnose, treat, or prescribe. Outputs are clinical decision support, not medical advice.

Not HIPAA, FDA, SOC2, or ISO certified. Compliance program is planned.


© 2026 SocialRightLabs. All rights reserved.