Six things your IT and compliance folks will ask about, all running in production today.
Every account needs a passkey or authenticator. No exceptions, no off switch.
Data is isolated per organization, enforced in code. Blocked attempts are recorded.
Sign-ins, sensitive views and changes: append-only, searchable, exportable.
Off-site within ~1 second, 30-day point-in-time restore, auto-validated daily.
HTTPS-only with HSTS and DNSSEC; sensitive fields encrypted at rest.
CSP, CSRF, clickjacking and SSRF protection on every request. DEA numbers stay private to each physician.