Security
The controls below are what actually runs in production — not aspirations.
Every clinic's data lives behind its workspace boundary. Access checks run on every request, and a second, automatic database-layer filter scopes every query to your clinic — so even a hypothetical application bug cannot read another workspace's rows.
All traffic is TLS-encrypted (HSTS enforced). Data is stored on infrastructure with encryption at rest; high-sensitivity secrets such as two-factor keys carry an additional layer of AES-256-GCM application-level encryption.
Any user can protect their account with TOTP two-factor authentication (Google Authenticator, 1Password, Authy) plus single-use recovery codes. Secrets are never stored in plain text.
Five roles (Owner, Admin, Manager, Member, Viewer) gate every action in the product, from billing to document management. Permission checks run server-side on every mutation.
Sessions expire after 45 minutes of inactivity and are capped at 7 days. Changing your password — or using “sign out everywhere” — immediately invalidates every other device. Admins can revoke a team member's sessions.
Passwords are stored with bcrypt. New passwords must be at least 12 characters and are checked against known breach corpuses (via k-anonymity — your password never leaves our servers). Sign-in attempts are rate-limited per account and per network.
Files live in a private storage bucket, are namespaced per clinic, and are served only through 60-second signed URLs generated server-side after a tenant check. Every download is written to the audit log with user, document, time, and IP.
Sign-ins, permission changes, document activity, and every significant workspace action are recorded in an audit log your admins can review at any time.
TrialWave stores aggregate, de-identified population data only — never individual patient records or PHI. Free-text fields carry PHI reminders, and our terms prohibit entering patient-level data.
Strict Content-Security-Policy, HSTS with preload, X-Frame-Options DENY, and rate limiting are enforced platform-wide. Payments are processed by Stripe — card data never touches our systems.
TrialWave is a business-development workflow tool, not a clinical or compliance system — it is not certified for HIPAA, FDA 21 CFR Part 11, or GCP validation and does not store patient records. See our Privacy Policy, Terms, and DPA.
Security question or something to report? Email elijah@trialwave.org.