This site is currently implementing core features and is not ready for patient use yet.

Security

How Medova protects your data — encryption, authentication, GDPR compliance, and infrastructure security.

Updated 4/16/2026 | v1 | Machine translated

Medova takes the security of your data seriously. This page describes our security practices, authentication mechanisms, and compliance posture.

Authentication

API Keys

API access is authenticated via Bearer tokens. Keys are scoped per environment:

  • Live keys (sk_live_...) — access production data
  • Test keys (sk_test_...) — access sandbox data, no billing impact

Keys are hashed (SHA-256) at rest. The plaintext key is shown once at creation and cannot be retrieved.
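
One way to implement the key handling described above, as an added example that is not Medova's own code. The `KEY_STORE` dictionary, the function names and the 32-byte key length are assumptions; only the `sk_live_` / `sk_test_` prefixes, the Bearer scheme and SHA-256 come from this page.

```python
import hashlib
import secrets

# Assumed key prefixes per environment, taken from the list above.
PREFIXES = {"live": "sk_live_", "test": "sk_test_"}

# Hypothetical stand-in for the database table: SHA-256 hex digest -> record.
# The plaintext key is never written here.
KEY_STORE = {}


def digest(key: str) -> str:
    # Unsalted SHA-256 is adequate only because the key is a long random
    # value; it would not be adequate for user-chosen passwords.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_key(environment: str, owner: str) -> str:
    """Create a key, store only its digest, and return the plaintext once."""
    key = PREFIXES[environment] + secrets.token_urlsafe(32)
    KEY_STORE[digest(key)] = {"owner": owner, "environment": environment}
    return key


def authenticate(authorization_header: str, environment: str):
    """Return the key record for a valid Bearer token, otherwise None."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    # A test key must never unlock production, and vice versa.
    if not token.startswith(PREFIXES[environment]):
        return None
    # Lookup is by digest, so the server never compares plaintext keys.
    record = KEY_STORE.get(digest(token))
    if record is None or record["environment"] != environment:
        return None
    return record


if __name__ == "__main__":
    key = issue_key("test", "constructed-clinic")  # constructed sample owner
    print("shown once:", key)
    print("stored:", list(KEY_STORE))
    print("auth ok:", authenticate("Bearer " + key, "test") is not None)
```

Because only the digest is stored, a lost key cannot be recovered from the store and has to be replaced with a newly issued one.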

User Authentication

User-facing authentication uses Supabase Auth with:

  • JWT tokens (3600s expiry, auto-refresh)
  • Session timeout: 30 minutes inactivity / 12 hours absolute
  • Role-based access control (patient, clinic, moderator, admin)

Encryption

In Transit

All traffic is encrypted via TLS 1.3. HSTS is enabled with a 1-year max-age. Cloudflare provides edge SSL termination.

At Rest

The database is encrypted with AES-256 (Supabase managed). Backups are encrypted. Sensitive fields (API keys, tokens) are additionally hashed.

Infrastructure

  • Hosting: Hetzner dedicated server (Germany, EU jurisdiction)
  • CDN: Cloudflare (DDoS protection, WAF, bot management)
  • Database: Supabase PostgreSQL with Row-Level Security (858+ RLS policies)
  • Secrets: Supabase Vault for sensitive configuration

Rate Limiting

Upstash Redis-backed rate limiting protects all endpoints:

  • Per-key limits based on plan tier
  • Global abuse detection
  • Automatic temporary bans for sustained abuse

Data Protection & GDPR

  • Data processed and stored in the EU (Germany)
  • GDPR-compliant data processing agreements with all sub-processors
  • Data subject rights (access, deletion, portability) supported via dashboard
  • Analytics data retained for 90 days
  • No Meta Pixel or third-party tracking that transfers data outside EU

Security Headers

All responses include:

  • Content-Security-Policy — strict CSP with nonce-based script loading
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy — restricted camera, microphone, geolocation

Incident Response

We maintain documented incident response procedures aligned with ISO 27001:

  • 72-hour GDPR breach notification commitment
  • 4-tier severity classification
  • Post-incident review and public status page updates

Reporting Vulnerabilities

If you discover a security vulnerability, please report it to security@medova.health. We aim to acknowledge reports within 24 hours and resolve critical issues within 72 hours.

Compliance

Standard       | Status
GDPR / DSGVO   | Compliant
ISO 27001      | In progress (target: 2026-12)
SOC 2 Type II  | Planned (2027)