Security policy

Security and access

Last updated: March 2026 · ← Back to Security
Contents
Infrastructure Authentication Role-based control File security Incidents Shared responsibility

Security infrastructure

The TrazaLab platform runs on dedicated infrastructure with the following security measures implemented across every layer of the system:

  • All communication between the browser and our servers is encrypted with HTTPS/TLS
  • Data at rest is stored with AES-256 encryption on Cloudflare R2
  • Passwords are never stored in plain text — we use bcrypt hashing with a random salt
  • Session tokens are unique, signed, and automatically expire
  • The application code is not publicly exposed on the server
TrazaLab security was designed as a system requirement, not an add-on feature. There is no "test mode" with real data, and no development environments that share a database with production.

Authentication and sessions

  • Every user has unique credentials. No shared access by generic role
  • Sessions expire automatically after extended inactivity
  • Repeated failed login attempts trigger a temporary account lock
  • The doctor portal and the lab portal are separate authentication environments
  • Password changes require email verification

Role-based access control

Data access in TrazaLab is defined by the role assigned to each user. No role can access data outside its defined scope, even if it knows the URL or resource ID.

RoleCasesMessagesFilesDashboardUsers
LabAll their ownTheir threadsTheir casesTheir lab
DoctorOwn onlyOwn onlyOwn only
AdminOverviewNo contentNo contentGlobalManagement
TrazaLab team

The TrazaLab team has no access to case content, messages, or clinical files. When technical support requires access to specific data, it requires a documented request and explicit authorization from the account holder.

Clinical file security

  • Files are stored on Cloudflare R2 under unpredictable paths that are not publicly accessible
  • Access to every file is validated against an active session and membership in the relevant case
  • Files cannot be accessed directly by URL without an active authenticated session
  • Allowed file types are validated on the server, not only on the client
  • Uploaded files are scanned before being stored

Incident response

If we detect a vulnerability or security breach that affects user data:

  • Affected labs and doctors will be notified within 24 hours of detection
  • We will publish an incident report covering cause, scope, and steps taken
  • To report vulnerabilities: [email protected]

Shared responsibility

TrazaLab guarantees the security of the infrastructure, the code, and the data we store. Your responsibility as a user includes:

  • Keeping your credentials confidential and not sharing them with third parties
  • Logging out when you use shared devices
  • Reporting any suspicious activity on your account immediately
  • Not sharing clinical files outside the platform through insecure channels