Last updated: March 2026
AES-256 GCM at rest (Cloudflare R2, automatic). TLS 1.3 in transit for all connections. No data stored in plain text at any point in the chain.
Every file uploaded to TrazaLab — shade photos, STL scans, voice notes, Digital Rx data — is encrypted before it reaches storage. The encryption is handled at the infrastructure level by Cloudflare R2, which means it is not optional, not configurable, and not possible to bypass. There is no unencrypted path through the system.
In transit, all connections use TLS 1.3 — the current standard for transport encryption. This applies to browser sessions, API calls, file uploads (via tus.io), and WhatsApp Bridge notifications. Older protocols (TLS 1.0, 1.1, 1.2) are not accepted.
Three access levels: lab technician, clinic admin, and doctor. Each role has per-case configurable permissions. Visibility is restricted by design.
Lab technicians see only the cases assigned to their lab. They can view files, messages, and Rx data for those cases. They cannot see cases from other labs or other clinics connected to the platform.
Clinic admins see all cases from their clinic across all doctors and labs. They coordinate workflow, manage deadlines, and route cases. They cannot modify clinical prescriptions.
Doctors see only their own cases. They cannot see cases from other doctors in the same clinic. They have full control over their clinical data, including the ability to export everything at any time.
This isolation is enforced at the database query level — it is not a UI filter that could be bypassed. A user cannot request data they are not authorized to see, even through the API.
Any user's access can be revoked instantly. Upon revocation, the user loses visibility into all associated cases and files. Data never resides on the user's device — TrazaLab is a web application with no local data cache.
When a doctor leaves a clinic or a lab technician changes jobs, the account owner revokes their access with one action. The revocation is immediate — there is no propagation delay. The revoked user's past actions remain in the audit log for accountability.
Every action is logged with timestamp, user, action type, and affected resource. Logs are exportable for external audits.
The audit log captures: case creation, file uploads, file downloads, message sends, Rx modifications, approval actions, status changes, access grants, and access revocations. Each entry includes the user ID, IP address, action type, target resource, and UTC timestamp.
Audit logs cannot be modified or deleted by any user, including account owners. They are designed to provide an immutable record of all platform activity for compliance and dispute resolution.
Cloudflare R2 for storage (automatic global replication). tus.io for resumable uploads. OpenAI Whisper API for transcription.
Cloudflare R2 stores data across multiple geographic locations with automatic replication. The specific replication strategy is managed by Cloudflare's infrastructure — TrazaLab does not control which data centers receive copies, but all copies are encrypted at rest.
Voice notes processed by OpenAI Whisper API are transmitted over encrypted connections. The audio is used solely for transcription and is not retained by OpenAI for training purposes, per their API data usage policy.
WhatsApp notifications are sent through the official WhatsApp Business API. Message content is limited to notification triggers (case status changes, approval requests) — clinical data and files are never transmitted through WhatsApp.
TrazaLab maintains an incident response protocol for security events. If a data breach or unauthorized access is detected, affected users are notified within 72 hours with details about the scope, impact, and remediation steps taken.
The platform uses Cloudflare's DDoS protection and WAF (Web Application Firewall) to mitigate common attack vectors. Rate limiting is applied to API endpoints to prevent brute-force attempts.
TrazaLab is designed to support compliance with data protection regulations including GDPR and Mexico's Ley Federal de Proteccion de Datos Personales (LFPDPPP). The platform implements technical controls — encryption, access control, audit logging, data export, and access revocation — that align with the security requirements of these frameworks.
TrazaLab does not currently hold SOC 2, ISO 27001, or HIPAA certifications. We disclose this transparently because we believe honest communication about our security posture builds more trust than overclaiming. The technical controls described on this page are verifiable and auditable.
To report security vulnerabilities: [email protected]
We take all reports seriously and respond within 48 hours. If a reported vulnerability is confirmed, we will credit the reporter (unless they prefer anonymity) and provide a timeline for remediation.