Security at RxReport
A summary of the controls that protect the RxReport platform and the data our customers entrust to us.
Infrastructure
RxReport runs on modern, SOC-2-compliant cloud infrastructure. The application is deployed as code with automated CI/CD, reviewed before release, and observable in production. Infrastructure is reproducible and the attack surface is kept intentionally small.
Encryption
- In transit. All traffic to and from RxReport is encrypted with TLS 1.2 or higher. HTTP is redirected to HTTPS.
- At rest. Customer data is stored in managed data stores with encryption at rest enabled and provider-managed keys.
- Secrets. API keys, tokens, and credentials are stored in a dedicated secret store, never in source control.
Access control
- Least-privilege access for employees; production access limited to the engineers who need it.
- Single sign-on with enforced multi-factor authentication for internal tools.
- Audit logs of access to production systems, retained for review.
Application security
- Code review required for every production change.
- Automated dependency scanning and patching for known vulnerabilities.
- Secure defaults: parameterized queries, output encoding, strict CSPs where feasible, and modern framework protections against common web vulnerabilities.
Monitoring and response
We monitor the platform for availability, errors, and anomalous access patterns. Security-relevant events generate alerts that reach an on-call engineer. We maintain an incident response process and will notify affected customers without undue delay in the event of a confirmed incident involving their data, consistent with our contractual and legal obligations.
Data minimization
We collect only what we need to run the Service. Formulary source data we process is public. For any Protected Health Information a customer chooses to integrate, a Business Associate Agreement is required before onboarding.
Backups and availability
Customer data is backed up on a regular schedule with periodic restoration tests. Backups are encrypted and retained for a defined period before secure deletion.
Employees and vendors
- Background checks for employees with production access.
- Signed confidentiality agreements for all personnel.
- Security review of vendors and sub-processors that handle customer data.
Responsible disclosure
If you believe you've found a security vulnerability in RxReport, we want to hear from you. Please email security@rxreport.com with details and steps to reproduce. We will acknowledge your report promptly, investigate in good faith, and keep you informed of our progress. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it, and that you avoid accessing or modifying data that isn't yours while testing.
Enterprise due diligence
Customers evaluating RxReport at the enterprise level can request our current security package — including sub-processor list, architecture overview, and questionnaire responses — under NDA. Email security@rxreport.com.