Trust & Security

Scriptlane’s security posture.

The broker posture is the product. Every design decision is oriented around keeping PHI out of our systems and keeping partners in control of their data and their contracts.

Summary

  • No PHI received, stored, or transmitted
  • BAA-ready where incidental obligations apply
  • Append-only audit logs, 7-year retention
  • Aggregate-only results with cell-size floor
  • DUAs on every downstream activation partner
  • KMS-backed Match Filter with per-tenant key derivation
  • 42 CFR Part 2 categories explicitly out of scope

How data moves

PHI stays at the partner. Only aggregate counts come back.

Scriptlane sends a normalized, non-identifying query to each partner adapter. The partner returns cell-size-floored counts that are deny-list validated at the boundary before they ever touch our systems.

Data-flow diagram (zero PHI):

Operator (pharma · CRO · device)
  Authors a scoping brief in the Scriptlane console: therapy area, drug codes, inclusion criteria, activation partner.
  Output: brief.json · no identifiers

Scriptlane (broker · adapter fan-out)
  • Normalizes the brief into a typed query.
  • Fans it out across signed adapters in parallel.
  • Validates every response against a PHI deny list.
  • Persists aggregates only - append-only audit log.

Partner adapters (PHI stays inside)
  Each partner runs the query against its own system of record and returns cell-size-floored counts. Identifiers never cross the line.
  Adapter 1 - signed · Adapter 2 - signed · Adapter 3 - signed · Adapter 4 - quoted

Validation at the Scriptlane boundary
  Every adapter response is checked before it crosses into our systems. Anything that looks like an identifier is rejected at the edge, not quarantined later.
  Checks applied: PHI deny-list · cell-size floor · schema validated

Legend: outbound query, then aggregate response. No PHI · append-only audit · 7y retention.

Technical & organizational controls

Aggregate-only architecture

Every EHR adapter response is validated against a PHI field-name deny list before it crosses our boundary. Results are cell-size floored at the portal layer and re-validated at persistence.

Encryption

TLS 1.2+ in transit on every endpoint. Database encryption at rest via Supabase (AES-256). Secrets managed via Vercel encrypted environment variables.

Authentication

Magic-link sign-in via Supabase Auth. No passwords stored. Session cookies HttpOnly + Secure + SameSite=Lax. Operator access gated by an explicit email allowlist.

Authorization

Operator vs. scoper roles are enforced in middleware on every request. Scope tenancy is enforced per-org in the repository layer - reads are scoped by org_id, and writes include the org_id at insert.

Audit logging

Every mutation (query, scoping, lead, plan change) is recorded to an append-only audit stream with actor, timestamp, entity, and payload. Retained 7 years.

Minimum cell size

Query responses below the minimum cell-size threshold are ceilinged before they return. Enforced at the adapter boundary and re-validated before persistence.
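The boundary validation described under "Aggregate-only architecture" and "Minimum cell size" above, as an added example (this is not Scriptlane's code): a deny list on field names at any depth, schema checks, and a cell-size floor applied before anything is persisted. The deny-list entries, the threshold of 11 and the response shape are assumptions made for the example.

```python
from typing import Any, Iterator

# Constructed deny list of PHI-looking field names; Scriptlane's real list is not on the page.
PHI_DENY_LIST = frozenset({
    "patient_id", "mrn", "ssn", "dob", "date_of_birth", "first_name",
    "last_name", "name", "email", "phone", "address", "zip", "zip_code",
})
MIN_CELL_SIZE = 11  # assumed threshold; the page does not state the number


class BoundaryRejection(ValueError):
    """Raised when an adapter response fails validation at the edge."""


def _walk_keys(obj: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (path, key) for every key at any depth, so nested identifiers are caught too."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            sub = f"{path}.{k}" if path else str(k)
            yield sub, str(k)
            yield from _walk_keys(v, sub)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk_keys(v, f"{path}[{i}]")


def validate_adapter_response(resp: Any, min_cell: int = MIN_CELL_SIZE) -> dict:
    """Reject or sanitize one adapter response; only the returned aggregate may be persisted."""
    # 1. Schema: exactly {"cells": [{"cohort": str, "count": int}, ...]}.
    if not isinstance(resp, dict) or not isinstance(resp.get("cells"), list):
        raise BoundaryRejection("schema: expected {'cells': [...]}")
    # 2. Deny list: a PHI-looking field name anywhere in the payload is a hard reject,
    #    not a strip-and-continue, so nothing identifying is ever held for quarantine.
    for path, key in _walk_keys(resp):
        if key.lower() in PHI_DENY_LIST:
            raise BoundaryRejection(f"deny-list field at {path}")
    # 3. Cell-size floor: cells under the threshold are suppressed before they return.
    cells = []
    for cell in resp["cells"]:
        if (not isinstance(cell, dict) or set(cell) != {"cohort", "count"}
                or not isinstance(cell["count"], int) or cell["count"] < 0):
            raise BoundaryRejection("schema: cell must be {'cohort': str, 'count': int}")
        below = cell["count"] < min_cell
        cells.append({"cohort": str(cell["cohort"]),
                      "count": None if below else cell["count"],
                      "below_floor": below})
    return {"cells": cells}
```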

Secret rotation

API keys rotated on role transition; Stripe and Supabase keys rotated at minimum annually or on any suspected exposure.

Backups

Point-in-time recovery enabled on the Supabase Postgres cluster. 7-day rolling restore window.

HIPAA posture

Scriptlane is not a Covered Entity under HIPAA and does not receive, create, maintain, or transmit PHI on behalf of a Covered Entity under its default architecture. A Business Associate Agreement is available for execution where a counterparty determines one is operationally required; see the BAA statement.

Scriptlane explicitly excludes behavioral-health and substance-use-disorder data subject to 42 CFR Part 2.

Subprocessors

Scriptlane uses the following subprocessors, each contractually bound to protect customer data:

Vendor: Vercel Inc.
  Purpose: Hosting, edge network, serverless runtime
  Region: United States
  Data: Request metadata, server-side logs; no application data stored at rest.

Vendor: Supabase Inc.
  Purpose: Postgres database, authentication, object storage
  Region: United States (us-east-1)
  Data: Account, scoping, and audit records.

Vendor: Amazon Web Services, Inc.
  Purpose: Match Filter - AWS Lambda worker + KMS HMAC key for per-tenant key derivation
  Region: United States (us-east-1)
  Data: Uploaded NPI lists are processed in-memory inside Lambda for the duration of one request, then dropped; only the derived MAC tokens are intersected. Nothing is stored at rest. Every key derivation is logged to CloudTrail.

Vendor: Stripe, Inc.
  Purpose: Payment processing, subscription billing
  Region: United States
  Data: Payment method, billing email; Stripe is PCI-DSS Level 1 certified.

Vendor: Resend, Inc.
  Purpose: Transactional email delivery
  Region: United States
  Data: Recipient address, message body for auth / notifications / invites.

We notify customers at least 30 days before adding or replacing a subprocessor.

Incident response

  1. Detect. Vercel and Supabase provider alerts, plus application-level audit log anomalies, feed a single response channel.
  2. Contain. Impacted credentials or access tokens are rotated immediately. Affected routes are disabled via middleware if necessary.
  3. Assess. A root-cause analysis is written within 72 hours of detection, including scope, data categories involved, and remediation.
  4. Notify. Affected customers are notified in writing without unreasonable delay and no later than 60 calendar days from detection, with details of the incident and remediation.
  5. Remediate. Controls are revised and audited against the incident RCA. The RCA is added to an internal register.

Match Filter posture

Scriptlane’s Match Filter lets customers upload a target NPI list and cross it against a cohort without exposing the list to EHR partners or storing NPIs at rest. The HMAC root material lives in AWS KMS; per-tenant MAC keys are derived at request time via kms:GenerateMac, every derivation is logged to CloudTrail, and the parsed list is dropped from process memory before the request returns. The detailed posture - what we persist, what we never persist, the deny-list at ingest, and BYOK options for enterprise customers - is documented separately.
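The Match Filter flow above, as an added example that is not Scriptlane's code: per-tenant key derivation, NPI validation at ingest, keyed tokenization, token-only intersection, and clearing the parsed list before the request returns. A local HMAC-SHA256 stands in for kms:GenerateMac so it runs offline, and the derivation scheme (tenant key = MAC over the tenant id) and the in-memory cohort are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable

# Root MAC material. In the real design this never leaves KMS; here it is a constructed
# in-process secret so the example runs offline.
_ROOT_KEY = secrets.token_bytes(32)


def kms_generate_mac(key: bytes, message: bytes) -> bytes:
    """Local stand-in for kms:GenerateMac with HMAC_SHA_256 (the real call is CloudTrail-logged)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def tenant_mac_key(tenant_id: str) -> bytes:
    """Per-tenant key derived from the root at request time (assumed derivation scheme)."""
    return kms_generate_mac(_ROOT_KEY, b"tenant:" + tenant_id.encode())


def is_valid_npi(npi: str) -> bool:
    """10 digits whose Luhn check digit is computed over the 80840 prefix (NPI rule)."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize(tenant_id: str, npis: Iterable[str]) -> set[bytes]:
    """Malformed entries are dropped at ingest; valid NPIs become tenant-scoped MAC tokens."""
    key = tenant_mac_key(tenant_id)
    return {kms_generate_mac(key, n.encode()) for n in npis if is_valid_npi(n)}


def match_count(tenant_id: str, uploaded: list[str], cohort_npis: list[str]) -> int:
    """Intersect tokens only. Both parsed lists are cleared before this returns, so no NPI
    list outlives the request; only the count (an aggregate) goes back to the caller."""
    target = tokenize(tenant_id, uploaded)
    uploaded.clear()
    cohort = tokenize(tenant_id, cohort_npis)
    cohort_npis.clear()
    return len(target & cohort)
```

The same NPI produces a different token under each tenant key, so one tenant's tokens cannot be intersected against another's.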

Compliance roadmap

  • Match Filter is deployed against an AWS KMS-backed worker with per-tenant key derivation (kms:GenerateMac) and CloudTrail audit on every call. See the whitepaper for the full architecture.
  • Customer-facing audit dashboard surfaces every match upload, intersection, view, and discard event in-product - with full CSV export and seven-year retention.
  • SOC 2 Type I engagement scheduled with a leading attestation vendor.
  • Annual third-party penetration test scheduled ahead of the first production customer onboarding.
  • Cyber liability and E&O insurance in place via BID Partners LLC.
  • Bring-your-own KMS key (BYOK) available for enterprise customers - point Match Filter at a customer-managed key in your own AWS account.

Reporting and contact

To report a suspected vulnerability or incident, or to request the BAA / DPA templates, email ben@scriptlanedata.com. We aim to acknowledge security inquiries within one business day.