Security at MedicsCRM
Last updated: 1 July 2026
Tenant isolation
Every record in MedicsCRM is scoped to a single clinic and protected by PostgreSQL row-level security enforced at the database layer. A clinic's staff can only ever read or write their own clinic's data — this isolation cannot be bypassed from the application.
Encryption
All traffic is encrypted with TLS 1.2+. Data is encrypted at rest using AES-256. Uploaded documents and generated quotes are stored in private buckets accessible only to the owning clinic.
Access control
Accounts are invite-only, with role-based access (owner, manager, receptionist, doctor, finance) limiting what each team member can see and do. Sessions use short-lived tokens with secure, httpOnly cookies.
Infrastructure
MedicsCRM runs on Vercel and Supabase in EU data centers, inheriting SOC 2-audited physical and network security. Secrets are stored in managed environment configuration, never in code.
AI safety
The AI assistant only answers from your clinic's approved procedure library and knowledge base. It is instructed never to provide medical advice or diagnosis, and every AI message is clearly labeled and can be paused by staff at any moment.
Responsible disclosure
Found a vulnerability? Email security@medicscrm.com. We acknowledge reports within 48 hours and do not pursue good-faith researchers.