Security at MedicsCRM

Last updated: 1 July 2026

Tenant isolation

Every record in MedicsCRM is scoped to a single clinic and protected by PostgreSQL row-level security enforced at the database layer. A clinic's staff can only ever read or write their own clinic's data — this isolation cannot be bypassed from the application.

Encryption

All traffic is encrypted with TLS 1.2+. Data is encrypted at rest using AES-256. Uploaded documents and generated quotes are stored in private buckets accessible only to the owning clinic.

Access control

Accounts are invite-only, with role-based access (owner, manager, receptionist, doctor, finance) limiting what each team member can see and do. Sessions use short-lived tokens with secure, httpOnly cookies.

Infrastructure

MedicsCRM runs on Vercel and Supabase in EU data centers, inheriting SOC 2-audited physical and network security. Secrets are stored in managed environment configuration, never in code.

AI safety

The AI assistant only answers from your clinic's approved procedure library and knowledge base. It is instructed never to provide medical advice or diagnosis, and every AI message is clearly labeled and can be paused by staff at any moment.

Responsible disclosure

Found a vulnerability? Email security@medicscrm.com. We acknowledge reports within 48 hours and do not pursue good-faith researchers.