Security

Enterprise-Grade Security for Your Data

We take the security of your product data, formulations, and analysis results seriously. Here's how we protect your information at every layer.

Infrastructure

Security at every layer

Encrypted in Transit

TLS 1.3 for all connections. HTTPS everywhere, no exceptions. All API communication between services uses encrypted channels.

Encrypted at Rest

AES-256 encryption for all stored data via Supabase. Your product formulations, analysis results, and account data are encrypted on disk.

Row-Level Security

PostgreSQL RLS policies ensure users can only access their own data. Even if a query is misconfigured, the database enforces access boundaries.
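The policy set below is an added illustration of the Supabase-style row-level security described above, not this platform's own schema; the table and column names (analysis_results, owner_id) are assumed, while auth.uid() is Supabase's helper that returns the caller's JWT subject.

```sql
-- Assumed table; the real schema is not on this page.
create table if not exists analysis_results (
  id        bigint generated always as identity primary key,
  owner_id  uuid not null default auth.uid(),  -- Supabase: caller's JWT "sub"
  product   text not null,
  dossier   jsonb not null
);

-- 1. Turn RLS on. Until this runs, policies are never consulted and any
--    role with SELECT on the table sees every row.
alter table analysis_results enable row level security;
-- FORCE applies the policies to the table owner as well, so a server-side
-- connection that happens to run as the owner does not bypass them.
alter table analysis_results force row level security;

-- 2. Scope reads to the caller's own rows.
create policy "owner can read own results"
  on analysis_results for select
  to authenticated
  using (owner_id = auth.uid());

-- 3. Scope writes too; WITH CHECK rejects any insert or update that would
--    produce a row owned by someone other than the caller.
create policy "owner can insert own results"
  on analysis_results for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "owner can update own results"
  on analysis_results for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- A misconfigured query that forgets its WHERE clause, run as an
-- authenticated user, still returns only that user's rows because the
-- planner ANDs the policy's USING expression into every statement:
--   select product from analysis_results;
-- The anon role matches no policy here, so a SELECT returns zero rows
-- rather than leaking data.
```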

SOC 2 Type II

Compliance is inherited from our infrastructure providers: Supabase, Railway, and Vercel all maintain SOC 2 Type II certification.

Data Handling

What we collect and how we handle it

What we collect

  • Product labels and supplement facts panels
  • Ingredient names, doses, and forms
  • Marketing claims from product pages
  • Analysis results and evidence dossiers
  • Account information (name, email, company)

What we don't collect

  • Payment card numbers (Stripe handles all payment data)
  • Personal health data or medical records
  • Social Security numbers or government IDs
  • Browsing history outside our platform

Data Retention

Analysis results and dossiers are stored for the duration of your active account. Upon account deletion, all associated data is permanently removed within 30 days.

Data Deletion

You can request full deletion of your data at any time by contacting us. Deletion requests are processed within 30 days and include all product data, analysis results, and account information.

Access Control

Authentication and authorization

  • Supabase Auth with email/password authentication
  • Server-side session validation using getUser (not getSession) to prevent token spoofing
  • API authentication via JWT tokens with short expiration windows
  • No shared credentials or API keys exposed in client-side code

Third-Party Services

Our infrastructure partners

Service | Purpose | Compliance
Supabase | Database & Auth | SOC 2 Type II
Railway | Compute & Workers | SOC 2 Type II
Vercel | Frontend Hosting | SOC 2 Type II
Stripe | Payment Processing | PCI DSS Level 1
Anthropic | AI Processing | Enterprise Data Handling
Sentry | Error Tracking | No PII in Reports

Responsible AI

How we use AI responsibly

Narrative Only, Never Scores

AI agents generate qualitative analysis and narrative summaries. All numeric scores are computed by deterministic Python code with fixed, auditable formulas.

Hallucination Verification

Every citation produced by our AI agents is verified against PubMed. Fabricated PMIDs are automatically detected and filtered before they reach your dossier.

No Training on Your Data

Your product data is never used to train AI models. We use the Anthropic API with enterprise data handling policies that prohibit model training on customer inputs.

Pinned Model Versions

We pin specific model versions (e.g., claude-haiku-4-5-20251001) for reproducibility. Your analysis results are consistent and auditable over time.

Contact

Report a security concern

If you've discovered a security vulnerability or have concerns about our data handling practices, please reach out. We take every report seriously and respond within 24 hours.

Responsible Disclosure

We ask that you give us reasonable time to address any vulnerabilities before public disclosure. We commit to acknowledging your report within 24 hours and providing a timeline for remediation within 72 hours.
