How OncoSource Protects Competitive Pricing Intelligence
Purpose-built for the security requirements of PE-backed medical device companies. Every layer of the platform is designed to protect the data that matters most — backed by continuous security operations from our cybersecurity partner, Hiro.
Last updated: April 2026
HIPAA Compliance by Design
OncoSource is architecturally designed to never receive, store, or process Protected Health Information (PHI).
The platform handles exclusively procurement data: product SKUs, pricing, quantities, and purchase orders. No patient names, medical record numbers, diagnoses, treatment plans, or clinical data ever enters the system.
Data Isolation & Multi-Tenancy
Every database table is scoped by organization. Row-Level Security (RLS) policies are enforced at the PostgreSQL level — not in application code. Data isolation cannot be bypassed even with direct database access.
AI Security Operations — Hiro
OncoSource is monitored by Hiro, an AI-powered security analyst that investigates alerts, correlates data across our security stack, and delivers actionable findings 24/7.
Hiro's founding team includes infrastructure engineers who kept Uber's platform running at global scale — the same operational discipline is now applied to automated security operations for healthcare technology.
Hiro acts as a tireless Tier-1 analyst — automatically investigating security detections, correlating endpoint alerts with cloud activity, and delivering clear verdicts with evidence. Investigations that took 30-60 minutes happen in seconds.
Connects the dots across our entire stack — CrowdStrike endpoint detection, AWS CloudTrail, Okta identity, Slack, Vercel deployments, Supabase database security, and GitHub. No alert exists in isolation.
Maps human identities to their cloud sessions, SSO logins, and service accounts across the environment. Tracks over-privileged IAM roles and detects suspicious access patterns.
Continuously audits Supabase RLS enforcement, auth config, storage bucket exposure, branch protections, SSL enforcement, and IAM hygiene. Hiro remembers organizational context — accepted risks, architecture patterns, and known-good behaviors.
Hiro doesn't just detect — it fixes. From enabling database row-level security to opening pull requests for code vulnerabilities, updating auth configs, and making storage buckets private, Hiro takes action with human approval — closing the loop between detection and resolution.
Pricing Data Protection
Competitive pricing intelligence is protected by a three-layer defense system.
PostgreSQL RLS policies ensure competitive intel tables are accessible only to CQ admin roles. Even with a valid user token, buyer accounts cannot query this data.
Server-side middleware verifies role and MFA status before rendering any admin page. Unauthorized users are redirected before sensitive data is fetched.
Invoice analysis writes competitive intel using a privileged service role. The authenticated buyer's token cannot read back that data.
Authentication & Access Control
Defense-in-depth authentication with server-side MFA enforcement, invite-only admin provisioning, and session-level verification.
TOTP-based MFA (RFC 6238) enforced at AAL2 per NIST SP 800-63B. Compatible with Google Authenticator, Authy, 1Password, and Microsoft Authenticator. MFA verification checked on every admin request — not just at login.
MFA is enforced in server middleware — not client JavaScript. Disabling JS or navigating directly to admin routes still triggers the MFA gate. No client-side bypass is possible.
Admin accounts can only be created by existing admins through a secure invite flow. Self-registration always assigns buyer-level access. No public endpoint can escalate privileges.
PunchOut sessions use cryptographically random 48-character identifiers with automatic 1-hour expiry. Session validation is mandatory before any order can be placed.
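As an added illustration (not OncoSource's own code), a server-side gate of the kind described in this section: a per-request check of role and authenticator assurance level that runs before any admin data is fetched, and a PunchOut session store with 48-character random identifiers and a one-hour expiry. The claim names, the role values, the redirect paths and the in-memory store are assumptions.

```typescript
import { randomBytes } from "node:crypto";

// Assumed claim shape: the session token carries the user's role and the
// authenticator assurance level reached at login ("aal1" or "aal2").
export interface SessionClaims {
  sub: string;
  role: "buyer" | "cq_admin";
  aal: "aal1" | "aal2";
  exp: number; // seconds since the epoch
}

export type GateDecision =
  | { allow: true }
  | { allow: false; redirect: "/login" | "/mfa" | "/" };

// Evaluated on every admin request, server-side, before rendering or fetching.
// Order matters: expiry first, then role, then MFA level (AAL2 required).
export function gateAdminRequest(claims: SessionClaims | null, nowSec: number): GateDecision {
  if (!claims || claims.exp <= nowSec) return { allow: false, redirect: "/login" };
  if (claims.role !== "cq_admin") return { allow: false, redirect: "/" };
  if (claims.aal !== "aal2") return { allow: false, redirect: "/mfa" };
  return { allow: true };
}

// PunchOut sessions: 24 random bytes hex-encoded give a 48-character identifier.
const PUNCHOUT_TTL_MS = 60 * 60 * 1000; // automatic 1-hour expiry

export interface PunchOutSession { orgId: string; expiresAt: number }
export const punchOutSessions = new Map<string, PunchOutSession>(); // assumed store

export function createPunchOutSession(orgId: string, nowMs: number): string {
  const id = randomBytes(24).toString("hex");
  punchOutSessions.set(id, { orgId, expiresAt: nowMs + PUNCHOUT_TTL_MS });
  return id;
}

// Mandatory before an order is accepted: the session must exist, be unexpired,
// and belong to the organization placing the order. Expired entries are purged.
export function validatePunchOutSession(id: string, orgId: string, nowMs: number): boolean {
  const s = punchOutSessions.get(id);
  if (!s) return false;
  if (s.expiresAt <= nowMs) {
    punchOutSessions.delete(id);
    return false;
  }
  return s.orgId === orgId;
}
```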
Encryption & Infrastructure
In Transit
All traffic encrypted with TLS 1.3 enforced by Vercel's global edge network and Supabase's API gateway. No unencrypted connections accepted.
At Rest
AES-256 encryption for all database storage via Supabase (PostgreSQL on AWS). Uploaded invoices stored with per-organization namespacing.
Payment Processing
Stripe handles all payment data — PCI DSS Level 1 compliant. OncoSource never stores card numbers. Orders remain in pending state until Stripe webhook confirms successful payment.
Secret Management
Service role keys, API credentials, and payment secrets are server-side only. ERP shared secrets are bcrypt-hashed (cost factor 12) before storage. Secrets are never placed in environment variables that the build exposes to client-side code.
AI Data Handling
Anthropic Claude is our only AI provider, used for two purposes: invoice parsing and an authenticated product-knowledge chatbot. Anthropic does not train on commercial API inputs under our terms.
Invoice Parsing
Extracts SKUs, descriptions, quantities, and unit prices from uploaded procurement documents. No Protected Health Information is ever sent to the AI. No CQ Medical catalog pricing or competitive intelligence is included in the parsing prompt.
Role-Scoped Chatbot
Authenticated buyers and admins can query product fit, compatibility, and pricing. The catalog injection is role-scoped at the server: hospital buyers see only their own tier price plus list price — never other tiers, never the competitor mapping table. CQ admins see the full catalog. Output filtering blocks bulk-catalog extraction attempts.
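An added example (not OncoSource's code) of the server-side, role-scoped catalog projection described above: buyers receive only their own tier price and list price, the competitor mapping is dropped for them, admins receive the full row, and a per-turn row cap plus an output filter bound how much of the catalog one answer can carry. The row shape, the SKU pattern, the sample rows and the cap value are assumptions.

```typescript
// Assumed catalog row shape; competitorMapping is the admin-only field.
export interface CatalogRow {
  sku: string;
  description: string;
  listPrice: number;
  tierPrices: Record<string, number>;                    // e.g. { "tier-1": 90 }
  competitorMapping?: { vendor: string; sku: string }[]; // never shown to buyers
}

export interface ChatUser { role: "buyer" | "cq_admin"; tier?: string }

export type ScopedRow =
  | { sku: string; description: string; listPrice: number; yourPrice: number }
  | CatalogRow;

// Upper bound on rows injected into one prompt or echoed in one answer (assumed value).
export const MAX_ROWS_PER_TURN = 25;

// Constructed sample data, not real catalog pricing.
export const SAMPLE_CATALOG: CatalogRow[] = [
  { sku: "OS-1001", description: "Biopsy needle 18G", listPrice: 120,
    tierPrices: { "tier-1": 90, "tier-2": 100 },
    competitorMapping: [{ vendor: "ExampleCo", sku: "EX-77" }] },
  { sku: "OS-1002", description: "Port access kit", listPrice: 340,
    tierPrices: { "tier-1": 280, "tier-2": 310 } },
];

// Builds the catalog slice injected into the chatbot prompt for this user.
export function scopeCatalog(rows: CatalogRow[], user: ChatUser, requestedSkus?: string[]): ScopedRow[] {
  const selected = requestedSkus ? rows.filter(r => requestedSkus.includes(r.sku)) : rows;
  const capped = selected.slice(0, MAX_ROWS_PER_TURN);
  if (user.role === "cq_admin") return capped; // full row, competitor mapping included
  return capped.map(r => ({
    sku: r.sku,
    description: r.description,
    listPrice: r.listPrice,
    yourPrice: r.tierPrices[user.tier ?? ""] ?? r.listPrice, // unknown tier: list price only
  }));
}

// Output filter: an answer that echoes more distinct SKUs than the per-turn cap
// is withheld, so the model cannot be used to page through the whole catalog.
export function outputAllowed(answer: string): boolean {
  const skus = new Set(answer.match(/\bOS-\d{4}\b/g) ?? []);
  return skus.size <= MAX_ROWS_PER_TURN;
}
```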
Audit Logging & Access Monitoring
Comprehensive audit trail for all sensitive data access, aligned with HIPAA 45 CFR §164.312(b) requirements.
Every access to protected resources — invoice downloads, AI analysis requests, report distribution — is logged with the acting user, organization, IP address, user agent, and full request metadata. Audit logs are immutable and accessible only to administrators.
Secure Development Lifecycle
Security is enforced throughout the development pipeline — from code review to deployment. Every change to security-sensitive code requires dedicated review and automated checks, and passes through CI before reaching production.
Code Review Enforcement
CODEOWNERS requires security team approval for all changes to API routes, database migrations, authentication middleware, and CI/CD workflows. Direct pushes to main are blocked.
Branch Protection
All changes require pull requests with passing status checks. Force pushes to main are blocked. Branch protection rules enforce review requirements before any merge.
CI Security Scanning
Automated security checks on every pull request: dependency vulnerability scanning (npm audit), secret detection in source code, TypeScript strict type checking, and build verification.
Database Migrations
Schema changes deploy through an automated CI pipeline — version-tracked, reviewed, and applied consistently. No manual database modifications in production.
Compliance & Certifications
SOC 2 Type II — Supabase
SOC 2 Type II — Vercel
PCI DSS Level 1 — Stripe
SOC 2 Type II — Anthropic