How we secure the stack.
A short read on the architecture, the controls, and what we'll show you on a security review.
Architecture
- Layer 01 · Context (chanio): user-owned context graph. The hard drive metaphor is meant literally: the data is yours, stored on your device, and federated through your own infrastructure.
- Layer 02 · Runtime (harnesshealth.ai): agentic orchestration on Anthropic's Claude. Open harness, model-agnostic, physician-supervised.
- Layer 03 · Proof (hashcare): attestation ledger. Every clinical write produces a cryptographic record signed by the responsible physician. Audit-ready.
Controls
- Hard intercept on every clinical write — no agent action reaches a patient or third party without a named physician's signature. (Provisional patent filed.)
- Encryption at rest (AES-256) and in transit (TLS 1.3). HSTS preload on all production domains.
- Access via Supabase Auth (production) with role-based row-level security. SSO planned for enterprise.
- Audit logs on every clinical attestation, retained per HIPAA minimums (6 years).
- Secrets stored in Vercel encrypted environment variables. Rotated quarterly.
- No third-party trackers on any production surface. No Facebook pixel, no Google ads, no Hotjar, no session replay tools.
The AI piece
Sage (the chat widget) is powered by Anthropic Claude. We use Anthropic's enterprise privacy terms — zero retention by default, no training on customer conversations. The system prompt for each brand is in our public registry at /kb/registry.json.
What we'll show you on a review
- Provisional patent disclosure for the harness + hard-intercept architecture.
- Audit log samples (with PHI redacted).
- Vercel + Supabase security postures (SOC 2 documents available under NDA).
- Anthropic enterprise terms covering Sage's data handling.
- Tech E&O insurance certificate (SH LLC).
Reporting a vulnerability
Found something? Email security@harnesshealth.ai. We respond within 48 hours and credit responsible disclosure on the acknowledgments page.
For HIPAA-specific posture, see the HIPAA page.