
Security & HIPAA

Last reviewed: 2026-05-04

Hosting and data residency

Aesthera runs on Google Cloud — Cloud Run for compute, Firestore Native for data, Cloud Storage for clinical photos, Identity Platform for auth. All data resides in Google's US multi-region with replication for durability. TLS 1.2+ is enforced; HSTS is set with a 2-year max-age and preload eligibility.

Authentication

  • Email + password and passwordless magic-link sign-in (Google Identity Platform).
  • Two-factor authentication: TOTP authenticator apps and SMS.
  • AAL2 (MFA-completed) is enforced on all super-admin routes once MFA is enrolled.
  • Account lockout after 5 failed sign-in attempts in 15 minutes.
  • New-IP detection sends a security alert email on first sign-in from an unrecognized location.
  • Append-only audit log on every sign-in attempt and every CRM mutation.
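The lockout, new-IP alert and append-only audit log bullets above interact: the lockout decision is computed from the log, and the alert decision depends on what the log already knows about the account. The block below is an added example, not Aesthera's code, modelling those three rules in plain Node.js against an in-memory log. The 5-attempt threshold and 15-minute window come from the page; the event field names, the sample addresses and timestamps, and the choice to treat "unrecognized location" as "no earlier successful sign-in from this IP" are assumptions.

```javascript
// Added example, not Aesthera's code: lockout + new-IP detection evaluated
// against an append-only sign-in audit log. Field names are assumptions.
const LOCKOUT_THRESHOLD = 5;               // failed attempts ...
const LOCKOUT_WINDOW_MS = 15 * 60 * 1000;  // ... within a trailing 15-minute window

// Helper for constructed sample timestamps (UTC, same day).
const T = (hhmm) => Date.parse(`2026-05-04T${hhmm}:00Z`);

// Append-only: the only write path is a push of a frozen record.
function appendEvent(log, event) {
  log.push(Object.freeze({ type: "signin", ...event }));
  return log;
}

// Constructed sample history (not real data): one good sign-in from a
// known address, then four bad-password attempts from another address.
function buildSampleLog() {
  const log = [];
  appendEvent(log, { email: "dr.lee@clinic.example", ip: "203.0.113.10", result: "ok", at: T("09:00") });
  for (const hhmm of ["09:05", "09:06", "09:07", "09:08"]) {
    appendEvent(log, { email: "dr.lee@clinic.example", ip: "198.51.100.7", result: "bad_credentials", at: T(hhmm) });
  }
  return log;
}

// Locked out when >= LOCKOUT_THRESHOLD bad-credential attempts fall inside the
// trailing window. Attempts rejected *because* of the lockout are logged with
// result "locked_out" but not counted, so a steady stream of retries cannot
// keep the account locked indefinitely.
function isLockedOut(log, email, now) {
  const since = now - LOCKOUT_WINDOW_MS;
  const failures = log.filter(
    (e) => e.email === email && e.result === "bad_credentials" && e.at > since && e.at <= now,
  ).length;
  return failures >= LOCKOUT_THRESHOLD;
}

// "Unrecognized location" modelled as: no earlier successful sign-in from this IP.
function isNewIp(log, email, ip, now) {
  return !log.some((e) => e.email === email && e.result === "ok" && e.ip === ip && e.at < now);
}

// One sign-in attempt: lockout check first, then credentials, then the alert
// decision. Every outcome, including rejections, is appended to the log.
function handleSignInAttempt(log, { email, ip, credentialsOk, at }) {
  if (isLockedOut(log, email, at)) {
    appendEvent(log, { email, ip, result: "locked_out", at });
    return { allowed: false, reason: "locked_out", sendAlert: false };
  }
  const sendAlert = credentialsOk && isNewIp(log, email, ip, at);
  appendEvent(log, { email, ip, result: credentialsOk ? "ok" : "bad_credentials", at });
  return { allowed: credentialsOk, reason: credentialsOk ? "ok" : "bad_credentials", sendAlert };
}
```

Walking the sample through: the fifth bad password at 09:09 trips the lockout, a correct password at 09:10 is still refused and logged as `locked_out`, and by 09:25 the window has slid past the failures so a correct password from the known address succeeds without an alert, while the same user from a never-seen address does trigger one.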

HIPAA

Aesthera is built to be HIPAA-eligible. We sign a Business Associate Agreement (BAA) with clinics on Growth and Enterprise tiers. Our hosting and subprocessors (Google Cloud, Stripe, Twilio, Resend) are themselves HIPAA-eligible and operate under their own BAAs.

PHI in motion is TLS-encrypted; at rest in Firestore it's encrypted with Google-managed keys (CMEK migration is on the Enterprise roadmap). Photos in Cloud Storage are stored in a private bucket and served only via short-lived signed URLs. Access to PHI is gated by tenant role + tenant_id custom claims.
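The claim-gating sentence above is the kind of rule that is easy to state and easy to get subtly wrong (a document created under the wrong tenant, an update that rewrites `tenant_id`). The block below is an added example, not Aesthera's code and not its actual Firestore security rules: a pure-function model of the same policy that can be unit-tested the way a rules emulator would exercise it. It also models the append-only `audit_log` rule listed under Application security. The role names, collection names and the role-to-operation table are assumptions; only the idea of gating on a tenant role plus a `tenant_id` custom claim comes from the page.

```javascript
// Added example, not Aesthera's code or rules: a model of tenant + role gating
// for PHI collections and of the append-only audit_log. Names are assumptions.
const ROLE_PERMISSIONS = {
  owner:      new Set(["get", "list", "create", "update", "delete"]),
  clinician:  new Set(["get", "list", "create", "update"]),
  front_desk: new Set(["get", "list"]),
};
const PHI_COLLECTIONS = new Set(["patients", "photos", "notes"]);

// request:  { auth: { uid, claims: { tenant_id, role } } | null, op, collection, data? }
// resource: the stored document being read/updated/deleted (null on create)
function evaluate(request, resource) {
  const { auth, op, collection, data } = request;
  if (!auth) return { allow: false, reason: "unauthenticated" };
  const { tenant_id: tenantId, role } = auth.claims ?? {};

  if (collection === "audit_log") {
    // Append-only: any signed-in principal may create; update and delete are
    // always denied, matching "security rules deny update + delete".
    if (op === "create") return { allow: true, reason: "audit-append" };
    if (op === "update" || op === "delete") return { allow: false, reason: "audit-immutable" };
    return { allow: role === "super_admin", reason: "audit-read" };
  }

  if (PHI_COLLECTIONS.has(collection)) {
    if (!tenantId || !role) return { allow: false, reason: "missing-claims" };
    // Tenant isolation: the document's tenant must equal the caller's claim.
    // On create the tenant comes from the incoming data, otherwise from the
    // stored document, so a caller cannot write a record into another tenant.
    const docTenant = op === "create" ? data?.tenant_id : resource?.tenant_id;
    if (docTenant !== tenantId) return { allow: false, reason: "tenant-mismatch" };
    // An update may not move the document to a different tenant.
    if (op === "update" && data?.tenant_id !== undefined && data.tenant_id !== tenantId) {
      return { allow: false, reason: "tenant-reassignment" };
    }
    if (!ROLE_PERMISSIONS[role]?.has(op)) return { allow: false, reason: "role-denied" };
    return { allow: true, reason: "ok" };
  }

  // Default-deny for anything not explicitly modelled.
  return { allow: false, reason: "unknown-collection" };
}

// Convenience constructor for a signed-in request with custom claims.
function asUser(uid, tenant_id, role, rest) {
  return { auth: { uid, claims: { tenant_id, role } }, ...rest };
}
```

The two checks a practitioner most often forgets are the create path (the tenant must be read from the incoming data, because there is no stored document yet) and the reassignment path (an update that changes `tenant_id` would otherwise pass the first tenant check and then leak the record into another tenant).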

Request the BAA via support@aesthera.io.

Application security

  • Strict CSP, X-Frame-Options DENY on /admin, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy locking down camera/mic/geolocation/cohort.
  • Per-IP and per-email rate limits on auth and lead-capture endpoints.
  • Server-side input validation (zod) on every API endpoint.
  • Honeypot field on the public lead form.
  • Email enumeration protection: identical 200 responses for valid and invalid emails on magic-link initiation.
  • Append-only audit_log Firestore collection (security rules deny update + delete).
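The header bullet above, together with the HSTS setting from the Hosting section, is a checklist that is worth verifying against what the server actually emits rather than what the middleware is configured to emit. The block below is an added example, not Aesthera's code: a header policy matching those bullets plus an audit function that reports deviations from it, the kind of check a deploy pipeline or an external scan would run. The header names, the 2-year HSTS max-age, the DENY-on-/admin scope and the locked-down features are from the page; the specific CSP and Permissions-Policy strings are assumptions, since the page only says "strict".

```javascript
// Added example, not Aesthera's code: security-header policy + audit.
// CSP and Permissions-Policy values are assumed; other values are from the page.
const TWO_YEARS_S = 2 * 365 * 24 * 60 * 60;        // 63072000, the page's HSTS max-age
const PRELOAD_MIN_MAX_AGE_S = 365 * 24 * 60 * 60;  // preload list minimum (1 year)

function isAdminPath(path) {
  return path === "/admin" || path.startsWith("/admin/");
}

// The headers a response for `path` should carry (names lower-cased).
function securityHeaders(path) {
  const headers = {
    "strict-transport-security": `max-age=${TWO_YEARS_S}; includeSubDomains; preload`,
    "content-security-policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()",
  };
  if (isAdminPath(path)) headers["x-frame-options"] = "DENY";
  return headers;
}

// Parse an HSTS value into its directives; directive names are case-insensitive.
function parseHsts(value) {
  const d = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const part = raw.trim().toLowerCase();
    if (part.startsWith("max-age=")) d.maxAge = Number(part.slice("max-age=".length));
    else if (part === "includesubdomains") d.includeSubDomains = true;
    else if (part === "preload") d.preload = true;
  }
  return d;
}

// Audit a captured header set (any name casing) for the path it was served on.
// Returns an array of finding codes; an empty array means the policy is met.
function auditHeaders(rawHeaders, path) {
  const h = Object.fromEntries(Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  if (!h["strict-transport-security"]) {
    findings.push("hsts-missing");
  } else {
    const d = parseHsts(h["strict-transport-security"]);
    if (!(d.maxAge >= TWO_YEARS_S)) findings.push("hsts-max-age-short");
    // "preload" is only meaningful if the list's own requirements are met.
    if (d.preload && (!d.includeSubDomains || !(d.maxAge >= PRELOAD_MIN_MAX_AGE_S))) {
      findings.push("hsts-preload-ineligible");
    }
  }
  if (!h["content-security-policy"]) findings.push("csp-missing");
  if ((h["x-content-type-options"] ?? "").toLowerCase() !== "nosniff") findings.push("nosniff-missing");
  if (h["referrer-policy"] !== "strict-origin-when-cross-origin") findings.push("referrer-policy-weak");

  const pp = h["permissions-policy"] ?? "";
  for (const feature of ["camera", "microphone", "geolocation"]) {
    if (!new RegExp(`(^|,)\\s*${feature}=\\(\\)`).test(pp)) findings.push(`permissions-policy-${feature}-open`);
  }
  if (isAdminPath(path) && (h["x-frame-options"] ?? "").toUpperCase() !== "DENY") findings.push("admin-framable");
  return findings;
}
```

Note the preload check: a header that says `preload` without `includeSubDomains`, or with a short `max-age`, is not an error for browsers but does not meet the preload list's submission requirements, which is what "preload eligibility" in the Hosting section refers to.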

Reporting a vulnerability

Email support@aesthera.io with the subject line "Security report". Please give us a reasonable window to fix before disclosing publicly. We acknowledge reports within 2 business days.

SOC 2

SOC 2 Type 1 is on the roadmap; we'll publish the report once complete. Until then, security questionnaires are answered case-by-case.
