OH Consultant

HIRA-4D Security Overview

Last updated: 16 March 2026

1. Infrastructure

Hosting: Vercel (application) + Supabase (database). Database region: Zurich, Switzerland (eu-central-2). Database: PostgreSQL (Supabase managed). Authentication: Clerk (SOC 2 Type II, SAML/SSO capable). Payments: Stripe (PCI DSS Level 1).

2. Encryption

Data at rest: AES-256 (Supabase default). Data in transit: TLS 1.3 (all connections). Database connections: SSL enforced, no plaintext. Backups: Encrypted with same key management.

3. Access Control

Application level: 9 RBAC roles with granular permissions. Row-level security (RLS) at database level. Schema-per-tenant isolation. Betriebsarzt (occupational physician) has ZERO chemical data access; ASA specialist has ZERO health data access — enforced at database level, not UI.

Administrative: MFA required for all admin accounts. SSH key-based access only. IP allowlisting for database direct access. Principle of least privilege enforced.

4. Audit Logging

Hash-chained audit log (each entry includes hash of previous entry — tamper-evident, blockchain-like integrity). Records: who, what, when, from where. Immutable — entries cannot be modified or deleted. Retained for 7 years. Available for customer export on request.
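To make the tamper-evidence property concrete, here is an added illustration (not the HIRA-4D product's own code, and the field names, sample actors and IP addresses are constructed for the example) of a hash-chained who/what/when/where log and a verifier that reports the first entry whose chain link no longer checks out:

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # assumed sentinel "previous hash" for the very first entry

def entry_hash(entry: dict) -> str:
    """SHA-256 over every field except the entry's own hash, serialised deterministically."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append_entry(log: list, who: str, what: str, when: str, source: str) -> dict:
    """Append a record whose hash covers its content AND the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    entry = {"seq": len(log), "who": who, "what": what, "when": when, "from": source, "prev_hash": prev_hash}
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry

def verify_chain(log: list):
    """Return (True, None) if every link holds, else (False, index of the first broken entry)."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev_hash") != expected_prev:
            return False, i          # an entry was removed, reordered or inserted here
        if entry_hash(entry) != entry.get("hash"):
            return False, i          # this entry's content was edited after the fact
        expected_prev = entry["hash"]
    return True, None

def build_sample_log() -> list:
    """Constructed sample: three audit events in the who/what/when/where shape."""
    log = []
    append_entry(log, "ohs.admin", "read:risk_assessment/42", "2026-03-16T08:00:00Z", "203.0.113.5")
    append_entry(log, "asa.specialist", "update:chemical_inventory/7", "2026-03-16T08:05:00Z", "198.51.100.9")
    append_entry(log, "ohs.admin", "export:audit_log", "2026-03-16T08:10:00Z", "203.0.113.5")
    return log

def detect_modification():
    """Edit the middle entry without touching its hash: verification stops at index 1."""
    log = build_sample_log()
    log[1]["who"] = "someone.else"
    return verify_chain(log)

def detect_rehashed_modification():
    """Edit the middle entry and recompute its hash: the next entry's prev_hash no longer matches."""
    log = build_sample_log()
    log[1]["who"] = "someone.else"
    log[1]["hash"] = entry_hash(log[1])
    return verify_chain(log)
```

A chain like this proves internal consistency only; truncating the tail is undetectable unless the latest hash is periodically anchored outside the database (for example in the customer export), which is why that export matters.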

5. Data Isolation

Each tenant has isolated schema within shared database. Row-level security prevents cross-tenant data access. API routes enforce tenant context on every request. No shared data between tenants (except CIH hazard templates, which contain no personal information).

6. Availability

Supabase: 99.9% uptime SLA. Vercel: 99.99% uptime SLA. Automated daily backups with point-in-time recovery. Disaster recovery: RPO < 24 hours, RTO < 4 hours.

7. Incident Response

Dedicated incident response procedure. 72-hour notification to affected customers. Notification to relevant authorities (OAIC, FDPIC) as required by law. Post-incident review and remediation report.

8. Compliance Frameworks

Aligned with: Swiss FADP, Australian Privacy Principles (APPs), ISO 27001 principles (formal certification planned), SOC 2 Type II (via subprocessors). Planned: ISO 27001 certification, IRAP assessment (for Australian government customers).

9. Penetration Testing

Annual third-party penetration testing (planned). Continuous dependency vulnerability scanning (GitHub). Responsible disclosure programme (planned).

10. Employee Security

Background checks for personnel with data access. Confidentiality agreements. Annual security awareness training. Access revocation within 24 hours of role change or termination.

For detailed security inquiries: info@ohconsultant.com.au