Security Overview
Last Updated: July 2, 2026
Security is foundational to Quaspar. Our platform handles sensitive healthcare workflow data on behalf of medical practices, and we design, build, and operate the product with that responsibility in mind. This page summarizes our security program. For HIPAA-specific practices, see HIPAA & Security. To report a security issue, email support@quaspar.com.
Infrastructure
- Cloud hosting. Quaspar's backend runs on Google Cloud Platform in U.S. regions, using managed, containerized services. Google Cloud maintains industry-leading physical and environmental security certifications (SOC 2, ISO 27001, HITRUST) for the underlying infrastructure.
- Database and authentication. Application data is stored in managed PostgreSQL infrastructure with encryption at rest. Authentication uses industry-standard JSON Web Tokens with asymmetric signing and short-lived sessions.
- Network security. All services are fronted by TLS-terminating load balancers. Internal services are not exposed to the public internet. Firewall rules follow a default-deny posture.
Data Protection
- Encryption in transit. All data moving between your browser, our extension, and our servers is encrypted with TLS 1.2 or higher.
- Encryption at rest. All stored data is encrypted at rest using AES-256.
- Data minimization. The Quaspar extension processes patient information locally in your browser session wherever possible and transmits only the data needed to perform the requested operation. We follow HIPAA's minimum-necessary standard.
- Segregation. Customer data is logically separated per practice, with ownership checks enforced at the API layer on every request.
Access Control
- Least privilege. Access to production systems and customer data is restricted to personnel who require it to operate the service, and is reviewed regularly.
- Multi-factor authentication is required for all administrative access to production infrastructure.
- Role-based access within the product lets practices control which staff members can view and act on which workflows.
- Audit logging. Administrative and data-access events are logged with timestamps and actor identity, and logs are protected against tampering.
Application Security
- Secure development. Code changes are reviewed before deployment. Dependencies are monitored for known vulnerabilities and patched promptly.
- Secrets management. Credentials and API keys are stored in managed secret stores, never in source code.
- Browser extension safety. The extension enforces patient-context verification before autofilling any payer form, including cross-tab ownership checks, to prevent data from being placed into the wrong patient's record.
- Third-party transactions. Eligibility and related healthcare transactions are conducted through established, HIPAA-compliant clearinghouse partners over standard X12 EDI protocols.
Monitoring and Incident Response
- Production systems are monitored for availability, errors, and anomalous behavior.
- We maintain a documented incident response process covering identification, containment, eradication, recovery, and post-incident review.
- Customers affected by a confirmed incident are notified in accordance with our contractual commitments, our Business Associate Agreement, and applicable law.
Vendor Management
We evaluate the security posture of vendors before engagement. Any vendor that creates, receives, maintains, or transmits PHI on our behalf must sign a Business Associate Agreement and meet HIPAA Security Rule requirements. A current subprocessor list is available on request.
Business Continuity
- Databases are backed up automatically with point-in-time recovery capability.
- Infrastructure is deployed on managed, auto-scaling services designed for high availability.
- Recovery procedures are documented and reviewed.
Responsible Disclosure
We welcome reports from security researchers. If you believe you've found a vulnerability, email support@quaspar.com with details and steps to reproduce. We ask that you avoid accessing customer data, act in good faith, and give us reasonable time to remediate before public disclosure. We will acknowledge reports promptly and keep you informed of remediation progress.
Questions
For security questionnaires, subprocessor lists, or architecture documentation under NDA, contact support@quaspar.com.