← Back to OpticClose

Trust & Security

This page is maintained by OpticClose to answer common security and privacy questions about our practice management OS. It describes currently enabled controls and is not an independent certification or audit attestation.

Shared responsibility

OpticClose runs on managed cloud infrastructure (Lovable Cloud, backed by Supabase and Cloudflare). Lovable provides hosted application runtime, managed Postgres, authentication, storage, and edge networking. OpticClose builds the application controls described below. Practices using OpticClose are responsible for configuring user access, training staff, and handling PHI in accordance with their own policies and any applicable Business Associate Agreement.

Access & authentication

  • Email/password and Google sign-in via Supabase Auth.
  • Row-level security on every tenant table; users only see their tenant's data.
  • Role-based access through a dedicated user roles table — never stored on profiles.
  • Idle-session logout and break-glass auditing for sensitive PHI access.
  • Super-admin impersonation is logged and time-bounded.

Data protection

  • All data encrypted in transit (TLS 1.2+) and at rest by the managed database.
  • PHI tokenization helpers available for logs and exports.
  • Storage buckets containing clinical imaging are private and tenant-scoped.
  • OAuth tokens for connected ad/marketing platforms are readable only by tenant admins.

Hosting & subprocessors

OpticClose relies on the following subprocessors to deliver the service. Each is bound by its own data protection terms.
  • Lovable Cloud — application hosting, database, auth, storage.
  • Cloudflare — edge networking and DDoS protection.
  • Resend — transactional email delivery.
  • Twilio — SMS and voice (when enabled by the practice).
  • Stripe — payments and subscription billing.
  • Daily — virtual consult video rooms (when enabled).
  • OpenAI / Anthropic / Google via Lovable AI — model inference for scribe and assistant features.

Retention & deletion

Tenant data is retained while the account is active. Practices can request export or deletion of their tenant by emailing privacy@opticclose.com. Audit logs and billing records may be retained for the period required by law.

Privacy requests

Patients and staff may exercise data-subject rights (access, correction, deletion) by contacting the practice they belong to. The practice acts as the data controller; OpticClose acts as a processor on the practice's behalf.

Reporting a security issue

We welcome reports from security researchers and customers. Please email security@opticclose.com with reproduction steps. Please do not test against real patient data and do not perform denial-of-service tests. We aim to acknowledge reports within two business days.

Compliance posture

OpticClose is designed to support HIPAA-aligned workflows. A Business Associate Agreement is available on request for paid practice and enterprise plans. OpticClose does not currently claim independent SOC 2, ISO 27001, HITRUST, or PCI certification; payment processing is delegated to Stripe, which maintains PCI DSS certification for the cardholder data it handles.

Last updated: 7/8/2026