Our approach
PracticeLien handles patient, case, and lien data for personal-injury medical practices. We design every layer of the service - infrastructure, application, data, and process - to protect protected health information (PHI) and minimize the blast radius of any single failure.
Infrastructure
- Cloud provider. The application runs on Google Cloud Platform in the us-central1 region. We use only services covered by a signed Business Associate Agreement (BAA) with Google.
- Compute. The application and sync workers run on Cloud Run, scaled per service with explicit min/max instance bounds.
- Database. Cloud SQL for PostgreSQL, private IP only (no public endpoint), with automated backups and point-in-time recovery.
- Secrets. All credentials are stored in Google Secret Manager and pulled at runtime by service identities. No long-lived service-account keys.
- Infrastructure as code. Production infrastructure is defined in Terraform and reviewed before apply.
Multi-tenant isolation
Every customer (medical practice) is a distinct tenant. Tenant boundaries are enforced inside the database, not just in application code:
- Every PHI-bearing table has a non-null
tenant_idcolumn and a row-level security (RLS) policy that filters rows by the current session's tenant. - The tenant identifier is read from the authenticated session token and set at the start of every database transaction.
- Cross-tenant queries are blocked by the database itself - even a buggy or malicious application query cannot return another tenant's rows.
- Every new feature ships with an isolation test that asserts a request authenticated as Tenant A cannot read Tenant B's data.
Authentication and access
- Identity provider. Authentication is provided by Clerk (SOC 2 Type II, BAA available).
- Multi-factor authentication is required on every account that can access PHI.
- Role-based access control. User roles (admin, provider, front desk, billing) determine which actions and screens are available within a practice.
- Attorney portal. Attorneys log in to a scoped portal that exposes only the cases their firm is associated with - they never see practice-staff screens or other firms' data.
- Internal access. Production access by PracticeLien staff is restricted to a minimum set of engineers, requires MFA, and is logged.
Encryption
- In transit. All traffic to and from the application is encrypted with TLS 1.2 or higher.
- At rest. Cloud SQL, Cloud Storage, and Secret Manager use Google-managed AES-256 encryption at rest.
- Document storage. Settlement packets and uploaded records are stored in Cloud Storage buckets with object-level access controls and tenant scoping.
Logging and auditing
- Every authentication event, PHI access, and tenant-scoped data modification is recorded in an immutable audit log.
- Application logs are structured JSON, centralized in Cloud Logging, and scrubbed for PHI before leaving the perimeter (e.g., on the way to error monitoring).
- Audit logs are retained per the customer's BAA and applicable law.
Backups and recovery
- Daily automated database backups with point-in-time recovery enabled.
- Backups are encrypted at rest and stored in the same BAA-covered region as the production database.
- Recovery procedures are tested periodically.
Software development
- Code review. All changes go through pull-request review before merge to the protected main branch.
- Automated checks. Tests, type checks, lint rules (including PHI-in-log and PHI-in-URL detectors), and dependency-vulnerability scans run on every pull request.
- Deployment. Releases go through staging before production. CI/CD authenticates to GCP via Workload Identity Federation - no long-lived keys.
- Dependency hygiene. Third-party packages are reviewed and updated on a regular cadence.
Vendor management
We maintain BAAs with every subprocessor that touches PHI. A current list of subprocessors is on the Privacy page.
Compliance posture
- HIPAA. We operate under signed BAAs with customers and with all PHI-touching vendors. Administrative, technical, and physical safeguards are aligned with 45 CFR Part 164.
- SOC 2. A SOC 2 Type I report is on our roadmap. We are operating with SOC 2 controls in mind from day one.
Responsible disclosure
If you believe you have found a security vulnerability in PracticeLien, please email info@sevenseasstrategies.com. Please include enough detail to reproduce the issue, and give us a reasonable window to investigate before public disclosure.
- We will acknowledge receipt within two business days.
- We will not pursue legal action against good-faith researchers who follow this policy.
- Please do not access more data than necessary to demonstrate the issue, and never use real patient PHI in a test or proof of concept.
Contact
For security questions, BAA requests, or to report a suspected incident:
Seven Seas LLC · info@sevenseasstrategies.com