Security

Protect the recovery space.

Security is part of the product boundary, especially when accounts, health-related interactions, camera access, and voice access share one experience.

Effective July 15, 2026
01

Least access

Patient pages are gated server-side, administrative pages require a separate role, and sensitive actions require stronger checks.

02

Media restraint

Camera and microphone are default-denied and allowed only on the focused session route after a user acts.

03

Layered controls

Content Security Policy, CSRF checks, RLS, rate limiting, audit events, input validation, and restricted service credentials protect different boundaries.

Security Policy | Cost Plus PT