Security Posture

Healthcare safeguards with evidence boundaries.

Flaura is built for patient data protection, tenant isolation, auditability, and operational recovery. This page separates implemented controls from target-state work and unsupported claims.

Identity and access

ASP.NET Core Identity authentication with role-aware medical authorization policies.

Evidence: Account components, MedicalPolicies

Tenant boundaries

Tenant-aware access is a core safety rule; cross-tenant leakage is treated as a severity-1 defect.

Evidence: blueprint and tenant-filter tests

Field-level protection

Sensitive healthcare fields can use field-level encryption and key-version-aware protection patterns.

Evidence: encryption docs and tests

Auditability

Security and clinical access activity have audit foundations for review and investigation.

Evidence: audit service and report surfaces

API perimeter

API and FHIR traffic use correlation IDs, CORS policy, and rate limiting at the HTTP boundary.

Evidence: middleware and security tests

Operational recovery

Blue-green deployment, rollback assets, health checks, and evidence-pack generation support recoverability.

Evidence: deploy scripts and release pack

Implemented Claims

What Flaura can evidence today

  • Identity-based authentication and role-aware authorization policies.
  • Tenant-aware data access model with tenant isolation treated as a critical safety boundary.
  • Field-level protection support for sensitive healthcare fields.
  • Audit logging foundations for security and clinical access review.
  • API/FHIR perimeter controls including correlation IDs, CORS policy, and rate limiting.
  • Health diagnostics, blue-green deployment, rollback assets, and release evidence pack generation.

Explicit Non-Claims

What this page does not claim

  • No SOC 2, ISO 27001, or HITRUST certification claim.
  • No blanket HIPAA, GDPR, POPIA, or CCPA compliance claim for every customer deployment.
  • No zero-knowledge claim for all fields.
  • No fully automated clearinghouse claim for every payer.
  • No fixed 99.9% SLA claim for every deployment model.
  • No claim that customer workforce, device, network, or local-policy obligations disappear.

Shared responsibility

Security depends on the deployment and support model. Flaura can provide platform safeguards and release evidence, while clinics remain responsible for workforce access, device security, local policies, and jurisdiction-specific compliance decisions.

| Question | Why it matters |
| --- | --- |
| Which deployment model is being used? | Hosting ownership changes who patches, monitors, backs up, and restores the environment. |
| Which integrations receive PHI? | Every lab, pharmacy, insurer, webhook, or support adapter needs an explicit data boundary. |
| Who approves privileged access? | System and tenant administration require clear approval and audit expectations. |
| Which evidence pack supports go-live? | Commercial claims should map to build, test, migration, health, rollback, and risk evidence. |

Release Evidence

Ask for the evidence pack before go-live.

Enterprise and pilot releases should include build, test, migration, health, rollback, known-risk, and release-note summaries generated by the Flaura release evidence workflow.