Security & HIPAA-equivalent practices

• Encryption in transit: TLS 1.2+ everywhere; HSTS in production.
• Encryption at rest: Sensitive PHI columns (medical conditions, medications, allergies) are encrypted with AES-256-GCM at the application layer.
• Authentication: Argon2id password hashing with a server-side pepper; account lockouts after 5 failed attempts.
• Application security: CSRF tokens on every form, strict file-type validation, rate limiting per IP and route, parameterised queries.
• Audit logging: Privileged actions are written to an append-only audit trail.
• Least privilege: The web app connects to MySQL with a dedicated user that has only DML rights — no schema or admin permissions.

Report a vulnerability: info@matendohealth.com.