Security
Credential data is sensitive. We treat it that way.
Your license number, DEA registration, NPI, and the documents that back them up are the kind of identifiers bad actors actively want. Larch’s job is to make tracking easier without creating a new place for that data to leak. This page sets out the architectural commitments behind that — written plainly and updated as we evolve.
Last updated 2026-05-05. Questions or concerns: security@larchhealth.com.
Architecture
What protects your data.
Encryption at rest and in transit
All data is encrypted at rest using AES-256 in our managed Postgres database and object store. All connections use TLS 1.3 from your browser to our edge and from our edge to the database. No credential value travels or rests in plaintext.
Row-level security on every table
Every table in the credential database carries Postgres row-level security policies. The application layer cannot accidentally serve credential A to clinician B — the database itself refuses the read. RLS is the floor, not the ceiling.
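What "the database itself refuses the read" looks like in practice, as an added Postgres illustration (not Larch’s schema or policy text): the table, column names, role name and the per-request session variable app.user_id are all assumptions.

```sql
-- Added illustration of per-row ownership enforced by Postgres RLS.
-- The table, the owner_id column, the role app_user and the session
-- variable app.user_id are assumed names, not Larch's real schema.
CREATE TABLE credentials (
    id        uuid  PRIMARY KEY DEFAULT gen_random_uuid(),
    owner_id  uuid  NOT NULL,   -- the clinician this row belongs to
    kind      text  NOT NULL,   -- e.g. 'license', 'dea', 'npi'
    value_enc bytea NOT NULL    -- ciphertext only; never the plaintext number
);

-- Enable RLS, and FORCE it so even the table owner is subject to policies.
ALTER TABLE credentials ENABLE ROW LEVEL SECURITY;
ALTER TABLE credentials FORCE ROW LEVEL SECURITY;

-- One policy for SELECT/INSERT/UPDATE/DELETE: a row is visible or writable
-- only when owner_id equals the identity the application binds per request
-- with SET LOCAL app.user_id = '<uuid>'.  current_setting(..., true) yields
-- NULL instead of an error when the variable is unset, and NULLIF guards the
-- empty-string case, so a request that forgot to bind an identity sees nothing.
CREATE POLICY owner_only ON credentials
    FOR ALL
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- The application connects as a role that cannot bypass RLS and is not
-- the table owner; the policy above is then the only path to the rows.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON credentials TO app_user;

-- Check: run as a member of app_user.  Only rows whose owner_id matches the
-- bound identity come back; with no identity bound, the result is empty.
BEGIN;
SET ROLE app_user;
SET LOCAL app.user_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample id
SELECT id, kind FROM credentials;
RESET ROLE;
COMMIT;
```

A useful companion check is `SELECT rolname FROM pg_roles WHERE rolbypassrls OR rolsuper;` against the production database, to confirm the application role is not on that list.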
Signed-URL access to documents
Files in the document vault are never served via public links. Every download generates a short-lived signed URL scoped to the requesting user. The URL expires before it could be useful to anyone else who saw it.
Audit log on every read and write
Create, read, update, and delete events on credential data are written to an audit log with timestamp, actor, IP, and the credential touched. If you ever need to prove who did what when — to a board, to counsel, to yourself — the log is the source of truth.
Plaintext credential numbers stay out of logs
License numbers, DEA registrations, and NPI values never appear in our application logs or error reporting in plaintext. Server logs reference credentials by internal identifier so a log leak isn’t a credential leak.
Least-privilege access internally
Only the engineers who need production access have it, and only via short-lived credentials. Routine product work happens against staging and synthetic data. We do not browse customer credentials for product reasons.
The promise
Five things we will not do.
- We never sell credential data. Not to pharma, insurance carriers, recruiters, or lead-gen brokers.
- We never share credential data with partners unless you explicitly opt into a partner offer.
- Your data is yours. Export everything as a single archive any time.
- Delete your account and your credential data goes with it (we keep audit-log entries we’re legally required to retain, scrubbed of identifying detail).
- We will tell you about a security incident affecting your data — honestly and quickly, regardless of legal floor.
Subprocessors
Who else touches your data.
A short list, kept honest. Each vendor below is bound by Larch’s terms; HIPAA-eligible vendors carry signed BAAs where applicable.
| Vendor | Purpose | Region | BAA |
|---|---|---|---|
| Supabase | Managed Postgres + object storage | US-East | Yes (Pro tier) |
| Vercel | Application hosting + CDN | Global edge | On request |
| Resend | Transactional email (alerts, verification) | US | On request |
| Sentry | Error monitoring (PHI scrubbed before send) | US | Pro tier |
| Stripe | Future paid-tier billing (none charged today) | US | N/A |
Last updated 2026-05-05. Material changes to this list are communicated to active customers in advance.
Compliance
What we are. What we’re not, yet.
In place
- HIPAA-eligible cloud infrastructure
- BAA available on request for covered entities
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Audit log retention per legal floor
On the roadmap
- SOC 2 Type II audit (planned, not yet completed)
- External penetration test (planned)
- Public bug bounty program
- Two-factor authentication (rolling out)
Honest disclosure. We’d rather tell you what we haven’t done than imply we have.
See the BAA page for our Business Associate Agreement posture, or the privacy policy for the full data-handling description.
Incident response
If something goes wrong, you’ll hear it from us first.
Our incident posture is honest, fast, and direct. If we discover a security incident affecting your credential data, we investigate, contain, and notify affected customers in plain language — not when HIPAA’s 60-day floor expires, but as soon as we know what happened. The notice tells you what we know, what we don’t, and what we’re doing about it. Larch is a small, working-clinician operation; we will not hide behind a press release.
Found something?
Tell us. We mean it.
Researchers, customers, and curious clinicians: if you find a security issue, please email security@larchhealth.com with what you found and how to reproduce it. We commit to a first response within 48 hours and a substantive update within 7 days. We won’t pursue good-faith research that respects user data.
The basics shouldn’t cost extra. Neither should knowing they’re safe.
Free forever for credential tracking. Encrypted, audit-logged, BAA-eligible from day one.