shopdental.ai

Security

The security posture for healthcare-adjacent infrastructure.

We treat your supplier accounts and your spend data like a hospital treats a chart — encrypted, scoped, and audited.

Encryption everywhere

AES-256 at rest, TLS 1.3 in transit. Database, object storage, and inter-service calls are all encrypted by default. Backups are encrypted with a separate key.

No supplier passwords stored

You never share your Henry Schein, Patterson, or Benco passwords with us. We act as the buyer of record at each supplier, place the order, and pass the goods through to you.

HIPAA-ready architecture

Even though dental supplies aren’t PHI, we’ve built like the next module is. BAA-eligible infrastructure, audit logging, access controls, and tenant isolation enforced top-to-bottom.

Tenant isolation by default

Every row carries an org_id. Application code enforces it; Postgres row-level security is the second line of defense; network policies are the third.
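
A sketch of the second line of defense described above, as an added example and not shopdental.ai's own schema: a Postgres row-level security policy keyed on org_id. The table, the app_user role and the app.current_org_id setting are assumed names, and the rows are constructed sample data.

```sql
-- Added example. Table, role and setting names are assumptions; rows are constructed.
CREATE TABLE orders (
    id          bigserial PRIMARY KEY,
    org_id      uuid   NOT NULL,
    supplier    text   NOT NULL,
    total_cents bigint NOT NULL
);

-- Seed two tenants before the policy is switched on.
INSERT INTO orders (org_id, supplier, total_cents) VALUES
    ('aaaaaaaa-0000-0000-0000-000000000001', 'sample supplier', 12500),
    ('bbbbbbbb-0000-0000-0000-000000000002', 'sample supplier', 48000);

-- The application runs as a role with no superuser or BYPASSRLS attribute.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_user;
GRANT USAGE ON SEQUENCE orders_id_seq TO app_user;

ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well.
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- USING filters reads, updates and deletes; WITH CHECK rejects writes into another org.
-- An unset or empty setting yields NULL, so the comparison is never true (fails closed).
CREATE POLICY tenant_isolation ON orders
    USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- Per request: bind the tenant for this transaction only.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org_id', 'aaaaaaaa-0000-0000-0000-000000000001', true);

-- No WHERE org_id clause here: the policy still hides the other tenant's row.
SELECT org_id, supplier, total_cents FROM orders;

-- A write that names another org violates WITH CHECK and raises an error.
INSERT INTO orders (org_id, supplier, total_cents)
VALUES ('bbbbbbbb-0000-0000-0000-000000000002', 'sample supplier', 100);
ROLLBACK;
```

Passing true as the third argument of set_config scopes the tenant binding to the transaction, which keeps it from carrying over to the next request on a pooled connection.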

Audit logging on day one

Logins, password changes, MFA setups, member invites, and sensitive admin actions are recorded with actor, IP, and request ID. Access is restricted to approved roles.

SOC 2 Type I — in progress (2026)

We are working with our auditor toward SOC 2 Type I in 2026 and Type II thereafter. We can share our security questionnaire and roadmap on request.

Questions, disclosures, and reports

Send vulnerability reports to security@shopdental.ai. We respond to all credible reports within one business day. Security questionnaires and our SOC 2 roadmap are available to evaluating customers under NDA.