Trust

Security & compliance.

Oralstack handles dental clinic records. Security is part of how the product is built — not a checkbox at the end. This page describes our current posture honestly. Where we are working toward a control rather than already meeting it, we say so. Reviewed quarterly; last reviewed 28 April 2026.

Where data lives

Region-hosted, tenant-isolated, encrypted end-to-end.

  • Region hosting · Singapore

    Production runs in Google Cloud's asia-southeast1 region (Singapore). Patient data does not leave the region without explicit consent. The marketing site is on Cloudflare Pages with the same APAC-first edge profile.

  • Tenant isolation · row-level

    Every clinic record is tagged with a tenant ID at the database row level. Postgres Row-Level Security policies enforce isolation in the database, not just the application — a query that omits the tenant filter in application code still cannot reach another clinic's rows.

  • Encryption · in transit and at rest

    TLS 1.3 in transit; AES-256 at rest for database, backups, and uploaded imaging. Sensor-bridge integration uses the OS-level secure channel; no patient data is written to local disk.
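
The row-level tenant isolation described above, sketched as an added example (not Oralstack's schema or code). The table `patient_record`, the role `app_user`, the setting `app.tenant_id` and the UUIDs are hypothetical names and constructed values; the script assumes it is run by a superuser in a scratch database.

```sql
-- Hypothetical schema: every row carries the clinic (tenant) it belongs to.
CREATE TABLE patient_record (
    tenant_id   uuid NOT NULL,
    patient_ref text NOT NULL,
    PRIMARY KEY (tenant_id, patient_ref)
);

-- ENABLE turns policies on; FORCE also applies them to the table owner,
-- who would otherwise bypass RLS. Superusers and BYPASSRLS roles always
-- bypass it, so the application role must be neither.
ALTER TABLE patient_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_record FORCE ROW LEVEL SECURITY;

-- USING filters rows visible to SELECT/UPDATE/DELETE; WITH CHECK rejects
-- rows written with another tenant's ID. current_setting() raises an error
-- when app.tenant_id is unset, so a request without tenant context fails closed.
CREATE POLICY tenant_isolation ON patient_record
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON patient_record TO app_user;

-- Constructed sample data: one row per clinic, each written in its own context.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = 'aaaaaaaa-0000-0000-0000-000000000001';
INSERT INTO patient_record VALUES ('aaaaaaaa-0000-0000-0000-000000000001', 'P-001');
COMMIT;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = 'bbbbbbbb-0000-0000-0000-000000000002';
INSERT INTO patient_record VALUES ('bbbbbbbb-0000-0000-0000-000000000002', 'P-900');
COMMIT;

-- The "missing tenant filter" case: no WHERE clause, yet only clinic A's row
-- (P-001) comes back. An INSERT here carrying clinic B's tenant_id would fail
-- with: new row violates row-level security policy for table "patient_record".
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = 'aaaaaaaa-0000-0000-0000-000000000001';
SELECT tenant_id, patient_ref FROM patient_record;
COMMIT;
```

When reviewing a deployment of this pattern, check `pg_class.relrowsecurity` and `relforcerowsecurity` for each tenant table and confirm the application's connection role has neither `rolsuper` nor `rolbypassrls` set in `pg_roles`.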

How access is controlled

MFA, role-based access, an audit log engineers cannot disable.

  • Multi-factor authentication

    MFA is required for all user accounts, with TOTP support out of the box. Recovery flows route through a verified channel — never the email address that lost MFA in the first place.

  • Role-based access · least privilege

    Roles are defined per clinic — front desk, hygienist, clinician, owner. The role determines which routes the user can reach and which audit-log entries they can read. SSO via Google Workspace and Microsoft 365 is in production; SingPass is in beta.

  • Audit log · append-only

    Reads and writes against patient data are written to an append-only audit log: who, what, when, from where. The log is queryable by clinic admins. Engineers cannot disable the audit log; entries are retained for 7 years unless a clinic explicitly requests purge.

Backups, recovery, and incidents

Daily backups, tested restores, public status, vulnerability disclosure.

  • Backups · daily, integrity-verified

    Daily encrypted backups with point-in-time recovery. Restore RPO target: 15 minutes. RTO target: 1 hour. Integrity-verified restore drills run on a fixed cadence — not just backups taken, backups tested.

  • Status & uptime

    Live platform status, target uptime, scheduled maintenance, and the incident-response posture live on the status page. Customer admins are notified by email when an incident affects a service their clinic depends on.

  • Vulnerability disclosure

    Report a vulnerability to security@oralstack.com. We acknowledge within 2 working days and confirm a fix or mitigation timeline within 7.

Compliance posture

What's in place today, what's available on request, what's on the roadmap.

  • Live

    Singapore PDPA

    The data model is designed against Singapore PDPA from day one — clinics remain the data controller; Oralstack acts as data intermediary. Tenant-isolated, region-hosted, consent-tracked.

  • Live

    HIPAA Privacy & Security Rule alignment

    The platform is built against HIPAA Privacy/Security Rule requirements (administrative, physical, and technical safeguards). Not yet HIPAA-attested by a third party — that is on the 2026 roadmap.

  • Available

    Business Associate Agreement (BAA)

    A BAA is available for clinics that require one. Contact hello@oralstack.com to request the current draft for legal review before pilot signing.

  • Available

    Data Processing Agreement (DPA)

    A DPA is available for clinics with PDPA, GDPR, or other data-protection-regulation obligations. Includes the controller/processor role model, subprocessor list, and SCC reference where applicable.

  • Roadmap

    SOC 2 Type II

    Targeted for the second half of 2026. We're tracking the controls today, with third-party auditor selection in Q3.

  • Roadmap

    HIPAA third-party attestation

    Targeted alongside the SOC 2 audit — a single audit window covering both frameworks where the controls overlap.

We don't claim certifications we haven't earned. The roadmap items above are tracked transparently and updated on this page.

Security questionnaire or controls walkthrough?

Procurement teams can request a completed security questionnaire (CAIQ-Lite or your own template) and a 30-minute controls walkthrough with the engineer who runs the infrastructure. Expect a first response within two working days.