Security architecture
Security evidence, on the record.
Moirai keeps clinical AI governance records isolated, encrypted, exportable, and verifiable. The security story is not a badge wall. It is a chain of custody a buyer can inspect.
Primary dataSydney AU
Practice scopeRLS enforced
Evidence custodyHash logged
PHI policyProhibited
Control plane
Active layer
Every record is filtered twice.
Follow-Up Evidence Pack
source record
evidence hash
reviewer mark
export ledger
Proof
RLS enforced
Ref
scope:practice
Application permission checks derive the practice from the authenticated profile, then database RLS enforces the same boundary at table level.
Current postureCertification limits stated
The useful version of trust is specific.
Security pages fail when they only say the safe words. This surface states what exists, what is prohibited, what is independently certified by vendors, and what Moirai has not yet completed.
policy boundary
PHI prohibited
records
metadata only
buyer path
DPA + room
IsolationPractice-scoped
Authenticated reads and writes are scoped through Supabase session cookies, server-side permission checks, and Row Level Security policies.
CustodyExport logged
Full exports and entity exports require audit permissions, are rate-limited, and append reviewer-visible activity events.
PHI boundaryProduct policy
Moirai is designed for governance metadata. PHI is prohibited and evidence uploads include conservative review flags.
CertificationRoadmap
Moirai does not yet hold SOC 2 or ISO 27001 certification. Current posture, limits, and planned assurance work are published in the Evidence Room.
Control map
Four layers buyers actually ask about.
The architecture reads from identity to public verification. Each layer exists because clinical governance records are sensitive even when they contain no patient data.
01
Identity and session
Supabase Auth issues httpOnly cookies. Protected routes refresh sessions through middleware before page or API access.
Cookie-based sessionsNo public service-role keysAPI 401 JSON boundary
02
Practice isolation
Application permissions derive the practice from the authenticated profile. Database RLS remains the second lock, not the only lock.
RBAC checked server-sidePractice-scoped RLSNo client-trusted role
03
Evidence custody
Uploads are validated for type, size, integrity hash, and PHI-risk signals before they can contribute to a Follow-Up Evidence Pack.
MIME and size validationSHA-256 file hashPHI review state
04
Public verification
The verifier exposes only PHI-excluding metadata for hashes, report IDs, and evidence events.
Zod validation firstRate-limited lookupExplicit safe fields
Data boundary
Governance data only.
Moirai is designed for governance metadata: AI tools, owners, approvals, evidence references, policies, reviews, and exports. Patient-identifiable health information is outside product policy.
PHI prohibited by product policyGovernance metadata only
Policy referenceSEC-REF-2026docs/SECURITY.md01Practice userAuth session
02Server guardPermission check
03RLS policyPractice scope
04File exportActivity logged
Sub-processors
The vendor layer is not hidden.
Due diligence should not require email archaeology. The review path links the DPA, security limits, and public verifier.
| Provider | Purpose | Location | Assurance |
|---|---|---|---|
 Supabase | Database, authentication, storage | Sydney, AU (ap-southeast-2) | SOC 2 Type IIHIPAA |
 Vercel | Hosting, edge, serverless functions | Sydney PoP, global edge | SOC 2 Type IIISO 27001 |
 Stripe | Payments and billing | US / EU | PCI DSS Level 1SOC 2 |
Sentry | Error monitoring, performance telemetry | US | SOC 2 Type IIGDPR |
PostHog | Product analytics, feature flags | EU | SOC 2 Type IIGDPR |
Resend | Transactional email delivery | US | SOC 2 Type II |
Loops | Lifecycle email and user communications | US | DPA listed |
 Anthropic | Governance content generation (no patient data sent) | US | SOC 2 Type II |
External references
Mapped means mapped.
These are evidence mapping references and certification roadmap items. They are not claims of regulator approval, clinical validation, or third-party certification.
Australian Privacy Act 1988mapped
OAIC APP Guidelinesmapped
RANZCR Chapter 9mapped
TGA medical-device software guidancemapped
SOC 2 Type IIroadmap
ISO 27001roadmap
Responsible disclosure.
Found a vulnerability? Email the security team directly. We take reports seriously and respond through the incident-response path.
Due diligence
Bring the evidence to procurement.
Open the Evidence Room for current posture, certification limits, sub-processors, documents, DPA, and public verification.