Your patients’ data, audited & encrypted.
Toothmatrix is built for clinical labs that take security seriously. We publish our compliance posture, sub-processor list, encryption attestation, and a 1-click CISO-grade audit pack — generated live from production.
Who you’re trusting
Where we stand.
We mark each framework honestly: compliant, controls implemented, or aligned. We never claim a certification we don’t hold.
The vendors we use.
Updated quarterly. We give 30 days’ written notice before adding a new sub-processor.
| Vendor | Purpose | Data classes | Location |
|---|---|---|---|
| MongoDB Atlas | Primary application database | case data, user identifiers, audit logs | Multi-region (configurable) |
| Stripe, Inc. | Credit-card processing for credit pack top-ups | payment card metadata (PCI tokens only), billing address | United States / Ireland |
| Google (Gmail SMTP) | Outbound transactional email (magic-link, invoices) | recipient email, case metadata | United States |
| Twilio Inc. | SMS + WhatsApp lab-alert notifications (optional) | phone number, case status updates | United States / EU |
| Emergent Cloud | Application hosting + Kubernetes runtime | all application data (encrypted at rest) | Multi-region |
| Cloudflare, Inc. | DNS, DDoS protection, CDN | IP address (24-hour retention) | Global edge |
TLS 1.2+ in transit · AES-256 at rest · HSTS preloaded · bcrypt-12 for credentials.
Every database query is row-level filtered by tenant_id. Cross-tenant reads are physically blocked at the data layer.
Every administrative action is hash-chained (SHA-256). Modifying any row invalidates every entry that follows it.
Need the full audit pack?
Tenant-admins can download a CISO-grade PDF with hash-chain verification, SBOM, access-control review, and encryption attestation — one click from your admin console.
