Trust

Security

Oralstack handles dental clinic records. Security is part of how the product is built — not a checkbox at the end. This page describes our current posture honestly. Where we are working toward a control rather than already meeting it, we say so.

  • Tenant isolation

    Every clinic record is tagged with a tenant ID at the database row level. Postgres Row-Level Security policies enforce isolation in the database, not just the application — a missing tenant filter in code cannot cross clinics.

  • Audit log by default

    Reads and writes against patient data are written to an append-only audit log: who, what, when, from where. The log is queryable by clinic admins.

  • Multi-factor authentication

    MFA is required for all user accounts, with TOTP support out of the box. Recovery flows route through a verified channel.

  • Regional hosting

    Production is hosted in Singapore (asia-southeast1) on Google Cloud. Patient data does not leave the region without explicit consent.

  • Compliance posture

    The data model is designed with Singapore PDPA and HIPAA Privacy/Security Rule requirements in mind. We are not yet HIPAA-certified or SOC 2-attested; both are on the 2026 roadmap. A Business Associate Agreement is available for clinics that require one.

  • Backups and recovery

    Daily encrypted backups, point-in-time recovery, and integrity-verified restore drills run on a fixed cadence.
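One way to implement the database-enforced tenant isolation described under "Tenant isolation" above, as an added example that is not Oralstack's own schema or code; the table, column, role and session-setting names are assumptions:

```sql
-- Added example (not Oralstack's schema): per-tenant isolation enforced by
-- Postgres Row-Level Security, so a query that omits the tenant filter
-- still cannot read or write another clinic's rows.
-- Names below (patient_record, tenant_id, app_rw, app.tenant_id) are assumed.

CREATE TABLE patient_record (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid  NOT NULL,
    payload    jsonb NOT NULL
);

-- The application connects as a role that does not own the table and is
-- not a superuser; superusers and BYPASSRLS roles always skip RLS.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON patient_record TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE patient_record_id_seq TO app_rw;

ALTER TABLE patient_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_record FORCE  ROW LEVEL SECURITY;  -- owner is bound too

-- The policy takes the tenant from a per-session setting that the app sets
-- right after authenticating the request. current_setting(..., true) yields
-- NULL when the setting was never defined, and NULLIF covers the empty
-- string left behind after a SET LOCAL ends; either way a connection that
-- forgot to set the tenant sees zero rows rather than every row.
CREATE POLICY tenant_isolation ON patient_record
    AS PERMISSIVE FOR ALL TO app_rw
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, inside a transaction, so the setting cannot leak to the next
-- request served by the same pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id

-- No WHERE tenant_id = ... in the query, yet only this clinic's rows return.
SELECT id, payload FROM patient_record;

-- Writing a row tagged with a different clinic is rejected by WITH CHECK:
-- ERROR: new row violates row-level security policy for table "patient_record"
INSERT INTO patient_record (tenant_id, payload)
VALUES ('22222222-2222-2222-2222-222222222222', '{}');
COMMIT;
```

A useful periodic check is to run the SELECT above as the application role with no tenant setting at all and confirm it returns zero rows.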

Reporting a vulnerability

We acknowledge vulnerability reports within 2 working days and confirm a fix or mitigation timeline within 7.