HIPAA-safe by design for US/AU practices. DPDP Act 2023-aligned for India. BAA on request. And a tenant-isolation evidence script your IT reviewer can run against our production API.
We don't rely on a single check. Isolation of every tenant-scoped table is enforced at three layers: at the database, at the API, and in a regression test that blocks merge.
Every tenant-scoped table — businesses, reviews, posts, review_requests, audit_events — has RLS policies that restrict every read and write to the caller's authenticated business. A mis-authenticated query returns an empty result set, not another tenant's rows.
Every API route resolves a `{ userId, businessId }` context from the session before touching the database. Missing context returns 401. A write with a mismatched businessId is blocked by RLS at the database layer.
A dedicated test suite asserts that every mutating route chains a .eq('business_id', ctx.businessId) filter. Any PR that removes that filter fails CI before it reaches production.
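As an added illustration (not GrowthPilot's own test suite), this is the shape of a CI guard that enforces the rule above: it scans route source for Supabase query chains, and fails when an `.update()`, `.delete()` or `.upsert()` on one of the five tenant-scoped tables named on this page is not chained with `.eq('business_id', ctx.businessId)`. The route files below are constructed samples; the `runCiGuard` name and the set of mutating methods are assumptions.

```javascript
// Added example, not the project's code: a merge-blocking check that every
// mutating query on a tenant-scoped table carries the business_id filter.
// Table names are taken from the page; everything else is constructed.

const TENANT_SCOPED_TABLES = ['businesses', 'reviews', 'posts', 'review_requests', 'audit_events'];
const MUTATING_METHODS = ['update', 'delete', 'upsert']; // assumed set

// Split a source file into Supabase query chains. A chain starts at
// `.from('<table>')` and runs until the statement ends (`;`, a blank line,
// or end of file).
function extractChains(source) {
  const chains = [];
  const re = /\.from\(\s*['"]([a-z_]+)['"]\s*\)([\s\S]*?)(?=;|\n\s*\n|$)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    chains.push({ table: m[1], body: m[2] });
  }
  return chains;
}

// One finding per mutating chain on a tenant-scoped table that is not
// scoped to ctx.businessId.
function findUnscopedMutations(source, file = '<inline>') {
  const findings = [];
  for (const { table, body } of extractChains(source)) {
    if (!TENANT_SCOPED_TABLES.includes(table)) continue;
    const mutates = MUTATING_METHODS.some((m) => new RegExp(`\\.${m}\\s*\\(`).test(body));
    if (!mutates) continue; // reads are covered by RLS; this guard is about writes
    const scoped = /\.eq\(\s*['"]business_id['"]\s*,\s*ctx\.businessId\s*\)/.test(body);
    if (!scoped) findings.push({ file, table });
  }
  return findings;
}

// CI entry point: 0 when every mutation is scoped, 1 otherwise.
function runCiGuard(files) {
  const findings = Object.entries(files).flatMap(([path, src]) => findUnscopedMutations(src, path));
  for (const f of findings) {
    console.error(`${f.file}: mutation on '${f.table}' is not scoped to ctx.businessId`);
  }
  return findings.length === 0 ? 0 : 1;
}

// Constructed route sources (not real project files).
const GOOD_ROUTE = `
export async function PATCH(req, ctx) {
  const { error } = await supabase
    .from('reviews')
    .update({ reply_draft: body.reply })
    .eq('id', body.id)
    .eq('business_id', ctx.businessId);
  return error ? json(500) : json(204);
}
`;

const BAD_ROUTE = `
export async function DELETE(req, ctx) {
  // tenant filter missing: RLS still protects the row, but CI must flag it
  const { error } = await supabase
    .from('posts')
    .delete()
    .eq('id', body.id);
  return error ? json(500) : json(204);
}
`;

const READ_ROUTE = `
export async function GET(req, ctx) {
  const { data } = await supabase.from('reviews').select('*').eq('business_id', ctx.businessId);
  return json(200, data);
}
`;
```

In a pipeline the guard would be fed the real route files (`fs.readFileSync` over `app/api/**`) and its return value used as the process exit code. The text match is deliberately simple so the rule is readable in review; a production version would do the same check on the parsed AST (for example as a custom lint rule) so that formatting changes or aliased clients cannot slip past it.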
We publish the same evidence script we run before every release. Your security reviewer can run it against our production API without any access to our codebase.
```shell
# What it does:
# 1. Creates two throwaway tenants (A and B)
# 2. Seeds one row in every tenant-scoped table for tenant B
# 3. Signs in as A and attempts three cross-tenant attack shapes
# 4. Verifies every attempt returns zero rows
cd base-app
node scripts/tenant-isolation-evidence.mjs
# Exit code 0 = passed. Exit code 1 = leak detected.
```
Source: docs/SECURITY.md — public, reviewable, versioned.
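To make the RLS claim above and the four steps of the evidence script concrete, here is an added example that is not `scripts/tenant-isolation-evidence.mjs` and not GrowthPilot's code. It runs the same seed-then-read procedure against an in-memory stand-in for a Postgres table whose policy is the one described on this page (a row is visible only when its `business_id` equals the caller's authenticated business), and reports with the same exit-code convention. The five table names are from the page; the tenant ids, row contents, the three read shapes and the `enforceRls` switch (which shows what the script reports when a table is left without a policy) are assumptions.

```javascript
// Added example, not the project's evidence script: the tenant-isolation
// check run against an in-memory model of RLS. Table names come from the
// page; tenant ids, rows and read shapes are constructed.

const TENANT_SCOPED_TABLES = ['businesses', 'reviews', 'posts', 'review_requests', 'audit_events'];

// Stand-in for a Postgres table. With enforceRls=true every select is
// evaluated as `USING (business_id = <caller's business>)`, which is the
// policy behaviour the page describes; enforceRls=false models a table on
// which the policy was never created.
class RlsTable {
  constructor(enforceRls) {
    this.enforceRls = enforceRls;
    this.rows = [];
  }
  insert(row) {
    this.rows.push(row);
  }
  // `callerBusinessId` plays the role of the authenticated session's business.
  select(callerBusinessId, filter = {}) {
    return this.rows
      .filter((r) => !this.enforceRls || r.business_id === callerBusinessId)
      .filter((r) => Object.entries(filter).every(([k, v]) => r[k] === v));
  }
}

// Step 2: one row per tenant-scoped table for the given tenant.
function seedTenant(db, businessId) {
  const ids = {};
  for (const table of TENANT_SCOPED_TABLES) {
    const id = `${table}-${businessId}-1`;
    db[table].insert({ id, business_id: businessId, note: `constructed seed for ${businessId}` });
    ids[table] = id;
  }
  return ids;
}

// Step 3: the reads tenant A attempts against tenant B's rows. The page says
// "three cross-tenant attack shapes" without naming them; these three are
// assumed. Each must return zero rows.
function crossTenantReads(db, callerBusinessId, victimBusinessId, victimIds) {
  const attempts = [];
  for (const table of TENANT_SCOPED_TABLES) {
    const list = db[table].select(callerBusinessId).filter((r) => r.business_id === victimBusinessId);
    attempts.push({ table, shape: 'unfiltered-list', leaked: list.length });
    const byBusiness = db[table].select(callerBusinessId, { business_id: victimBusinessId });
    attempts.push({ table, shape: 'filter-business_id', leaked: byBusiness.length });
    const byId = db[table].select(callerBusinessId, { id: victimIds[table] });
    attempts.push({ table, shape: 'by-primary-key', leaked: byId.length });
  }
  return attempts;
}

// Steps 1 and 4: create tenants A and B, seed, read as A, report.
function runEvidence({ enforceRls = true } = {}) {
  const db = Object.fromEntries(TENANT_SCOPED_TABLES.map((t) => [t, new RlsTable(enforceRls)]));
  const A = 'tenant-a';
  const B = 'tenant-b';
  seedTenant(db, A); // A's own data, to show the policy does not hide it from A
  const bIds = seedTenant(db, B);
  const attempts = crossTenantReads(db, A, B, bIds);
  const leaks = attempts.filter((a) => a.leaked > 0);
  // A must still see exactly its own row in each table.
  const selfVisible = TENANT_SCOPED_TABLES.every((t) => db[t].select(A).length === 1);
  return { attempts, leaks, selfVisible, exitCode: leaks.length === 0 ? 0 : 1 };
}
```

Against the real API the same loop would sign in as tenant A and issue the three reads over HTTP; the model here exists only to show why a missing policy is caught: with `enforceRls: false` every one of the fifteen attempts (five tables times three shapes) leaks one row and the run exits 1, while with the policy in place all fifteen return zero rows and A continues to see its own data.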
We don't pretend to be a hyperscaler. We use a small set of audited third parties and tell you exactly what each one touches.
| Provider | What it processes | Region |
|---|---|---|
| Supabase | Postgres database + auth (RLS-enforced multi-tenant) | AWS US-East-1 |
| OpenAI | AI review-reply drafting (text only, no PHI) | OpenAI US |
| Stripe | Subscription billing + invoicing | Stripe US |
| Resend | Transactional email (signup, SLA alerts) | AWS US-East-1 |
| Twilio | WhatsApp + SMS patient messaging (opt-in only) | Twilio US/IN |
| Cloudflare | Edge hosting, DNS, WAF | Global edge |
You can export every review, post, response, and audit event as CSV/JSON from your dashboard at any time. We commit to 90 days of read-only access for export if we wind down. Stripe + Supabase will continue to provide billing/data infrastructure independently.
GrowthPilot is built HIPAA-safe by design — AI replies never confirm patient identity or quote treatment details, audit logs track every data touch, and a Business Associate Agreement (BAA) is available on request for US dental practices on the Growth or Multi-clinic tier.
The /india product is DPDP-aligned: data minimisation in AI prompts, explicit patient consent flows for WhatsApp follow-ups, and a data-deletion API on patient request. Indian clinic data is stored in the same Supabase Postgres but tenant-isolated by RLS.
Yes — we publish an evidence script (Node.js, ~150 lines) that creates two throwaway tenants, attempts every cross-tenant read shape, and reports whether any leaked. Exit code 0 = passed. Your reviewer runs it against our production API with no access to our codebase.
Only authorized users at your clinic. Reviews are scoped to your business_id via Postgres Row-Level Security at the database layer — a mis-authenticated query returns zero rows, not other tenants' data.
Only the public review text and your brand voice settings — never names, contact details, treatment records, or PHI. Each AI draft is generated stateless; we do not train any models on your data.
Email trust@granitereply.com with the security questionnaire — typical turnaround is 48 hours.
Start a 14-day trial