Security

Our Intent

We have two aims with our data security: to be secure and to be transparent.

More specifically, we think you should know the following:

  • We always use TLS for transport encryption.
  • We only persist data within the AWS London region.
  • We minimise the data that we process and persist to what is necessary to provide the service, for the duration necessary. This includes the OAuth tokens for users who sign into the website, the Cliniko API key and the OAuth tokens for Xero connectivity. We also store the Xero and Cliniko practice names and subdomains, so you can visibly check we have the right connections.
  • We persist our process logs for 7 days to enable developers to debug any issues. This is limited to pseudonymised IDs (Cliniko appointment and practitioner, Xero Contact), server HTTP response codes, developer debugging statements and the response body of requests only when an error code is returned.
  • Our processing is "serverless" so compute is ephemeral, meaning there isn't a server continually holding data in memory.
  • Our frontend is hosted on Netlify, which only holds the website and no customer data. We monitor it for compromise using cryptographic hashes.
  • All JSON Web Tokens (website sign-in and Xero OAuth) have their cryptographic signatures, expiry and audience verified on every request.
  • If you have any questions about this, or spot anything you believe is missing or could be improved, please get in touch with security@bridge31.com.