Encryption
Every byte of data moving between your browser, your patients, and our servers travels over TLS 1.2+ — no exceptions. At rest, the database uses transparent encryption, and sensitive columns — OpenDental API keys, patient names, phone numbers, email addresses, dates of birth, and call summaries — are additionally encrypted at the column level using AES-256-GCM. Keys live in Vercel and Railway environment variables, never in the database.
If our database were ever exfiltrated, the most sensitive fields would still be encrypted at the column level, so nothing readable would be lost from those fields.
Conversation transcripts themselves are kept readable so you can review exactly what was said on any call or chat — but the sensitive identifiers tied to them (names, phone numbers, email addresses, dates of birth, and call summaries) are encrypted at the column level as described above.
Row-Level Security (RLS)
Every table that holds practice data has Supabase RLS policies attached. These are enforced by the database itself, not by application code, so even an application bug couldn't cross-leak data between practices.
Without RLS, application code decides who can read what, and a bug or compromised dependency could in principle expose another practice's data.
Audit log
Every meaningful action is recorded in an append-only audit log: settings changes, account deletions, OpenDental connection changes, plan changes, voice calls answered, bookings created. Each entry includes timestamp, actor, IP, and a hash of the relevant payload.
You can request a full audit log export for compliance reviews — email support.
Webhook signature verification
Every inbound webhook from Twilio (voice) and Stripe (billing) is signature-verified before any action is taken. Forged or replayed requests are rejected at the edge.
This prevents an attacker who somehow learned your Salva phone number from injecting fake "calls" into your dashboard.
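The check described above, as an added example that is not Salva's own code: it verifies a webhook using the signed-timestamp scheme Stripe documents (HMAC-SHA256 over `timestamp.body`) and rejects both forged and replayed requests. The secret, payload, and 300-second window are constructed or assumed values; Twilio signs its requests with a different construction that this block does not cover.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const TOLERANCE_SECONDS = 300; // assumed replay window, not taken from the page

// Hex HMAC-SHA256 over "<timestamp>.<raw body>", keyed with the endpoint secret.
function sign(secret, timestamp, rawBody) {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// Returns { ok: true } or { ok: false, reason }. Must run on the raw request
// body, before any JSON parsing or side effects.
function verifyWebhook(header, rawBody, secret, nowSeconds) {
  // Header format: "t=<unix seconds>,v1=<hex hmac>[,v1=<hex hmac>...]"
  const parts = String(header || "").split(",").map((p) => p.trim().split("="));
  const timestamp = (parts.find(([k]) => k === "t") || [])[1] || "";
  const candidates = parts.filter(([k]) => k === "v1").map(([, v]) => v || "");
  if (!/^\d+$/.test(timestamp) || candidates.length === 0) {
    return { ok: false, reason: "malformed-header" };
  }
  // Check the MAC first so an unauthenticated timestamp is never trusted.
  const expected = Buffer.from(sign(secret, timestamp, rawBody), "hex");
  const match = candidates.some((c) => {
    const got = Buffer.from(c, "hex");
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
  if (!match) return { ok: false, reason: "bad-signature" };
  // A valid signature with an old timestamp is a replay of a captured request.
  if (Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale-timestamp" };
  }
  return { ok: true };
}

// Constructed sample values, not real credentials or events.
const SECRET = "whsec_constructed_example_only";
const BODY = '{"id":"evt_constructed","type":"invoice.paid"}';
const T0 = 1750000000;
const GOOD_HEADER = `t=${T0},v1=${sign(SECRET, T0, BODY)}`;
```

Because the timestamp is part of the signed string, an attacker cannot refresh it on a captured request without invalidating the MAC.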
Rate limiting
All public-facing endpoints (chat API, widget loader, webhook receivers) are rate-limited per IP and per practice via Upstash Redis. Brute-force scraping and high-volume abuse get throttled automatically; legitimate traffic is never affected.
U.S.-only data residency
Database, voice infrastructure, AI providers — everything Salva uses runs on U.S. endpoints. No PHI ever leaves the U.S. for processing. The full list of subprocessors is on the privacy policy.
Account deletion
Cancellation triggers a soft delete; data is retained for 30 days in case you reactivate. After that, all PHI is hard-deleted from the primary database and purged from backups on a rolling 90-day window. The audit trail of the deletion itself is retained per HIPAA's six-year audit requirement.
What you can do on your side
Practice-side security controls multiply ours:
- Use a unique, strong password and enable Clerk MFA on your account
- Lock down your chat widget allowlist to only your real domain(s)
- Limit which staff have admin access in your dashboard
- Sign a BAA — see HIPAA and the BAA
Security is a stack, not a single feature. We build the bottom; you operate the top.
Published May 25, 2026 · Updated June 16, 2026