Security & Trust
Last reviewed: 23 April 2026
CredsTrack stores credential data for US nurses and the staffing agencies that contract with them. The controls below describe how we protect that data. We document them in plain language so you can evaluate us against your own compliance requirements.
HIPAA posture
CredsTrack is HIPAA-adjacent: nurse credentials are not PHI by themselves, but they travel with identifying information. We apply the §164.312 technical safeguards throughout: per-user access controls, audit logs, encryption at rest, and transmission security. A Business Associate Agreement (BAA) is available to Scale and Enterprise customers on request.
Encryption
Data at rest: Supabase Postgres with AES-256 column-level and disk encryption. License numbers are stored in a separate encrypted column (credential_number_enc) keyed by a service secret.
Data in transit: TLS 1.2 minimum for every connection. HTTP Strict Transport Security (HSTS) preload enabled with a two-year max-age.
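To make the data-at-rest statement concrete, here is an added TypeScript sketch of application-side column encryption for a field like credential_number_enc. It is illustrative only, not CredsTrack's implementation (the page does not say how the column is encrypted), and it assumes three things that are not on the page: the key is derived from the service secret with HKDF so one purpose-bound key exists per column, the cipher is AES-256-GCM, and the row identifier is bound in as associated data. The last point is what the prose alone does not show: with an authenticated cipher, a value that is edited in place or copied into another nurse's row fails to decrypt instead of silently yielding a wrong license number.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, hkdfSync } from "node:crypto";

// Illustrative column encryption (not CredsTrack's code). Stored format, an
// assumption for this example: base64(iv || gcm_tag || ciphertext).
const KEY_LENGTH = 32; // AES-256
const IV_LENGTH = 12;  // 96-bit GCM nonce
const TAG_LENGTH = 16; // 128-bit GCM authentication tag

// Derive a per-column key so the raw service secret never feeds the cipher directly.
function deriveColumnKey(serviceSecret: Buffer, column: string): Buffer {
  const info = `credstrack-example:${column}`; // hypothetical label, binds key to column
  return Buffer.from(hkdfSync("sha256", serviceSecret, Buffer.alloc(0), info, KEY_LENGTH));
}

function encryptColumnValue(plaintext: string, key: Buffer, recordId: string): string {
  const iv = randomBytes(IV_LENGTH); // fresh nonce per value; never reuse with the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  // The row id as AAD: a ciphertext moved to another row will not authenticate.
  cipher.setAAD(Buffer.from(recordId, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ciphertext]).toString("base64");
}

function decryptColumnValue(stored: string, key: Buffer, recordId: string): string {
  const blob = Buffer.from(stored, "base64");
  if (blob.length < IV_LENGTH + TAG_LENGTH) throw new Error("stored value too short");
  const iv = blob.subarray(0, IV_LENGTH);
  const tag = blob.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
  const ciphertext = blob.subarray(IV_LENGTH + TAG_LENGTH);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(Buffer.from(recordId, "utf8"));
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify (tampered bytes or wrong row id).
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

// Convenience wrapper: treat any authentication failure as "no value".
function decryptOrNull(stored: string, key: Buffer, recordId: string): string | null {
  try {
    return decryptColumnValue(stored, key, recordId);
  } catch {
    return null;
  }
}

// Constructed placeholder secret for the demo only. In a deployment the secret
// would come from the environment (e.g. process.env.CREDENTIAL_COLUMN_SECRET).
const SAMPLE_SERVICE_SECRET = Buffer.alloc(32, 0x42);

// Round trip plus the two failure modes GCM catches for us.
function demoRoundTrip(): { recovered: string | null; crossRowRejected: boolean; tamperedRejected: boolean } {
  const key = deriveColumnKey(SAMPLE_SERVICE_SECRET, "credential_number_enc");
  const stored = encryptColumnValue("RN123456", key, "nurse-row-1"); // constructed sample license number
  const recovered = decryptOrNull(stored, key, "nurse-row-1");
  const crossRowRejected = decryptOrNull(stored, key, "nurse-row-2") === null;
  const blob = Buffer.from(stored, "base64");
  blob[blob.length - 1] ^= 0x01; // flip one ciphertext bit
  const tamperedRejected = decryptOrNull(blob.toString("base64"), key, "nurse-row-1") === null;
  return { recovered, crossRowRejected, tamperedRejected };
}
```

The per-column HKDF step means a leak of one derived key does not expose other encrypted columns, and rotating the service secret is a matter of re-deriving and re-encrypting rather than touching the cipher code.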
Authentication & RBAC
Agency-side roles: admin / manager / viewer, enforced by row-level security (RLS) policies at the database layer, so a tampered client cannot bypass them. API keys are verified by a constant-time comparison of SHA-256 hashes; each key carries an expiry and its own rate limit.
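The API-key sentence above compresses several decisions into one clause, so here is an added TypeScript example of the verification path. It is not CredsTrack's code; the token format `ct_<keyId>_<secret>` and the record shape are assumptions made for the example. The point it shows: only the SHA-256 hash of the secret is stored, the presented secret is hashed and compared with `timingSafeEqual` (both sides are always 32 bytes, so the comparison never leaks length or prefix information), and expiry is checked only after the secret matches. Plain SHA-256 is adequate here because the secret is 256 bits of randomness, unlike a user password, which would need a deliberately slow hash. The per-key rate limit is left to the limiter shown under Rate limiting.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// What the database keeps for one API key (example shape, not CredsTrack's schema).
interface ApiKeyRecord {
  keyId: string;      // public identifier; safe to log and to use as a rate-limit subject
  secretHash: Buffer; // SHA-256(secret), 32 bytes; the secret itself is never stored
  expiresAt: number;  // Unix time in ms
}

type VerifyResult = "ok" | "malformed" | "unknown_key" | "bad_secret" | "expired";

function sha256(input: string): Buffer {
  return createHash("sha256").update(input, "utf8").digest();
}

// Issue a key. The caller shows `token` to the user exactly once and persists `record`.
function issueApiKey(ttlMs: number, now: number = Date.now()): { token: string; record: ApiKeyRecord } {
  const keyId = randomBytes(8).toString("hex");          // 16 hex chars
  const secret = randomBytes(32).toString("base64url");  // 43 chars, 256 bits of entropy
  return {
    token: `ct_${keyId}_${secret}`, // hypothetical format for this example
    record: { keyId, secretHash: sha256(secret), expiresAt: now + ttlMs },
  };
}

function parseToken(token: string): { keyId: string; secret: string } | null {
  const m = /^ct_([0-9a-f]{16})_([A-Za-z0-9_-]{43})$/.exec(token);
  return m ? { keyId: m[1], secret: m[2] } : null;
}

// `lookup` stands in for the database read by key id.
function verifyApiKey(
  token: string,
  lookup: (keyId: string) => ApiKeyRecord | undefined,
  now: number = Date.now(),
): VerifyResult {
  const parsed = parseToken(token);
  if (!parsed) return "malformed";
  const record = lookup(parsed.keyId);
  // Hash and compare even for an unknown id so the response time does not
  // differ between "id exists" and "id does not exist".
  const expected = record ? record.secretHash : Buffer.alloc(32);
  const matches = timingSafeEqual(sha256(parsed.secret), expected);
  if (!record) return "unknown_key";
  if (!matches) return "bad_secret";
  if (now >= record.expiresAt) return "expired";
  return "ok";
}

// Stand-alone demo: issue a key into an in-memory store and verify it before and after expiry.
function demoVerification(): { fresh: VerifyResult; afterExpiry: VerifyResult } {
  const issued = issueApiKey(60_000, 1_000);
  const store = new Map<string, ApiKeyRecord>([[issued.record.keyId, issued.record]]);
  const lookup = (id: string) => store.get(id);
  return {
    fresh: verifyApiKey(issued.token, lookup, 2_000),
    afterExpiry: verifyApiKey(issued.token, lookup, 61_000),
  };
}
```

Because the key id travels in the clear as part of the token, the database lookup is a plain indexed read and the only secret-dependent operation is the fixed-length hash comparison.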
Audit logs
Every sensitive action (credential creation, team role changes, admin impersonation, data exports) is logged with the acting user, source IP, and timestamp. Logs are retained for six years in line with HIPAA §164.312(b).
Rate limiting
Public and semi-public endpoints (access request, OCR extraction, document upload, billing checkout, inbound webhooks) are rate limited per client IP and return HTTP 429 when a client exceeds its limit.
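An added TypeScript example of the limiter behaviour described here, and of the per-key limit mentioned under Authentication & RBAC: the same sliding-window check works whether the subject is a client IP (public endpoints) or an API key id (authenticated ones). This is not CredsTrack's implementation and makes two assumptions the page does not state: an in-memory store, and the conventional `Retry-After` and `X-RateLimit-Remaining` headers on the response. The in-memory map is fine for reading the logic but not for a serverless deployment such as Vercel, where instances do not share memory; a shared store (Redis or Postgres) would hold the per-subject hit lists instead. For IP-based limiting the subject must come from the address the platform sets, not from a header the client can supply.

```typescript
interface RateLimitDecision {
  allowed: boolean;
  remaining: number;         // requests left in the current window
  retryAfterSeconds: number; // 0 when allowed
}

// Sliding-window log limiter (example code, not CredsTrack's). Each subject keeps
// the timestamps of its recent hits; a request is allowed while fewer than `limit`
// hits fall inside the trailing window.
class SlidingWindowLimiter {
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly hits = new Map<string, number[]>();

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // `subject` is the client IP for public endpoints or the API key id for keyed ones.
  check(subject: string, now: number = Date.now()): RateLimitDecision {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(subject) ?? []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(subject, recent);
      // The oldest hit still inside the window decides when a slot frees up.
      const retryAfterMs = recent[0] + this.windowMs - now;
      return { allowed: false, remaining: 0, retryAfterSeconds: Math.max(1, Math.ceil(retryAfterMs / 1000)) };
    }
    recent.push(now);
    this.hits.set(subject, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterSeconds: 0 };
  }

  // Drop subjects with no hits in the window so idle clients do not accumulate forever.
  prune(now: number = Date.now()): number {
    const cutoff = now - this.windowMs;
    let removed = 0;
    for (const [subject, times] of this.hits) {
      if (times.every((t) => t <= cutoff)) {
        this.hits.delete(subject);
        removed++;
      }
    }
    return removed;
  }
}

// Map a decision onto the response the page describes: 429 once the limit is exceeded.
function enforce(
  limiter: SlidingWindowLimiter,
  subject: string,
  now: number = Date.now(),
): { status: number; headers: Record<string, string> } {
  const d = limiter.check(subject, now);
  const headers: Record<string, string> = { "X-RateLimit-Remaining": String(d.remaining) };
  if (!d.allowed) {
    headers["Retry-After"] = String(d.retryAfterSeconds);
    return { status: 429, headers };
  }
  return { status: 200, headers };
}

// Stand-alone demo: four requests from one constructed client IP against a limit of 3 per minute.
function demoBurst(): number[] {
  const limiter = new SlidingWindowLimiter(3, 60_000);
  return [0, 1_000, 2_000, 3_000].map((t) => enforce(limiter, "203.0.113.7", t).status);
}
```

A sliding window avoids the burst at window boundaries that a fixed-window counter allows; the cost is storing one timestamp per recent hit, which is why the store needs pruning or a TTL.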
SOC 2 roadmap
SOC 2 Type II audit is scheduled for Q3 2026. In the meantime we can provide our self-assessment, policies, and architecture diagrams on request under NDA.
Subprocessors
- Supabase (database + authentication + storage) — PostgreSQL hosting
- Vercel (application hosting) — edge + serverless functions
- Stripe (billing) — subscription and marketplace payments
- Nursys (license verification) — US Board of Nursing e-Notify
- Mailjet (transactional email) — sender of record credstrack.com
- Twilio (SMS, opt-in only) — sender of record credstrack.com
- OpenAI (document OCR) — GPT-4o Vision, no training on our data
Responsible disclosure
Found a vulnerability? Email security@credstrack.com with details. We aim to acknowledge reports within one business day and to fix critical issues within seven days.
Questions or a more detailed security review? Email hello@credstrack.com.