Encryption · transparent policy

Encryption key management

AES-256-GCM at rest · TLS 1.3 in transit · pgsodium per-tenant secret box · 6 managed key types · 6 rotation triggers · Shamir 3-of-5 escrow · transparent GDPR/AEPD/NIS2/AI Act compliance matrix. Serious encryption · NOT marketing.

6 key types · full management

| Type | Algorithm | Storage | Rotation | Scope |
|---|---|---|---|---|
| Database encryption at rest | AES-256-GCM via pgsodium | Supabase managed · transparent encryption | Annual + post-breach · zero downtime via key versioning | Full DB · PII columns additionally per-row encrypted |
| PII column-level encryption | pgsodium per-tenant secret box | Supabase Vault · per-tenant KEY derivation | Annual + per-tenant on-demand · re-encryption background job | patient_name · phone · email · medical_history · conversation_messages |
| Application secrets (API keys · tokens) | TOKEN_ENCRYPTION_KEY symmetric (AES-256) | Cloudflare Workers env (encrypted at rest) · NOT in code/repo | Quarterly · blue-green via runbook /rotate-secret | OpenAI · Meta WhatsApp · Stripe · Cal.com · Sentry · Upstash · UptimeRobot |
| TLS in transit | TLS 1.3 mandatory · TLS 1.2 fallback minimum · NO TLS 1.0/1.1 | Cloudflare managed certificates · Let's Encrypt auto-renewal | Automatic 90d · enforced by CA | ALL HTTP traffic: landing + worker + webhook + admin · HSTS preload submitted |
| Webhook signing keys | HMAC-SHA256 · Meta + Stripe + Upstash signing secrets | Cloudflare env separated per provider · zero overlap | Quarterly, coordinated with provider rotation · zero downtime via 24h dual-validate window | Meta webhook · Stripe webhook · QStash signing |
| Backup encryption | AES-256 + per-backup key envelope encryption | Backup KEY separated · NOT same KMS as DB · cross-account isolation | Annual + per-major-incident | Daily Supabase PITR backups · monthly archive offsite |
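The 24h dual-validate window from the webhook signing row, shown as an added illustration (not the project's Worker code): after a rotation, the receiver verifies the HMAC-SHA256 signature against the new secret and, only until the window closes, also against the previous one. The keyring structure, the field names and the sample body are assumptions for this example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, List

# The page's dual-validate window: previous secret stays accepted for 24h after rotation.
ROTATION_WINDOW_SECONDS = 24 * 60 * 60


@dataclass
class SigningKeyring:
    """One provider's webhook secret(s). Assumed structure: one keyring per provider,
    so Meta, Stripe and QStash secrets never overlap."""
    current: bytes
    previous: Optional[bytes] = None
    rotated_at: Optional[float] = None  # epoch seconds when `current` replaced `previous`


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded (generic provider format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def rotate(keyring: SigningKeyring, new_secret: bytes, now: float) -> SigningKeyring:
    """Blue-green step: the old secret becomes `previous` and the window starts at `now`."""
    return SigningKeyring(current=new_secret, previous=keyring.current, rotated_at=now)


def accepted_secrets(keyring: SigningKeyring, now: float) -> List[bytes]:
    """Current secret always; previous secret only while the rotation window is open."""
    secrets_ = [keyring.current]
    if (keyring.previous is not None and keyring.rotated_at is not None
            and now - keyring.rotated_at < ROTATION_WINDOW_SECONDS):
        secrets_.append(keyring.previous)
    return secrets_


def verify(keyring: SigningKeyring, body: bytes, signature: str, now: float) -> bool:
    """Constant-time comparison against every secret that is valid at `now`."""
    return any(hmac.compare_digest(sign(s, body), signature)
               for s in accepted_secrets(keyring, now))


# Constructed sample webhook body (not a real provider payload).
SAMPLE_BODY = b'{"event":"message.received","id":"example-1"}'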

6 rotation triggers

Scheduled · annual minimum
Q1 each year · audit + rotation of pgsodium + TOKEN_ENCRYPTION_KEY + backup keys · runbook executed and documented in the audit log
Scheduled · quarterly application secrets
Q1/Q2/Q3/Q4 · rotation of external API keys (OpenAI · Meta · Stripe · etc.) · blue-green per the /rotate-secret runbook
Event · suspected compromise
Immediate rotation (≤4h) · access log review · scope-of-exposure assessment · client notification where applicable · postmortem mandatory
Event · material staff change
If an engineer leaves or key access changes · full rotation within a 7d window · audit of access logs for the prior 90d
Event · vendor breach reported
Immediate rotation of vendor-affected keys · audit of our prior usage · postmortem with the vendor's incident timeline
Event · post-major-incident
If incident severity is P0 with potential key exposure · precautionary rotation 24h post-incident

Escrow + disaster recovery · 6 rules

Key loss = data loss. The strategy balances security (anti-coercion) against recovery (anti-loss) using Shamir Secret Sharing + zero-knowledge where applicable.

  • Backup KEY split via Shamir Secret Sharing · 3-of-5 threshold · 5 designated trustees (founder + 2 family legal + 2 advisors)
  • Trustees receive encrypted shares + documented recovery procedure · annual verification that shares are still accessible
  • Recovery process requires 3+ trustees coordinating · NO single point of access (anti-coercion · anti-loss)
  • Per-tenant pgsodium keys NOT escrowed · zero-knowledge architecture · client cannot retrieve data if all access is lost (acceptable tradeoff, documented)
  • Application secrets escrow via 1Password Business Vault accessible only to the founder · backup access via documented legal succession plan
  • Annual disaster recovery drill tests backup KEY recovery (Q4 · last 2026-02-10 successful)

Compliance matrix · standards coverage

| Standard | Coverage |
|---|---|
| GDPR Art 32 · pseudonymisation + encryption | ✓ Met · pgsodium per-tenant + AES-256 at rest + TLS 1.3 in transit · documented at `/security` |
| AEPD Guía Cifrado Personal Data 2024 | ✓ Met · AES-256 minimum · key rotation documented · NO weak primitives (RC4 · DES · MD5) |
| NIS2 Directive · encryption requirements | ○ Partial · NIS2 transposition in Spain pending · readiness planned Q3 2026 |
| AI Act Art 10 · data security | ✓ Met via encryption · governance gaps in audit logs being addressed Q4 2026 |
| ISO 27001 Annex A.10 · cryptography | ○ Roadmap · ISO 27001 certification Q4 2026–Q1 2027 · controls implemented without formal certification pre-revenue |
| PCI-DSS · payment data | N/A · Stripe handles tokenization · we NEVER store PAN · scope reduced to SAQ-A merchant |

Known gaps · transparent disclosure

7 secrets pending rotation (post-Sprint Hardening backlog): OpenAI v3 · Upstash · QStash signing+token · GitHub PAT · TOKEN_ENCRYPTION_KEY · Meta Permanent · UptimeRobot. Status: HIGH priority · founder + Claude 1d effort · target completion beyond the current week.

Dedicated HSM: keys are currently handled by Cloudflare/Supabase managed services · NO dedicated HSM. Roadmap Q2 2027 if an Enterprise client requires it contractually. Trade-off documented: managed is simpler vs HSM is more sovereign.

Client-managed keys (BYOK): NOT currently supported · roadmap pre-Enterprise tier. Useful for large clinics with custom compliance requirements.

Does your CISO need a key management deep-dive?

For Enterprise procurement · detailed architecture diagram · pgsodium implementation review · key derivation function docs · BYOK roadmap · available under NDA. Accelerates the pre-contract security review.