Security Model
Preflix AI separates public education pages from protected bill review workflows. Public pages are designed to provide information and route contact requests, while sensitive documents belong in authenticated product surfaces with stronger controls.
Security planning should assume that medical bills can contain protected health information, insurance identifiers, financial details, and family information. The product should limit access and keep a clear audit trail.
Data Protection
Protected workflows should use modern TLS for data in transit, encryption at rest for sensitive storage, secure key management, and scoped service credentials. Backups and logs should avoid unnecessary sensitive content.
Public forms should collect only non-sensitive contact details. If a visitor needs to share documents, support should route them to an approved secure channel.
Access And Monitoring
Administrative access should be limited, reviewed, and logged. Production support workflows should make it clear when a staff member needs access to an account and why.
Monitoring should cover authentication events, document access, permission changes, exports, unusual activity, and infrastructure alerts. Incident response should define triage, containment, notification, and remediation steps.
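As an added illustration of the two points above (staff access to an account must state when and why, and monitoring should cover authentication events, document access, permission changes, exports, and unusual activity), the following Python models an audit trail whose recorder refuses staff access without a stated reason, and runs a few monitoring rules over constructed sample events. This is example code written for this page, not Preflix AI's implementation; the event names, the `staff:`/`user:` actor prefixes, and the thresholds are assumptions.

```python
"""Added example (not Preflix AI's code): an audit trail that requires a stated
reason for staff access to an account, plus monitoring rules over the events.
Event names, actor prefixes and thresholds are assumptions for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed event vocabulary, mirroring the categories the policy says to monitor.
EVENT_TYPES = {"auth.login", "auth.failed", "document.view",
               "document.export", "permission.change"}


@dataclass
class AuditEvent:
    ts: datetime
    actor: str            # assumed convention: "staff:<id>" or "user:<id>"
    event: str            # one of EVENT_TYPES
    account: str = ""     # customer account touched, if any
    document_id: str = ""
    reason: str = ""      # required when staff touch a customer account


class AuditTrail:
    """Append-only list of events; rejects malformed or unjustified entries."""

    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def record(self, ev: AuditEvent) -> AuditEvent:
        if ev.event not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {ev.event}")
        # Policy: staff access to an account must say why. Enforce at write time
        # so the trail never contains an unexplained staff access.
        if ev.actor.startswith("staff:") and ev.account and not ev.reason.strip():
            raise ValueError("staff access to an account requires a reason")
        self.events.append(ev)
        return ev


def _count_in_window(times, window) -> int:
    """Largest number of sorted timestamps that fall inside any sliding window."""
    best = j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def find_anomalies(events: List[AuditEvent], export_threshold: int = 5,
                   window: timedelta = timedelta(minutes=10),
                   failed_logins: int = 3) -> List[Tuple[str, str]]:
    """Return (rule, actor) findings:
    - bulk_export: more than export_threshold exports by one actor within window
    - failed_logins: failed_logins or more auth.failed events by one actor within window
    - staff_permission_change: any permission change made by a staff actor (for review)
    """
    by_actor: Dict[str, List[AuditEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_actor.setdefault(ev.actor, []).append(ev)
    findings: List[Tuple[str, str]] = []
    for actor, evs in by_actor.items():
        exports = [e.ts for e in evs if e.event == "document.export"]
        if _count_in_window(exports, window) > export_threshold:
            findings.append(("bulk_export", actor))
        fails = [e.ts for e in evs if e.event == "auth.failed"]
        if _count_in_window(fails, window) >= failed_logins:
            findings.append(("failed_logins", actor))
        if actor.startswith("staff:") and any(e.event == "permission.change" for e in evs):
            findings.append(("staff_permission_change", actor))
    return findings


def sample_events() -> List[AuditEvent]:
    """Constructed sample events (not real data) exercising each rule."""
    t0 = datetime(2024, 1, 1, 9, 0)
    trail = AuditTrail()
    trail.record(AuditEvent(t0, "staff:alice", "document.view", account="acct-1",
                            document_id="doc-1", reason="ticket 42: billing dispute"))
    for i in range(7):  # seven exports in seven minutes -> bulk_export
        trail.record(AuditEvent(t0 + timedelta(minutes=i), "user:bob",
                                "document.export", account="acct-2",
                                document_id=f"doc-{i}"))
    for i in range(3):  # three failed logins in 40 seconds -> failed_logins
        trail.record(AuditEvent(t0 + timedelta(seconds=20 * i), "user:mallory",
                                "auth.failed"))
    trail.record(AuditEvent(t0, "staff:carol", "permission.change", account="acct-3",
                            reason="ticket 43: restore access"))
    return trail.events


def demo() -> List[Tuple[str, str]]:
    return find_anomalies(sample_events())


if __name__ == "__main__":
    for rule, actor in demo():
        print(f"{rule}: {actor}")
```

The write-time check is deliberate: a reason field that is merely optional in the schema tends to stay empty, whereas refusing the write keeps the audit trail answerable to "who accessed this account and why". The thresholds are starting points to tune against real traffic, and the sliding-window count is the same primitive a SIEM rule would apply to exports or failed logins.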
Responsible Disclosure
Preflix AI should provide a security contact for vulnerability reports and ask researchers not to access, modify, or disclose patient data. Reports should include the affected URL, steps to reproduce, impact, and contact information.
A production program can later add a formal bug bounty, safe harbor language, severity targets, and response timelines.