Security & Compliance

Patient data protection, explained plainly

CBCTHub is built for dental clinics and imaging centers that handle patient data. Here is exactly how we protect it — the technology, the policies, and the boundaries we set for ourselves.

Core principles

  • DICOM processing happens locally in the browser. The raw scan never leaves the user's device unless they explicitly share a link.
  • Minimum data collected: only what is needed to run the account and maintain audit trail.
  • Encrypted at rest and in transit. Access controlled by row-level security, scoped to the authenticated user.
  • No ads, no third-party trackers, no data sold or used for training.
  • You own the data. Full export and deletion on request.

Technical safeguards

Encryption in transit

All traffic uses TLS 1.3. HSTS is enforced. Viewer endpoints send COOP/COEP headers so SharedArrayBuffer — required for volumetric rendering — is only enabled on authenticated, same-origin contexts.

Encryption at rest

Scans that the user chooses to upload are stored in Supabase object storage, encrypted at rest. Database rows are protected by row-level security policies that scope every read and write to the authenticated owner.

Authentication

Email + password with magic-link fallback. Password hashes use bcrypt. Sessions are JWT-based with short TTL and refresh rotation. Multi-factor authentication is on the roadmap.

Sharing links

Share links are long random tokens — not guessable. They can be revoked at any time. Optional password protection and expiry. Every link access is logged with timestamp and IP (not shared with third parties).

Audit logs

Every share, delete, export and significant account change is recorded with a timestamp, the acting user, and the affected resource. Logs are retained for the active account lifetime and available for export in regulated jurisdictions.

Regulatory posture

HIPAA

CBCTHub is HIPAA-ready for covered entities and business associates in the United States. We support a Business Associate Agreement (BAA) on Pro and Clinic plans on request. The product architecture — local processing, least-privilege access, audit logs, break-glass controls — implements the core Security Rule safeguards. HIPAA covers both technical and organisational measures; the BAA documents the contractual layer.

GDPR

For users in the EU, EEA and the United Kingdom, CBCTHub acts as data processor. We publish a record of processing activities, support the rights of access, rectification, erasure and portability, and hold a Data Processing Agreement available on request. Storage regions can be pinned to EU when the plan permits.

Regional laws

CBCTHub is used by clinics in Latin America, Europe, North America and Oceania. We align with Chile's Ley 19.628 and the newer Ley de Protección de Datos Personales, Brazil's LGPD, and Canada's PIPEDA. Contracts are available in English and Spanish.

Data lifecycle

Upload: A scan becomes visible to CBCTHub only when the user chooses to save it to their account. Browser-local sessions never touch our servers.

Storage: Encrypted at rest, scoped by row-level security to the owning account. Backups run daily, encrypted, with retention limited to what is needed for disaster recovery.

Sharing: A share link grants read-only access, optionally password-protected, optionally expiring. Revocation takes effect immediately.

Deletion: When a user deletes a scan it is removed from primary storage immediately and purged from backups within 30 days. When an account is closed, all owned data is purged on the same schedule.

Incident response

If a security event is detected that could affect patient data, we follow a documented incident response plan: contain, assess, notify. Affected customers are notified within 72 hours of confirmation, which meets or exceeds GDPR and most state breach notification requirements.

To report a vulnerability, email security@cbcthub.com. We confirm receipt within one business day and keep reporters updated until resolution. Good-faith security research is welcomed.

Shared responsibility

Security is a shared responsibility. CBCTHub is responsible for the platform — encryption, infrastructure, application security. The customer is responsible for:

  • • Using strong, unique passwords and enabling MFA when available.
  • • Controlling who in the clinic has access, and removing access when staff leave.
  • • Obtaining patient consent before sharing scans externally.
  • • Keeping the devices that access CBCTHub up to date and free of malware.

Legal documents

Need a BAA, DPA or security questionnaire response? Email us and we will turn it around quickly.

Privacy policyTerms of servicesecurity@cbcthub.com