Infrastructure and hosting
Your data is encrypted everywhere it lives and moves. All data in transit is protected by TLS. All data at rest is encrypted with AES-256 managed by Supabase, our infrastructure provider for database, authentication, and object storage.
Development, staging, and production are completely separate environments at the infrastructure level, not just by convention. Production data never enters a staging or development environment.
Tenant isolation
One organization cannot read or write another organization's data. This guarantee is enforced by PostgreSQL row-level security policies at the database layer, not only in application code. Even a compromised or buggy application layer cannot cross tenant boundaries.
Isolation covers every table that holds patient health information: patients, reports, biomarker results, exports, audit events, and storage paths. Changes to these policies require explicit review before deployment.
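The following is an added illustration of the database-layer enforcement described above, not Test2Sheet's actual schema or policy text. The table, column and function names (patients, organization_id, current_org_id) are assumed for the example; the tenant context is read from a session setting so it runs on plain PostgreSQL, whereas a Supabase deployment would typically derive it from the JWT claims exposed by auth.jwt().

```sql
-- Added example (assumed names, not the product's own schema): a table holding
-- patient data, scoped to a tenant by row-level security.
CREATE TABLE patients (
  id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  organization_id uuid NOT NULL,
  full_name       text NOT NULL
);

-- Resolves the caller's organization. Here it comes from a session setting
-- (constructed for the example); in production it would come from the
-- authenticated identity, never from user-supplied query input.
CREATE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.current_org_id', true), '')::uuid
$$;

ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policies apply to the table owner as well, so a bug in
-- code running as the owning role still cannot read across tenants.
ALTER TABLE patients FORCE ROW LEVEL SECURITY;

-- Reads: only rows belonging to the caller's organization are visible.
CREATE POLICY patients_tenant_select ON patients
  FOR SELECT USING (organization_id = current_org_id());

-- Writes: a row can neither be touched nor created/moved outside the caller's
-- organization. WITH CHECK is what stops an INSERT or UPDATE from escaping.
CREATE POLICY patients_tenant_write ON patients
  FOR ALL
  USING (organization_id = current_org_id())
  WITH CHECK (organization_id = current_org_id());

-- Check with two constructed tenant ids.
SET app.current_org_id TO '00000000-0000-0000-0000-000000000001';
INSERT INTO patients (organization_id, full_name)
  VALUES ('00000000-0000-0000-0000-000000000001', 'constructed sample');

SET app.current_org_id TO '00000000-0000-0000-0000-000000000002';
SELECT count(*) FROM patients;            -- 0: tenant 1's row is invisible
INSERT INTO patients (organization_id, full_name)
  VALUES ('00000000-0000-0000-0000-000000000001', 'cross-tenant attempt');
-- ERROR: new row violates row-level security policy for table "patients"
```

Two caveats a reviewer of such policies should keep in mind: RLS is not applied to superusers or to roles created with BYPASSRLS (in Supabase the service role is one such role), which is why the page's separate rule that service-role credentials never reach the browser matters; and a table with RLS enabled but no matching policy denies everything by default, so a missing policy fails closed rather than open.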
Access controls and authentication
Only the right people can reach the right data. Every staff member has an individual account. Shared accounts are not permitted. Access is governed by five distinct roles (owner, admin, reviewer, uploader, integration), each with narrowly scoped permissions enforced at the database layer.
- The privileged roles owner, admin, and reviewer must enable multi-factor authentication before accessing live patient data.
- Sensitive operations such as member-role changes, API key creation, and bulk exports require recent re-authentication.
- Service-role credentials are never sent to the browser. All privileged operations run server-side only.
- Integration API keys are scoped to a single organization and can be revoked at any time without affecting other organizations.
File storage
Uploaded lab-report PDFs are never publicly accessible. All files are stored in private, organization-scoped storage buckets. No lab report can be reached without an authenticated, authorized session.
Patient-identifying information is not embedded in storage paths or object keys. The original lab filename is stored separately. Files are served to authorized reviewers via short-lived signed URLs that expire after the session.
Audit and logging
Every significant action on patient data is recorded and cannot be altered after the fact. The audit log is append-only. Non-admin roles cannot modify or delete entries. Each record captures the acting user, organization, action type, target entity, and timestamp. Logged actions include:
- Report uploads and parse job creation
- Biomarker result edits and review status changes
- Report approvals and rejections
- Data exports
- Member-role changes
- API key creation and revocation
Patient health information is never written into application logs, error messages, analytics payloads, or URLs.
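As an added example of how an append-only audit table can be enforced at the database layer (this is illustrative and not Test2Sheet's own schema; the table name audit_events, the column names, the role app_user and the trigger function are assumed), the grants below withhold UPDATE, DELETE and TRUNCATE from the application role, and a trigger refuses those statements even if a privilege is ever granted by mistake:

```sql
-- Added example (assumed names): an audit log that records who did what, to
-- which entity, when, and that cannot be edited after the fact.
CREATE TABLE audit_events (
  id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  organization_id uuid        NOT NULL,   -- tenant the action happened in
  actor_id        uuid        NOT NULL,   -- acting user
  action          text        NOT NULL,   -- e.g. 'report.approve'
  target_type     text        NOT NULL,   -- e.g. 'report'
  target_id       text        NOT NULL,
  occurred_at     timestamptz NOT NULL DEFAULT now()
);

-- The application's database role may add and read entries, nothing else.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON audit_events TO app_user;

-- Second line of defence: refuse any attempt to rewrite history, regardless
-- of which role holds the privilege.
CREATE FUNCTION audit_events_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_events is append-only: % is not permitted', TG_OP
    USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_events_no_rewrite
  BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_events
  FOR EACH STATEMENT EXECUTE FUNCTION audit_events_immutable();

-- Check with constructed values.
INSERT INTO audit_events (organization_id, actor_id, action, target_type, target_id)
  VALUES ('00000000-0000-0000-0000-000000000001',
          '00000000-0000-0000-0000-0000000000aa',
          'report.approve', 'report', '42');

DELETE FROM audit_events WHERE id = 1;
-- ERROR: audit_events is append-only: DELETE is not permitted
UPDATE audit_events SET action = 'report.reject' WHERE id = 1;
-- ERROR: audit_events is append-only: UPDATE is not permitted
```

Note that the trigger is itself a database object: a role that can DROP or DISABLE it can defeat the control, so trigger and table ownership belong to a role the application never connects as, and changes to either should go through the same review as the row-level security policies. Only the identifiers of actor, organization and target are stored, consistent with keeping patient health information out of logs.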
Secrets and credentials
Production credentials are not stored in code and are never accessible to the browser. All secrets, including database credentials, API keys, and signing keys, are managed through a hosted secret store. Committing environment files containing secrets is blocked by repository policy.
API keys for downstream integrations are issued per organization, limited to reading approved data, and can be revoked immediately without affecting any other organization.
Compliance posture
Test2Sheet Enterprise is built to a HIPAA-ready, GDPR-aware, and Swiss revFADP-aligned control baseline. We do not claim to be 'HIPAA compliant,' 'GDPR compliant,' or 'SOC 2 certified' unless an independent review supports that specific claim. We have not yet completed a formal SOC 2 audit, but we build controls so that evidence is available for a future audit when commercially needed.
Our current posture by customer jurisdiction:
- US customers in a covered healthcare workflow: contact us to discuss Business Associate Agreement availability before onboarding patient data.
- EU/EEA customers: we operate under the Swiss Federal Act on Data Protection (revFADP) and support Standard Contractual Clause arrangements for cross-border transfers.
- Australian customers: we build to Australian Privacy Principles (APP) alignment as a default baseline, including APP 11 security requirements.
- Enterprise security questionnaires: contact support@test2sheet.com. We maintain a template and respond to custom vendor questionnaires for procurement reviews.
Responsible disclosure
If you discover a security vulnerability in Test2Sheet Enterprise, please report it to support@test2sheet.com before public disclosure. We aim to respond within two business days and will coordinate a responsible disclosure timeline with you.
We do not currently offer a formal bug bounty program, but we take all reported vulnerabilities seriously and will acknowledge good-faith researchers.