Security And Technical Measures
A plain-language summary of NutriScope security controls: access control, row-level security (RLS), server-only secrets, file storage, payments, AI and operational safeguards.
Audience: Practitioners, clinics, clients and reviewers
NutriScope handles sensitive health-adjacent information. The platform should have practical technical and organisational measures in place before real client records are hosted.
Access Control
- Authenticated practitioner and client roles.
- Relationship-scoped access to clients, trackers, observations, messages, notes, files, bookings and questionnaires.
- Strict practitioner scoping in production, with the open-access rules used for testing disabled.
- Explicit clinic or admin grants before private client data is exposed to wider teams.
Data Security
- Encrypted transport using HTTPS.
- Provider-managed encryption at rest where available.
- Private or signed storage for files and meal photos.
- Avoidance of health data in URLs, frontend logs, analytics and third-party telemetry.
- Structured observations to support minimisation, export and deletion.
Secrets And Server Boundaries
- Service-role keys remain server-only.
- Stripe secret keys and webhook secrets remain server-only.
- AI provider keys remain server-only.
- Video provider OAuth tokens are encrypted server-side and not readable through authenticated client policies.
- Webhook endpoints require secret or signature verification before mutating state.
Payments And AI
Paid bookings and packages should use Stripe-hosted Checkout, and booking or entitlement state should change only in response to verified webhook events. NutriScope should not collect or store raw card details.
AI-assisted review should be optional (opt-in wherever consent or policy requires it), clearly labelled, limited to the minimum relevant context and reviewed by the practitioner before its output is used.
Incident Response
NutriScope should maintain a breach response process that identifies affected data, preserves evidence, assesses notification duties and supports the UK GDPR 72-hour assessment and ICO notification window where applicable.