Security & Compliance
EyeSurgerySplits implements administrative, physical, and technical safeguards consistent with HIPAA Security Rule requirements. Your patient data is protected at every layer.
AES-256 Encryption at Rest
All patient data is encrypted using AES-256 via the Fernet symmetric encryption scheme. Encryption keys are derived from your password using PBKDF2 with a unique salt.
Bcrypt Password Hashing
User passwords are hashed with bcrypt (12 rounds). Even if the password file is compromised, original passwords cannot be recovered.
Comprehensive Audit Logging
Every login, data access, modification, export, and deletion is recorded in a tamper-evident audit log with timestamps, user identity, and action details.
Account Lockout Protection
After 5 failed login attempts, accounts are automatically locked for 30 minutes to prevent brute-force attacks.
100% Local Data Storage
Patient data never leaves your machine. The only network communication is for account authentication and subscription management — no PHI is transmitted.
Role-Based Access Control
Multi-user support with role-based permissions. Administrators can create accounts, manage users, and review audit logs.
Secure Session Management
Sessions use cryptographically random tokens with configurable timeout. Inactive sessions are automatically terminated.
Encrypted Data Export
When security features are enabled, exported data maintains encryption. Audit logs track all export events.
Data Architecture
Patient data stays on your device. Only authentication flows through the cloud.
Your Device
Patient data, videos, case logs (encrypted)
Cloud API
Login, subscription status, app updates
No PHI in the cloud
Questions about security or compliance?
security@eyesurgerysplits.com