Security overview
iMed treats care operations as institution-scoped work. The system is built around server-side authorization, auditable actions, controlled device assignment, and least-privilege access.
Access control
- Authentication is resolved before any workspace opens.
- Institution membership, institution roles, and system privileges are checked server-side.
- Regular users, staff, institution admins, institution owners, and system admins see only the capabilities granted to them.
Operational safeguards
- Care requests, staff actions, device assignments, and voice-session events are recorded with institution context.
- Device setup and patient binding are routed through controlled institution and system-admin workflows.
- Security-sensitive database operations use row-level security, explicit grants, and audited service boundaries.
Infrastructure posture
- Hosted services are configured for authenticated API access and scoped operational data paths.
- Secrets and provider credentials belong in managed environment configuration, not client bundles.
- Operational logs and telemetry are used to investigate failures, suspicious behavior, and delivery reliability.