Security posture
Security at EEGBase
We treat security as a clinical-trust requirement, not a compliance checkbox. This page describes our threat model, posture, and disclosure process. Researchers welcome.
Threat model
The threats we explicitly defend against:
- Unauthorized access to PHI — addressed via SSO + 2FA enforcement, IP allowlisting, role-based access control with least-privilege defaults, AES-256 at rest with HSM-backed keys.
- Data exfiltration via supply chain — addressed via dependency pinning, automated SBOM (CycloneDX), Renovate auto-updates with security review, GitHub branch protection.
- Compromised clinician device — auto-logout after 15 minutes idle, session token rotation, device-fingerprinted re-auth, suspicious-login email alerts.
- Webhook tampering — HMAC-SHA256 signed bodies, timestamp window enforcement, IP allowlist available per webhook destination.
- Cross-tenant data leakage — Postgres row-level security on every table, contract tests in CI; internal red-team exercises planned to start once the team is staffed for them.
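The webhook-tampering item above names two controls: HMAC-SHA256 signed bodies and timestamp window enforcement. The following Python is an added example of the receiving side of such a scheme, written for this page; it is not EEGBase's code. The header names, the `timestamp.body` signing layout, the 300-second window, and the sample delivery are constructed assumptions. It also adds a within-window seen-signature set, since a valid delivery re-posted a few seconds later would otherwise pass both checks.

```python
"""Webhook receiver checks: HMAC-SHA256 over timestamp + raw body, a replay
window, and a short-lived seen-signature set. Added illustration only; header
names, signature layout and the window size are assumptions."""
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumed names and tolerance; a real integration takes these from the
# sender's documentation.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300


def sign_body(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: the MAC covers the timestamp and the exact raw bytes sent,
    so neither can be changed or re-paired with a different body."""
    msg = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Remembers signatures seen inside the window so an intercepted delivery
    cannot be re-posted while its timestamp is still fresh."""

    def __init__(self) -> None:
        self._seen = {}  # signature -> timestamp it carried

    def check_and_record(self, signature: str, timestamp: int, now: float) -> bool:
        # Entries older than the window can no longer pass the timestamp
        # check, so they are safe to forget.
        cutoff = now - MAX_SKEW_SECONDS
        self._seen = {s: t for s, t in self._seen.items() if t >= cutoff}
        if signature in self._seen:
            return False
        self._seen[signature] = timestamp
        return True


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   guard: Optional[ReplayGuard] = None,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason). The reason is for the audit
    log; the HTTP response to the caller should not distinguish the cases."""
    now = time.time() if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return False, "missing signature or timestamp header"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    # Recompute over the raw bytes as received, never over a re-serialised
    # JSON object: whitespace or key-order changes would break the MAC.
    expected = sign_body(secret, ts, body)
    # Constant-time compare so the mismatch position does not leak via timing.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    if guard is not None and not guard.check_and_record(sig, ts, now):
        return False, "replayed delivery"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery, not real EEGBase traffic.
    secret = b"constructed-shared-secret"
    body = b'{"event":"session.completed","session_id":"demo-001"}'
    ts = 1_700_000_000
    headers = {TIMESTAMP_HEADER: str(ts),
               SIGNATURE_HEADER: sign_body(secret, ts, body)}
    guard = ReplayGuard()
    print(verify_webhook(secret, headers, body, guard, now=ts + 5))   # accepted
    print(verify_webhook(secret, headers, body, guard, now=ts + 6))   # replay
    print(verify_webhook(secret, headers, body + b" ", now=ts + 5))   # tampered
    print(verify_webhook(secret, headers, body, now=ts + 900))        # stale
```

The signature check runs before the timestamp check on purpose: an unauthenticated caller then learns nothing about how the window is enforced. The guard's memory is per process; a multi-instance deployment would keep the seen set in shared storage with the same expiry.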
Vulnerability disclosure
We welcome responsible vulnerability disclosure from security researchers. Email hello@eegbase.com (subject: Security disclosure) or use the security.txt contact.
Our commitment (target SLA):
- Acknowledge confirmed reports within 24 hours.
- Triage and patch critical issues within 7 days; we'll keep you informed throughout.
- Disclose publicly via the status page after coordinated disclosure with affected clinics.
- Credit researchers in advisories unless you prefer anonymity.
Safe harbor: We will not pursue legal action against researchers acting in good faith. Don't access more data than necessary, don't exfiltrate or share data, don't test in ways that disrupt service.
Bug bounty program launching in a future update. Out of scope today: third-party services (Stripe, AWS, Daily.co), self-hosted deployments outside our control.
EU data sharing
When a Mendi at-home user’s session data flows into an EU clinician’s EEGBase view, EEGBase and Mendi are joint controllers of that personal data under GDPR Art. 26. We treat that as a real legal artifact, not a checkbox.
Before any EU at-home Mendi data lands in a clinical EEGBase view, we will have in place:
- Joint Controller Agreement (JCA) signed with Mendi — defines who responds to access requests, who notifies on breach, who’s liable for what
- Data Protection Impact Assessment (DPIA) on file — required for high-risk processing of health + AI under GDPR Art. 35
- GDPR Art. 9 explicit, purpose-specific consent in the Mendi consumer app — separate consent per clinician, revocable at any time, never a single generic toggle
- Lawful basis documented per processing activity (consent for at-home sharing, legitimate interest for clinical record-keeping, legal obligation for retention)
Right to erasure (Art. 17) vs clinical retention. EU member states require clinical records to be retained 10–30 years (e.g. France 20y, Germany 10y, Sweden 10y). When an erasure request conflicts with retention, the clinical retention obligation wins for the regulated record; non-essential personal data is removed within 30 days and the user is informed of what was retained and why.
Cross-border transfer. EU clinic data lives in Frankfurt (eu-west-3). When transfer outside the EEA is necessary (e.g. a US clinician credentialed at an EU clinic), EU SCCs (2021/914 Module 2) plus supplementary measures per Schrems II apply.
None of the Mendi-EU pieces are live yet — they gate EU clinic onboarding and the Coaching marketplace, both planned Q4 2026.
Incident response
P0 incident SLA · target on launch:
Targets above kick in once a clinic onboards. Breach notification within 72 h per GDPR Art. 33, and the HIPAA Breach Notification Rule, apply regardless of platform stage. Public incident history will appear on the status page. Subscribe to email updates at hello@eegbase.com.
Compliance documents
The following are NDA-gated. Sign a mutual NDA via hello@eegbase.com to receive them on completion:
- SOC 2 report (Coalfire) — Type I scoping in progress, Type II to follow · target Q3 2026
- Independent pen-test attestation + remediation log — vendor selection in progress · target Q3 2026
- HIPAA risk assessment + Security Rule audit (available today)
- GDPR Data Processing Addendum + EU SCCs (2021/914) (available today)
- VPAT 2.4 (WCAG 2.2 AA · Deque audit planned Q3 2026)
- Disaster recovery runbook (available today) · tabletop exercise notes once exercises are run
What you can do today
Concrete steps for clinics setting up:
- Enforce 2FA for all clinical seats (default on)
- Configure IP allowlist for clinic-network access
- Enable SAML SSO via Okta or Google Workspace
- Subscribe to incident updates by emailing hello@eegbase.com (subject: Status updates subscribe)
- Audit role assignments quarterly via Settings → Team