Security & Compliance
How we protect your data and research
TLS 1.3: Encrypted in Transit
Google Cloud: SOC 2 Compliant
Stripe Identity: ID Verification
GDPR Ready: Data Rights
Data Protection
- All data is encrypted in transit using TLS 1.3 (HTTPS enforced on all endpoints)
- Hosted on Google Cloud Platform with SOC 2 Type II compliance, automatic encryption at rest, and managed security controls
- Database hosted on Cloud SQL with automated backups, point-in-time recovery, and private networking
- File uploads stored in Cloud Storage with signed URLs and access-controlled delivery
Authentication
- Passwords hashed using bcrypt with unique per-user salts (plaintext passwords are never stored)
- Email verification required before account activation
- Identity verification via Stripe Identity (government ID + selfie) — we never store your identity documents
- Account lockout after 5 failed login attempts (15-minute cooldown)
- Session tokens with secure, HttpOnly, SameSite cookie attributes
Access Control
- Role-based access control: public visitors, registered users, NDA-verified researchers, and administrators
- Research track content gated behind NDA signature and identity verification
- Admin approval required for sensitive operations (reimbursements, trial verification, access exceptions)
- Email domain gating — corporate/institutional emails required, with manual review for exceptions
Monitoring & Audit
- Comprehensive audit logging of all user actions (logins, submissions, data access, admin operations)
- Rate limiting on authentication endpoints (login, registration, password reset) to prevent brute-force attacks
- CSRF protection via Origin/Referer header validation on all state-changing requests
- Input validation and length limits on all user-submitted data to prevent injection attacks
GDPR & Privacy Compliance
- Data export available upon request — receive all your data in machine-readable format
- Deletion requests honored within 30 days via the Request Deletion page
- Minimal data collection — we only collect what is necessary for Platform operation
- Cookie consent — analytics cookies loaded only after explicit opt-in
- Full Privacy Policy with PIPEDA, PIPA, and GDPR compliance details
Responsible Disclosure
We value the security research community. If you discover a vulnerability in the CAGE Research Platform, please report it responsibly.
Report vulnerabilities to:
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any suggested remediation
We will acknowledge receipt within 48 hours and aim to resolve confirmed vulnerabilities within 30 days. We will not take legal action against researchers who report in good faith and do not access or modify other users' data.