Role-based access
Private records and documents are available only to authenticated users with an active portal membership approved for the relevant workspace.
Public security overview
This public page explains security principles only. Detailed architecture, control evidence, incident procedures, and private assessments belong in the screened stakeholder portal.
Private records and documents are available only to authenticated users with an active portal membership approved for the relevant workspace.
Authorization is enforced in the database through Row Level Security rather than relying only on hidden buttons or client-side route checks.
Screened files are stored in private buckets and delivered through short-lived signed URLs after authorization is rechecked.
Public clients receive only a publishable key. Server secrets remain server-side and are never included in browser bundles.
Administrative approvals, document changes, and sensitive access events should be recorded in an append-oriented audit log.
Marketing content, inquiries, portal documents, and participant-level research data should not share one unrestricted data environment.