Security
Last updated: May 2025 · Pace My Energy™ by Institute for Adaptive Health, L3C
Our approach
Pace My Energy is built on a security-first foundation. We use Supabase as our backend, which enforces encryption in transit and at rest, row-level security, and role-based access control at the database level.
Encryption
- All data in transit is encrypted via TLS 1.2 or higher
- OAuth tokens from wearable integrations (Garmin, Fitbit, Polar) are encrypted using AES-256-GCM via Supabase Vault. Raw token values are never stored in plaintext
- The mobile app communicates exclusively via HTTPS. OAuth tokens are never transmitted in plaintext
Access control
- Row-level security (RLS) is enforced at the Postgres level patients, clinicians, and caregivers each access only their own authorized data
- Clinicians access only their own patients via a care team array. No policy grants cross-patient access
- Authentication uses OTP via email (6-digit code) through Supabase Auth
HIPAA posture
We are actively working toward full HIPAA compliance. Current live controls include access control (RLS per role), information access management (care team model), encryption in transit, encryption at rest for OAuth tokens, and PHI logging rules in our mobile app. We are working toward signing a Supabase BAA, building an audit log, and implementing consent versioning.
Wearable data
All wearable sources normalize to a single standard before insertion into our biometrics table. Raw biometric values are never written to application logs. Supported integrations: Apple HealthKit, Android Health Connect, Garmin, Fitbit, Polar, and manual entry.
Vulnerability disclosure
If you believe you have found a security vulnerability in Pace My Energy, please report it responsibly to info@pacemyenergy.com. We will acknowledge receipt within 48 hours.
Questions
For security inquiries or to request a BAA, contact info@pacemyenergy.com.