
How CalmCheck Protects User Data

This page describes the protections implemented in the current CalmCheck application code. It is intentionally specific and does not claim controls that are not present.

Authentication and sessions

  • Google sign-in is verified on the server using Google's ID-token verification flow.
  • CalmCheck does not receive or store your Google password.
  • Signed-in sessions are stored server-side and the browser receives a session cookie marked HttpOnly.
  • In production, session cookies are also marked Secure and SameSite=Lax.
  • Session tokens are stored in the database as hashes rather than plain text.

Request protections

  • State-changing API routes require a CSRF token.
  • Same-origin checks are enforced for protected mutations.
  • Incoming JSON is validated server-side and request bodies are size-limited.
  • Rate limiting is applied to sensitive routes such as sign-in and symptom checks.
  • First-party analytics ingestion is same-origin only, rate-limited, and validated before storage.
  • Security headers are configured for production hosting.

Storage protections

  • Signed-in history, consent records, sessions, and audit logs are stored server-side.
  • Stored check content, such as symptom text, explanations, steps, and related check fields, is encrypted at the application layer when PHI_ENCRYPTION_KEY is configured.
  • Audit logs store hashed IP and hashed user-agent values rather than raw values.
  • Analytics events are stored separately from symptom history and are intended for product-funnel measurement rather than medical record storage.
  • Guest-mode history, when enabled, lives in browser localStorage on the user's device.
  • Public-page-to-app symptom handoff uses browser sessionStorage rather than putting symptom text into URL query parameters.
  • The protected app shell is served with Cache-Control: no-store and Referrer-Policy: no-referrer.

AI and safety controls

  • A deterministic Safety Gate runs before the live AI path.
  • Inputs that match emergency-style red flags are blocked from the normal reassurance flow and escalated immediately.
  • Non-emergency checks may be sent to OpenAI when live AI is enabled.
  • Optional voice narration may send the spoken summary text to ElevenLabs when you press play.
  • If OpenAI is unavailable, CalmCheck can use a local fallback engine instead of returning nothing.
  • In HIPAA mode, narration and voice-chat features are disabled.

HIPAA mode

CalmCheck includes an optional HIPAA mode. When it is enabled, the app requires authenticated use before symptom checks can run, disables guest PHI storage, expects application-layer encryption to be configured, disables analytics ingestion and browser notifications, applies configurable retention sweeps, and tracks whether required BAA-related runtime flags are present.

That mode is a technical control set, not a legal certification.

Current limits

  • No software product can promise perfect security.
  • Guest mode is less private on shared devices because browser storage stays on that device until cleared.
  • The current code does not itself guarantee any third-party provider's retention or backup practices.
  • Operational compliance still depends on how the product is deployed and managed.

If CalmCheck's implementation changes, this page should be updated to match the live product.