FIRMA handles financial records, client contracts, and — for some customers — protected health information. Security isn’t a feature we added later. It’s the foundation.
Every sensitive route in FIRMA — ledger, banking, NEXUS Board — is gated behind our ALCATRAZ framework. Access is verified on every request at the Vercel Edge before any data is touched. No session can coast on a stale token.
FIRMA enforces NIST AAL2-equivalent multi-factor authentication for all financial and PHI-adjacent routes. Browser caching is disabled on these pages at the CDN level so a cached page can never be served after logout.
FIRMA offers a Business Associate Agreement (BAA) for customers who handle Protected Health Information — including home health operators, medical billing firms, and clinical practices. Contact us to execute a BAA.
All data is encrypted at rest using AES-256. All data in transit is protected with TLS 1.3. Database backups are encrypted and stored with point-in-time recovery. Encryption keys rotate on a scheduled basis.
FIRMA uses Supabase row-level security policies to enforce data isolation at the database layer. A tenant’s data is invisible to other tenants even if application-layer logic fails — the database enforces it directly.
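The kind of database-enforced isolation described above, as an added illustration rather than FIRMA's own schema or policies: a Postgres/Supabase row-level security setup for a hypothetical `ledger_entries` table, assuming each user's JWT carries a tenant identifier as an `org_id` claim under `app_metadata`.

```sql
-- Added example (not FIRMA's code). Hypothetical tenant-scoped table.
create table if not exists ledger_entries (
  id         bigint generated always as identity primary key,
  org_id     uuid not null,
  created_by uuid not null default auth.uid(),
  amount     numeric(14,2) not null,
  memo       text
);

-- Enable RLS. FORCE applies the policies to the table owner too; roles with
-- BYPASSRLS (Supabase's service_role) still bypass it, which is why that key
-- must never be shipped to a client.
alter table ledger_entries enable row level security;
alter table ledger_entries force row level security;

-- The caller's tenant comes from the verified JWT, never from request input.
-- Assumes org_id is stored in the token's app_metadata (a common pattern).
create or replace function current_org_id() returns uuid
language sql stable as $$
  select (auth.jwt() -> 'app_metadata' ->> 'org_id')::uuid
$$;

-- Reads: only rows in the caller's own tenant are visible, regardless of
-- what the application layer asks for.
create policy tenant_select on ledger_entries
  for select to authenticated
  using (org_id = current_org_id());

-- Writes: WITH CHECK is evaluated against the new row, so a client cannot
-- supply another tenant's org_id on insert or move a row across tenants.
create policy tenant_insert on ledger_entries
  for insert to authenticated
  with check (org_id = current_org_id());

create policy tenant_update on ledger_entries
  for update to authenticated
  using (org_id = current_org_id())
  with check (org_id = current_org_id());

-- No DELETE policy is defined, so with RLS enabled deletes are denied by
-- default (policies are allow-lists; absence means no access).

-- Check from a session holding tenant A's JWT: a deliberately broad query
-- such as "select count(*) from ledger_entries;" counts tenant A's rows only.
```

The useful verification is to run the broad query under a non-service role for two different tenants and confirm that neither result set contains the other's rows.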
FIRMA is currently undergoing a SOC 2 Type II audit (Trust Service Criteria: Security, Availability, Confidentiality). Enterprise customers may request our current security questionnaire and infrastructure documentation.
Found a vulnerability? Have a compliance question? Enterprise customers needing security documentation? Reach out directly.