Per-user data isolation
Supabase Auth plus row-level policies enforce user-scoped reads and writes.
Security and Trust
Built for sensitive health context
Cora protects user data through layered technical controls and explicit clinical boundaries, with a roadmap for full enterprise compliance operations.
Webhook integrity checks
Inbound Twilio traffic is accepted only when request signatures validate.
Secret and token protection
Verification codes and API tokens are stored as hashes, not plaintext credentials.
Private media access
Ingested files use private storage and time-limited signed URLs for controlled retrieval.
Server-side privileged operations
Service-role actions stay on trusted server routes and worker runtimes only.
Compliance posture
- ●Cora is built with a privacy-first, HIPAA-aligned architecture.
- ●Production HIPAA compliance requires formal BAAs, policy controls, training, and audits.
- ●Cora is positioned as educational wellness support, not clinical diagnosis or treatment.
Operational readiness focus
- ●Vendor risk reviews and subprocessor inventory
- ●BAA execution and renewal process
- ●Incident response and breach-notification playbooks
- ●Access review, key rotation, and least-privilege controls
- ●Audit logging and retention policy governance
Security-first by default
Explore the product architecture or create your account and begin onboarding.