Trust & Safety

Security Overview

Security is foundational to AestheticIQ. Here's exactly how we protect your credentials, your business data, and your practice.

AES-256-GCM · TLS 1.2+ · SOC 2 Infrastructure · RBAC · Audit Logging · Cloudflare

Data Encryption

Credentials at rest: AES-256-GCM with scrypt KDF
Data in transit: TLS 1.2+ enforced on all connections
Database encryption: Render managed PostgreSQL, encrypted at rest
Redis cache: Upstash Redis, encrypted at rest and in transit

Authentication & Access

Authentication provider: Clerk (SOC 2 Type II certified)
Session management: Secure, HTTP-only cookies with short TTL
Access control model: Role-based, OWNER / ADMIN / MEMBER
Admin operations: Additional authorization layer plus audit logging

Infrastructure

Hosting: Render (SOC 2 Type II certified)
CDN / DDoS protection: Cloudflare
Database: Render managed PostgreSQL with automated backups
Background jobs: Isolated Python worker on Render Cron

Application Security

HTTP security headers: HSTS, CSP, X-Frame-Options, Referrer-Policy, X-Content-Type-Options
Input validation: Zod schema validation on all API request bodies
SQL injection: Prisma ORM with parameterized queries throughout
Static analysis: Semgrep + SonarCloud on every PR

Monitoring & Response

Error monitoring: Sentry with session replay
Audit logging: Admin operations logged with user, timestamp, and action
Sync monitoring: Automated alerts for failed or stale syncs
Database backups: Weekly automated pg_dump, 90-day retention

How We Handle Your AR Credentials

Your Aesthetic Record username and password are among the most sensitive data we hold. Here is exactly what happens when you enter them:

  1. Client to server: Your credentials travel over TLS — encrypted in transit, never visible to intermediate parties.
  2. Server encryption: As soon as credentials arrive, they are encrypted with AES-256-GCM under a key derived via scrypt from a master secret. The plaintext is discarded from memory immediately afterwards.
  3. Storage: Only the ciphertext is stored in the database. The master secret from which the key is derived is held as an environment secret on Render; neither it nor the derived key is ever stored in the database.
  4. Use: During each scheduled sync, credentials are decrypted in memory for the duration of the API call, then discarded. They are never logged, never sent to third parties, and never stored in plain text at any point.
  5. Deletion: When you delete your account or revoke credentials, the encrypted record is permanently deleted from the database.

Responsible Disclosure

If you discover a security vulnerability in AestheticIQ, please report it to us at hello@aestheticiq.ai with the subject line "Security Disclosure." We will acknowledge your report within 48 hours and work to resolve confirmed vulnerabilities promptly. We ask that you give us reasonable time to address the issue before public disclosure.

This overview reflects our current security posture as of March 2026. We continuously evaluate and improve our security practices.