Security at CareCost Explorer

Last updated: June 2026

1. Data Architecture

CareCost Explorer serves publicly available healthcare pricing data derived from Machine-Readable Files published under the federal Transparency in Coverage Rule. No Protected Health Information (PHI) is collected, stored, processed, or transmitted. The data we host contains no patient-identifiable information.

2. Encryption & Transport

  • All traffic is served over HTTPS, so data is encrypted in transit with TLS.
  • HTTP Strict Transport Security (HSTS) is enforced, along with X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and a strict referrer policy.

3. Authentication & Access Control

  • Authentication is managed by Supabase, which handles password hashing and session tokens.
  • Access to the application requires a valid account and an active paid license.
  • Internal access to infrastructure follows least-privilege principles, restricted to what each role requires.

4. Payments

All payments are processed by Stripe, a PCI-DSS Level 1 certified provider. We never see or store your credit card number. Card data is collected and stored entirely within Stripe’s environment; we retain only a non-sensitive reference to the resulting subscription or purchase.

5. Data Provenance

All rate data is derived from publicly available, federally mandated transparency files. No proprietary patient or provider records are used. See our Methodology page for full sourcing detail.

6. Responsible Disclosure

If you discover a security vulnerability, please report it to hello@carecostexplorer.com. We take every report seriously and will respond promptly.