Security & Compliance
RapidRef Platform · Whiteframe LLC · Gloucester, Virginia
Current as of platform version 1.0
This page describes RapidRef's current security practices, data handling posture, and compliance position. It is intended for organization administrators, IT personnel, and procurement teams evaluating the platform for deployment.
1. Platform Overview
RapidRef is a clinical reference and operations platform for emergency services agencies. It is designed to organize and distribute protocols, medications, checklists, calculators, and field reference materials to authorized personnel. The platform operates as a software-as-a-service product hosted on modern cloud infrastructure.
RapidRef is a reference tool. It is not an electronic patient care reporting system, a clinical documentation platform, or a patient records management system. The platform is not designed or intended for the entry, storage, or transmission of patient-identifying information in its current form.
2. Current Compliance Posture
RapidRef does not currently create, receive, maintain, or transmit Protected Health Information (PHI) as defined under HIPAA. Whiteframe LLC therefore does not act as a Business Associate for standard tier deployments, and no Business Associate Agreement (BAA) is required for them.
In its current form, the RapidRef platform handles the following categories of data:
- Organization account data — agency name, administrator contact information, and billing details
- User account data — names, email addresses, and role assignments for authorized personnel
- Device identifiers — used for access management and remote revocation
- Clinical Content — protocols, formularies, procedures, and reference materials uploaded by the organization
- Usage and activity data — aggregated analytics on content access and feature usage within the organization
None of the above categories constitutes Protected Health Information under HIPAA. RapidRef does not collect, store, or process patient names, dates of birth, medical record numbers, encounter data, or any other patient-identifying information.
3. HIPAA and Future Integrations
Whiteframe LLC recognizes that emergency services organizations operate within a regulated healthcare environment, and that future platform capabilities may intersect with HIPAA-covered data flows.
Specifically, we anticipate that future versions of RapidRef may support optional integrations with third-party electronic patient care reporting (ePCR) platforms and similar clinical documentation systems. Any such integration would, by its nature, involve the handling of Protected Health Information and would require appropriate technical, administrative, and legal safeguards.
Prior to the release of any feature that would cause RapidRef to function as a Business Associate under HIPAA, Whiteframe LLC will:
- implement the required technical safeguards, including appropriate access controls, audit logging, encryption at rest and in transit, and data segmentation;
- make a HIPAA Business Associate Agreement (BAA) available to affected organizations prior to enabling any such functionality;
- update this security documentation and provide advance notice to existing customers before any change in the platform's PHI handling posture takes effect; and
- ensure that any third-party subprocessors involved in PHI handling are subject to appropriate Business Associate agreements.
Organizations with questions about the timeline or scope of planned ePCR integrations are encouraged to contact us directly.
4. Infrastructure and Hosting
The RapidRef platform is hosted on industry-standard cloud infrastructure. Data is stored and processed within the United States.
| Component | Provider / Detail |
|---|---|
| Backend & Database | Supabase — managed PostgreSQL; row-level security policies for tenant isolation, JWT-based authentication, automated backups with point-in-time recovery. SOC 2 compliant. |
| Admin Dashboard | Vercel — global content delivery with automatically provisioned TLS certificates and enforced HTTPS, DDoS protection, and a Web Application Firewall (WAF). SOC 2 compliant. |
| Authentication | Supabase Auth — JWT-based authentication with configurable user roles and permissions; credentials stored only as password hashes |
| Payment Processing | Stripe — PCI DSS Level 1 certified; no payment card data touches RapidRef systems |
| Push Notifications | Expo / Firebase — device tokens only; no clinical content transmitted |
| Error Monitoring | Sentry — receives technical error and performance data; no personal or clinical data |
| Data Region | United States |
| Encryption in Transit | TLS enforced across all endpoints |
| Encryption at Rest | AES-256 at the storage layer, via the hosting providers' default encryption at rest |
| API Security | DDoS protection and rate limiting on all API endpoints; requests authenticated with Supabase Auth JWTs (see above) |
5. Access Controls
5.1 Authentication
All user accounts authenticate with an email address and password. Passwords are stored only as hashes produced by an industry-standard password hashing algorithm and are never stored or transmitted in plain text. Organization administrators manage user access directly through the platform dashboard.
5.2 Role-Based Access
The platform supports role-based access controls at the organization level. Administrators can assign and revoke access, manage device authorization, and segment access by group, station, or division depending on the subscription tier.
5.3 Device Management
Each device that accesses the platform is registered and tracked. Organization administrators can remotely revoke device access at any time — including for offboarded personnel or lost devices — without requiring action from the end user.
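The access model described in 5.2 and 5.3 (organization-scoped roles, registered devices, remote revocation) maps naturally onto the PostgreSQL row-level security and JWT-based authentication listed under Infrastructure and Hosting. The following is an added illustration written for this page, not RapidRef's own schema or code: every table, column and claim name is an assumption, as is the use of Supabase's `auth.uid()` and `auth.jwt()` helpers and its `authenticated` role. It shows one way tenant isolation, admin-only writes and device revocation can be enforced in the database itself rather than in application code.

```sql
-- Illustrative PostgreSQL row-level security (RLS) for an organization-scoped reference
-- platform. ASSUMPTIONS: all table, column and claim names are invented for this example;
-- auth.uid() / auth.jwt() are Supabase's helpers for the caller's verified JWT (on plain
-- PostgreSQL read current_setting('request.jwt.claims', true)::jsonb instead); the
-- "authenticated" role is Supabase's role for signed-in callers.

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table memberships (
  user_id uuid not null,                                 -- Supabase Auth user id
  org_id  uuid not null references organizations(id),
  role    text not null check (role in ('admin', 'member')),
  primary key (user_id, org_id)
);

create table devices (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null,
  org_id     uuid not null references organizations(id),
  revoked_at timestamptz                                 -- set by an org admin; null = active
);

create table clinical_content (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organizations(id),
  title  text not null,
  body   text not null
);

-- With RLS enabled, nothing is readable or writable until a policy grants it.
alter table memberships      enable row level security;
alter table devices          enable row level security;
alter table clinical_content enable row level security;

-- The requesting device is assumed to be identified by a custom JWT claim "device_id",
-- issued at device registration. It comes from the verified token, not a client header,
-- so a client cannot impersonate another device. A missing claim yields null and no access.
create or replace function current_device_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() ->> 'device_id', '')::uuid
$$;

-- Runs as the caller, so it only ever sees the caller's own membership rows (policy below).
create or replace function is_org_admin(org uuid) returns boolean
language sql stable as $$
  select exists (
    select 1 from memberships m
    where m.user_id = auth.uid() and m.org_id = org and m.role = 'admin'
  )
$$;

-- Users see only their own memberships; that is all the content policy needs.
create policy memberships_self on memberships
  for select to authenticated
  using (user_id = auth.uid());

-- A user sees their own devices; an org admin sees every device in their org.
create policy devices_read on devices
  for select to authenticated
  using (user_id = auth.uid() or is_org_admin(org_id));

-- Only an org admin may update (e.g. revoke) a device, and cannot move it to another org.
create policy devices_admin_update on devices
  for update to authenticated
  using (is_org_admin(org_id))
  with check (is_org_admin(org_id));

-- Content read: caller must belong to the content's org AND be calling from a device
-- registered to them in that org that has not been revoked. Revocation therefore takes
-- effect on the device's next request with no action by the end user.
create policy content_read on clinical_content
  for select to authenticated
  using (
    exists (select 1 from memberships m
            where m.user_id = auth.uid() and m.org_id = clinical_content.org_id)
    and exists (select 1 from devices d
                where d.id = current_device_id()
                  and d.user_id = auth.uid()
                  and d.org_id = clinical_content.org_id
                  and d.revoked_at is null)
  );

-- Content write: org admins only, and a row can never be written into another org.
-- Separate insert/update/delete policies (not "for all") so that admin rights do not
-- widen the read path and bypass the device check above.
create policy content_admin_insert on clinical_content
  for insert to authenticated with check (is_org_admin(org_id));
create policy content_admin_update on clinical_content
  for update to authenticated using (is_org_admin(org_id)) with check (is_org_admin(org_id));
create policy content_admin_delete on clinical_content
  for delete to authenticated using (is_org_admin(org_id));

-- Remote revocation of a lost or offboarded device is then a single admin update:
--   update devices set revoked_at = now() where id = '<device id>';
```

The point of the arrangement is that the isolation guarantees do not depend on every API handler remembering to filter by organization: a query issued with a valid JWT for the wrong organization, or from a revoked device, simply returns no rows.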
5.4 Administrative Access
Whiteframe LLC staff access to production systems is restricted to authorized personnel and is limited to what is necessary to operate and support the platform. Internal access is logged and reviewed.
6. Data Practices
6.1 Clinical Content
All clinical protocols, medications, and operational reference materials within the platform are owned by and remain the responsibility of the deploying organization. Whiteframe LLC does not review, modify, or access Clinical Content except as necessary to provide technical support when authorized by the organization.
6.2 No Patient Data
RapidRef does not collect, process, or store patient information of any kind in its current form. The platform has no fields, workflows, or interfaces designed for patient-identifying data entry.
6.3 Analytics
The platform collects aggregated, non-identifying usage analytics to help organization administrators understand platform adoption and to allow Whiteframe LLC to improve the product. Analytics data does not include patient information or clinical outcomes. Individual user and device identifiers are retained only where needed for session and device management and are not part of the aggregated analytics reporting.
6.4 Data Retention
Organization data is retained for the duration of the active subscription. Upon termination, data is retained for ninety (90) days to allow for export requests, after which it is deleted in accordance with our standard data deletion practices.
7. Organizational Security Responsibilities
RapidRef is a shared responsibility environment. While Whiteframe LLC maintains the security of the platform infrastructure, organizations are responsible for:
- managing user account credentials and ensuring they are not shared;
- promptly revoking access for personnel who leave the organization or no longer require platform access;
- ensuring that devices used to access the platform are maintained in accordance with the organization's own device management policies;
- reviewing and maintaining the accuracy of Clinical Content within the platform, and ensuring that uploaded Clinical Content does not contain patient-identifying information, since the platform is not designed to handle it and the compliance posture described under Current Compliance Posture depends on it;
- notifying Whiteframe LLC promptly of any suspected unauthorized access or security incident; and
- ensuring that any use of the platform complies with applicable law, including any regulations governing the organization's EMS operations.
8. Incident Response
Whiteframe LLC maintains an internal incident response process for security events affecting the platform. In the event of a confirmed security incident that affects organization data, we will notify affected organizations in accordance with applicable law and our Terms of Service.
Organizations that suspect unauthorized access to their account or a security incident involving the platform should contact us immediately at the address below.
9. Enterprise and Custom Compliance Requirements
Organizations with specific compliance requirements beyond what is described here — including those operating under state-specific EMS regulations, CJIS requirements, or other regulatory frameworks — are encouraged to contact Whiteframe LLC to discuss their requirements before deployment.
Enterprise tier customers may request additional documentation, custom data processing agreements, or a review of the platform's security posture. Whiteframe LLC will work in good faith to accommodate reasonable enterprise compliance requirements where technically and operationally feasible.