Security at MyHSAHub

Your medical receipts can reveal sensitive details about your health. We treat that responsibility seriously — protecting your data with multiple layers of security at every level of our platform.

Data Protection

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS (HTTPS). We enforce HTTPS across the entire platform with HTTP Strict Transport Security (HSTS).

Encryption at Rest

Sensitive data such as multi-factor authentication secrets is encrypted using AES-based symmetric encryption before storage. Your uploaded files are stored in encrypted cloud infrastructure.

Password Security

Passwords are hashed using PBKDF2, an industry-standard key derivation function. We never store or have access to your plaintext password — not even our team can see it.

Data Masking

Payment card and bank account numbers are masked throughout the application. Only the last four digits are stored and displayed — the full numbers are never retained.

Authentication & Access

Multi-Factor Authentication

Protect your account with optional TOTP-based multi-factor authentication. Use any authenticator app (Google Authenticator, Authy, 1Password, etc.) for a second layer of security.

Brute-Force Protection

Accounts are automatically locked after repeated failed login attempts. Rate limiting is enforced on all authentication endpoints to prevent automated attacks.

Session Management

Sessions expire automatically after a period of inactivity. You can view all active sessions — including device, location, and last activity — and revoke any session at any time.

Email Verification

All accounts require email verification before access is granted. Email changes trigger verification to the new address and a security alert to the previous one.

Application Security

Content Security Policy (CSP)Browser-level headers prevent cross-site scripting (XSS) and code injection attacks.
CORS RestrictionsCross-origin requests are limited to authorized domains only.
Input ValidationAll user inputs are validated and sanitized. File uploads are verified by both extension and MIME type.
SQL Injection ProtectionAll database queries use parameterized statements through an ORM layer — no raw SQL.
File Upload ControlsUploads are restricted by file type, file size, and quantity to prevent abuse.
Secure CookiesSession cookies are configured with Secure, HttpOnly, and SameSite flags.

Security Alerts

We automatically notify you by email when security-sensitive changes are made to your account:

Password changedEmail address changedPhone number changedMFA enabled or disabledAccount deletion requestedNew device login

Infrastructure

Cloud Hosting

MyHSAHub is hosted on Microsoft Azure, which maintains comprehensive compliance certifications including SOC 2, ISO 27001, and HIPAA. Our infrastructure benefits from Azure's physical security, network protections, and redundancy.

File Storage

Uploaded receipt files are stored in Azure Blob Storage with managed encryption. Access to files is controlled through short-lived, signed URLs that expire automatically.

Responsible Disclosure

If you believe you've found a security vulnerability in MyHSAHub, we appreciate your help in disclosing it to us responsibly. Please email us at [email protected] with a description of the issue. We ask that you give us reasonable time to address the vulnerability before making it public.