Security

Best practices for HIPAA / GDPR integrations

Best practices for handling CBCTHub API keys and protecting patient data in your integration.

Never hardcode the API key

Use environment variables or a secret manager (AWS Secrets Manager, Vault, Doppler). Do not commit keys to git nor expose them in frontend code.

Do not expose the key to the browser

If your integration has a frontend, all CBCTHub calls must go through your backend. A key exposed in public JS can be stolen and used to fill your storage.

Rotate keys every 3-6 months

Basic hygiene. Create a new key, update the env var, verify it works, revoke the old one.

Use distinct keys per environment

One key for dev, one for staging, one for prod. If one leaks, the blast radius stays scoped.

Patient data (HIPAA/GDPR/LGPD)

CBCTHub is built HIPAA-ready and GDPR-compliant. Data travels encrypted (TLS 1.3) and is stored encrypted in R2. Your system is responsible for obtaining patient consent before uploading. For customers who need a signed DPA, download from cbcthub.com/dpa.

Revoke immediately on suspected leak

If a key was accidentally shared in a public repo, Slack, email or ticket: revoke immediately from Settings → API. Revocation is instant.

← Previous

Code samples

FAQs