Security Information

ExomeDNA is committed to protecting your genetic data with industry-leading security practices and compliance with international data protection regulations.

1. Data Encryption

Client-Side Encryption (Before Upload)

  • Algorithm: AES-256 (Advanced Encryption Standard, 256-bit key)
  • Encryption Location: Your browser (DNA file never leaves your device unencrypted)
  • Key Management: Unique encryption key per user, stored securely in database
  • Result: Even if intercepted during upload, DNA data is unreadable without your key

Data in Transit (HTTPS/TLS 1.3)

  • Protocol: TLS 1.3 (Transport Layer Security, latest version)
  • Certificate: SSL/TLS certificate from trusted Certificate Authority
  • Cipher Suites: Strong encryption only (AES-GCM, ChaCha20-Poly1305)
  • Result: All data transmitted between your browser and our servers is encrypted

Data at Rest (Database Encryption)

  • Database: Supabase (PostgreSQL) with AES-256 encryption at rest
  • Backup Encryption: All database backups encrypted with AES-256
  • Key Rotation: Encryption keys rotated automatically by Supabase
  • Result: Stored data is encrypted on disk, protected against physical theft

2. Access Control & Authentication

Row-Level Security (RLS)

Supabase Row-Level Security (RLS) policies ensure users can ONLY access their own genetic data:

  • User Isolation: Database queries automatically filtered by user ID
  • No Cross-User Access: User A cannot query User B's genetic data (enforced at database level)
  • Admin Restrictions: Even admins cannot access raw genetic data without explicit consent
  • SQL Injection Protection: Because RLS policies are enforced by the database itself, an injected query is still filtered to the caller's own rows, limiting what an injection can expose
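To make the isolation concrete, here is an added example of the kind of Supabase (PostgreSQL) RLS setup that enforces "users can only read their own rows"; it is illustrative code, not ExomeDNA's actual schema, and the table, column, and policy names are assumptions.

```sql
-- Added example of per-user row isolation with Supabase RLS.
-- Table, columns and policy names are assumptions, not ExomeDNA's schema.
create table if not exists public.genetic_data (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  ciphertext bytea not null,   -- client-side encrypted upload, never plaintext
  created_at timestamptz not null default now()
);

-- Enable RLS; FORCE makes the policies apply to the table owner as well.
-- Roles created with BYPASSRLS are still exempt, so keep those keys server-side.
alter table public.genetic_data enable row level security;
alter table public.genetic_data force row level security;

-- auth.uid() returns the sub claim of the verified Supabase JWT, so every
-- policy compares the row's owner with the authenticated caller.
create policy "owner can read own rows"
  on public.genetic_data for select
  to authenticated
  using ((select auth.uid()) = user_id);

create policy "owner can insert own rows"
  on public.genetic_data for insert
  to authenticated
  with check ((select auth.uid()) = user_id);

create policy "owner can delete own rows"
  on public.genetic_data for delete
  to authenticated
  using ((select auth.uid()) = user_id);

-- No update policy is defined, so under RLS updates are denied for everyone.
-- Check: run as an authenticated user, this returns only that user's rows,
-- because the select policy is ANDed into the statement regardless of the
-- WHERE clause the application (or an injected string) supplies:
--   select id, created_at from public.genetic_data;
```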

JWT Authentication

  • Token Type: JSON Web Tokens (JWT) issued by Supabase Auth
  • Session Duration: 30 minutes (auto-refresh with user activity)
  • Token Signing: Tokens signed with HS256 algorithm (256-bit secret key)
  • Verification: Every API request validates JWT signature and expiration

Multi-Factor Authentication (MFA)

Status: Supported via Supabase Auth (TOTP - Time-based One-Time Password)

Recommendation: Enable MFA in your account settings for enhanced security

3. Security Audit Results

Latest Audit: November 2025

Comprehensive 1,084-line security audit covering authentication, API security, infrastructure, code security, and GDPR compliance.

  • 0 Critical Issues
  • 0 High-Priority Issues
  • 2 Medium Recommendations
  • 1 Low-Priority Fix

View Full Security Audit Report (November 2025)

Audit Scope

  • Authentication & Authorization (Supabase Auth, RLS policies)
  • API Security (XSS, CSRF, SQL Injection, Input Validation)
  • Infrastructure Security (CSP, Error Tracking, Audit Logging)
  • Code Security (Dependency vulnerabilities, Secrets exposure)
  • GDPR Compliance (Articles 5, 12-22, 25, 30, 32-34)
  • Genetic Data Protection (Article 9 special category data)

Security Certifications

  • GDPR Compliant: 71% complete (10/14 articles fully implemented)
  • CCPA Ready: California Consumer Privacy Act compliance (data deletion, portability)
  • GINA Compliant: Genetic Information Nondiscrimination Act (no insurance/employment data sharing)
  • ISO 27001 (Supabase): Our infrastructure provider is ISO 27001 certified

4. Vulnerability Reporting

🔒 Responsible Disclosure Program

If you discover a security vulnerability in ExomeDNA, please report it responsibly. We appreciate your help in keeping our users' genetic data safe.

How to Report a Vulnerability

  • Email: security@exomedna.com
  • Subject Line: "[SECURITY] Brief description of vulnerability"
  • Include:
    • Description of the vulnerability and potential impact
    • Steps to reproduce (proof-of-concept)
    • Affected URLs, endpoints, or components
    • Your contact information (for follow-up questions)
  • Response Time: We will acknowledge your report within 48 hours
  • Resolution Time: Critical vulnerabilities patched within 7 days

What NOT to Do

  • Do NOT publicly disclose the vulnerability before we've had time to patch it
  • Do NOT attempt to access or modify other users' genetic data
  • Do NOT perform denial-of-service (DoS) attacks or load testing without permission
  • Do NOT exploit vulnerabilities for personal gain

Bug Bounty Program

Status: Under consideration (not currently offered)

For now, we appreciate responsible disclosure and will publicly acknowledge security researchers who report valid vulnerabilities (with permission).

5. Compliance & Regulations

GDPR (General Data Protection Regulation)

  • Article 9: Special category data (genetic data) protection with explicit consent
  • Article 13: Privacy Policy transparency (all 11 requirements met)
  • Articles 15-22: User rights (access, deletion, portability, rectification)
  • Article 30: Audit logging and record-keeping (7-year retention)
  • Article 32: Security measures (encryption, access control, pseudonymization)

CCPA (California Consumer Privacy Act)

  • Right to Know: Users can request all data we collect about them
  • Right to Delete: Users can request deletion of all genetic data
  • Right to Opt-Out: We do not sell personal data (no opt-out needed)
  • Right to Non-Discrimination: No penalty for exercising privacy rights

GINA (Genetic Information Nondiscrimination Act)

  • No Insurance Sharing: We never share genetic data with insurance companies
  • No Employment Sharing: We never share genetic data with employers
  • User Control: You control who sees your genetic results (nobody by default)

Educational Use Only (NOT Medical Device)

Important Disclaimer: ExomeDNA is NOT a medical device and is NOT FDA-cleared. Our genetic analysis is for educational and research purposes only.

  • Not Medical Advice: Results should not be used for medical diagnosis or treatment
  • Consult Professionals: Discuss any health concerns with a licensed healthcare provider
  • No FDA Approval: Our analysis methods are not FDA-approved or validated for clinical use

6. Additional Security Measures

  • Content Security Policy (CSP): Prevents XSS attacks by restricting script sources
  • Error Tracking with Data Sanitization: Custom error tracking that NEVER logs genetic data
  • Audit Logging: All genetic data access logged with SHA-256 hashed user IDs
  • Auto-Deletion: Raw DNA files deleted within 5 minutes of processing completion
  • No Third-Party Access: Genetic data NEVER sent to external APIs (PostHog, OpenAI, etc.)
  • Regular Security Audits: Quarterly penetration testing and code reviews

7. Contact Information

Security Questions: security@exomedna.com

Privacy Questions: support@exomedna.com

General Support: support@exomedna.com

Response Time: Security issues: 48 hours | General inquiries: 3-5 business days

Last Updated: November 2025

Next Audit: February 2026 (Quarterly Schedule)