Security and data protection.
Recavora is designed with the principle that access requires explicit consent — not just authentication. Being a verified organization, a verified professional, or a registered user does not grant access to another patient's data without an explicit, consent-based disclosure.
Core principle
Access requires consent. Always.
Most healthcare systems treat authentication as the gate to data: once you've proven who you are, you can see what your role allows. Recavora is different. Authentication is the entry point — not the permission. Every read of a patient record requires an explicit, patient-issued disclosure or an active role on the profile.
Three boundaries
Verification ≠ Access. Identity ≠ Permission. Organization ≠ Ownership.
Three principles enforced throughout the platform — visually distinct from a normal portal because the underlying access model is fundamentally different.
Verification ≠ Access
Being a verified clinic, lab, or professional signals legitimacy. It does not grant access to patient records. Access requires an explicit, consent-based disclosure from the patient.
Identity ≠ Permission
Knowing who someone is — even with verified credentials — is not the same as being permitted to view a record. Permission is granted by the patient, per disclosure.
Organization ≠ Ownership
Patients own their records — including the ones contributed by clinics, labs, or employers. Contributing to a record does not give an organization rights over it.
The boundary diagram
Each boundary is enforced in the database, the application, and the consent workflow.
Architecture
How the boundaries are enforced
Row-level security
Recavora enforces row-level security on every record. Database queries can only return data that the requesting user is explicitly authorized to see.
Workspace separation
Family, professional, clinic, laboratory, and reviewer workspaces are isolated. A workspace cannot read records belonging to another workspace without a patient-issued disclosure.
Disclosures are immutable
Every disclosure — what was shared, with whom, and when — is logged as an immutable record. Disclosures cannot be silently altered or deleted.
Auditability
All disclosures logged. All consent history visible.
Consent history always available
Patients can see every disclosure they have created — active, expired, or revoked — along with access logs for each one. The full consent history is always available in the patient profile.
Activity logging for contributions
Every record or imaging study contributed by a clinic, lab, or professional is logged with the sender, recipient, timestamp, and acceptance outcome. Visible to both sides.
Recavora avoids making unsupported claims regarding certifications, regulations, compliance programs, or security standards. Our security posture is described in terms of what the platform does — not in terms of accreditations.
Shared commitment
Security is part of stewardship
Built for continuity that stays patient-controlled
Security works when patients, families, and care teams coordinate intentionally — and when the platform refuses to bypass that coordination, even for verified parties.
Recavora provides protections. The decisions remain human.
