Security and data protection.

Recavora is designed with the principle that access requires explicit consent — not just authentication. Being a verified organization, a verified professional, or a registered user does not grant access to another patient's data without an explicit, consent-based disclosure.

Core principle

Most healthcare systems treat authentication as the gate to data: once you've proven who you are, you can see what your role allows. Recavora is different. Authentication is the entry point — not the permission. Every read of a patient record requires an explicit, patient-issued disclosure or an active role on the profile.

Three boundaries

Verification ≠ Access. Identity ≠ Permission. Organization ≠ Ownership.

Three principles enforced throughout the platform — visually distinct from a normal portal because the underlying access model is fundamentally different.

Verification ≠ Access

Being a verified clinic, lab, or professional signals legitimacy. It does not grant access to patient records. Access requires an explicit, consent-based disclosure from the patient.

Identity ≠ Permission

Knowing who someone is — even with verified credentials — is not the same as being permitted to view a record. Permission is granted by the patient, per disclosure.

Organization ≠ Ownership

Patients own their records — including the ones contributed by clinics, labs, or employers. Contributing to a record does not give an organization rights over it.

The boundary diagram

Verified
Access
Identified
Permitted
Contributed
Owned

Each boundary is enforced in the database, the application, and the consent workflow.

Architecture

How the boundaries are enforced

Row-level security

Recavora enforces row-level security on every record. Database queries can only return data that the requesting user is explicitly authorized to see.

Workspace separation

Family, professional, clinic, laboratory, and reviewer workspaces are isolated. A workspace cannot read records belonging to another workspace without a patient-issued disclosure.

Disclosures are immutable

Every disclosure — what was shared, with whom, and when — is logged as an immutable record. Disclosures cannot be silently altered or deleted.

Auditability

Consent history always available

Patients can see every disclosure they have created — active, expired, or revoked — along with access logs for each one. The full consent history is always available in the patient profile.

Activity logging for contributions

Every record or imaging study contributed by a clinic, lab, or professional is logged with the sender, recipient, timestamp, and acceptance outcome. Visible to both sides.

Recavora avoids making unsupported claims regarding certifications, regulations, compliance programs, or security standards. Our security posture is described in terms of what the platform does — not in terms of accreditations.

Shared commitment

Security is part of stewardship

Built for continuity that stays patient-controlled

Security works when patients, families, and care teams coordinate intentionally — and when the platform refuses to bypass that coordination, even for verified parties.

Recavora provides protections. The decisions remain human.