ctHelixOne

Architecture & security

Production-grade engineering. Hardened defaults. Defense in depth.

Operations software has to be the most predictable thing in your incident. ctHelixCAD™ is built on a vetted, production-grade stack and a security model that takes every layer seriously — credentials, transport, storage, audit, and operational posture.

Stack at a glance

The whole list.

Client
React, Vite, TypeScript, Tailwind — modern, audited browser surface
Server
Fastify on Node.js (TypeScript end-to-end) — schema-validated routes, secure defaults
Database
Standard SQL backbone — production-grade, replication-ready, hot-standby capable. Same application code, same schema, deploy on the database posture your IT team already supports.
Encryption at rest
AES-256 at rest for the operational database, using vetted, industry-standard primitives. Backups inherit the same encryption posture.
Encryption in transit
TLS 1.2+ for every request; HSTS enforced; no plaintext credentials on the wire
Realtime
Socket.IO over TLS — authenticated namespaces, token-bound subscriptions
SMS
Optional SMS surface for mobile login links and other field workflows. Provider-agnostic and switchable.
Auth
Argon2id for operator passwords and field PINs · role-based permissions with granular scopes · independent mobile auth surface
License crypto
Ed25519-signed license bundles bound to an install ID, with periodic host-attestation check-in
Deployment
Single Linux VM, systemd-supervised. Production and demo can co-host on one machine without shared state.

Engineering decisions

Every choice was deliberate. Here’s the reasoning.

Standard SQL, one application

A production-grade SQL backbone: replication-ready, hot-standby capable, and already supported by your DBA team. Standard schema, standard tooling, standard backup pipeline. One application codebase and one schema, deployed on whichever supported database posture your IT team already runs.

Standard, well-understood stack

No proprietary database, no vendor mesh, no exotic runtime. Standard SQL, standard tooling, standard Linux. Your security team and your DBAs recognize every piece of it on first read — and they can audit, instrument, and harden it with the tools they already trust.

Independent authentication surfaces

The dispatcher console and the field-mobile surface are deliberately isolated — different token shapes, different lifetimes, different scopes, different storage paths. A compromised field PIN cannot escalate into console access. The two surfaces share data, not identity.

Linux + systemd, supervised end-to-end

Every shop already runs it. Crash recovery, log rotation, health checks, and process supervision are handled by the OS — battle-tested code paths instead of a custom orchestrator. There is no new operational surface to staff around.

Application security

Defense in depth, built into every layer.

ctHelixCAD™ treats every layer as a security surface — credentials, transport, storage, audit, and operational posture. Every primitive below is a vetted industry standard, configured with hardened defaults, and exposed to the operator for review.

Authentication & authorization

  • Argon2id (memory-hard, side-channel resistant) for every credential at rest, operator passwords and field PINs alike. Hashing cannot add entropy a short numeric PIN does not have, so for PINs the rate-limited endpoints below are the control that matters.
  • Role-based access control with granular, agency-scopable permissions. License management sits behind its own permission gate.
  • Independent authentication surfaces for the dispatcher console and the mobile companion — separate token shapes, separate lifetimes, separate scopes.
  • Short-lived, sliding session tokens for mobile: activity extends the idle window, an idle handset ages out, and no long-lived bearer token is ever issued to the device.
  • Idle session timeouts on administrative and license-management surfaces.
  • Rate-limited authentication endpoints with progressive back-off on repeated failure.
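Argon2id raises the cost of each guess, but a four-digit PIN has only ten thousand values, so for PINs the back-off on the endpoint is what makes guessing impractical. The block below is an added example of a progressive back-off keyed per account (not the project's own limiter): the free-attempt count, base delay and ceiling are assumptions, and the replay at the end runs a constructed guessing sequence so the effect can be measured.

```typescript
// Progressive back-off for an authentication endpoint. Added example; the
// thresholds are assumptions, not ctHelixCAD's configuration. Keyed per
// account so a guesser gains nothing by rotating source addresses; a second
// limiter keyed per source address can sit alongside it.
interface Bucket {
  failures: number;     // consecutive failures since the last success
  lockedUntil: number;  // ms timestamp before which attempts are refused
}

export class AuthBackoff {
  private readonly buckets = new Map<string, Bucket>();

  constructor(
    private readonly freeAttempts = 3,          // failures allowed before any delay
    private readonly baseDelayMs = 1_000,       // first delay; doubles per further failure
    private readonly maxDelayMs = 15 * 60_000,  // ceiling for the delay
  ) {}

  /** Milliseconds until the next attempt for `key` is accepted; 0 means open. */
  retryAfterMs(key: string, now: number): number {
    const b = this.buckets.get(key);
    return b ? Math.max(0, b.lockedUntil - now) : 0;
  }

  /** Record a failed credential check; returns the delay it imposes. */
  recordFailure(key: string, now: number): number {
    const b = this.buckets.get(key) ?? { failures: 0, lockedUntil: 0 };
    b.failures += 1;
    const over = b.failures - this.freeAttempts;
    const delay = over <= 0 ? 0 : Math.min(this.maxDelayMs, this.baseDelayMs * Math.pow(2, over - 1));
    b.lockedUntil = now + delay;
    this.buckets.set(key, b);
    return delay;
  }

  /** A successful login clears the counter. */
  recordSuccess(key: string): void {
    this.buckets.delete(key);
  }

  /** Upper bound on guesses per day against one key once the delay is capped. */
  guessesPerDayAtCap(): number {
    return Math.floor(86_400_000 / this.maxDelayMs);
  }
}

export type Outcome = 'ok' | 'denied' | 'locked';

// Gate one login attempt. `checkCredential` is whatever verifies the Argon2id
// hash; it only runs when the limiter lets the attempt through, so a locked
// account costs the server nothing.
export function attemptLogin(
  limiter: AuthBackoff, key: string, now: number, checkCredential: () => boolean,
): Outcome {
  if (limiter.retryAfterMs(key, now) > 0) return 'locked';
  if (checkCredential()) { limiter.recordSuccess(key); return 'ok'; }
  limiter.recordFailure(key, now);
  return 'denied';
}

// Replay a constructed guessing run against one field PIN: `attempts` wrong
// guesses, `secondsApart` seconds between them. Returns how many guesses the
// credential check actually evaluated versus how many were refused outright.
export function replayGuessing(attempts: number, secondsApart: number): { evaluated: number; locked: number } {
  const limiter = new AuthBackoff();
  let evaluated = 0;
  let locked = 0;
  for (let i = 0; i < attempts; i++) {
    const out = attemptLogin(limiter, 'pin:unit-12', i * secondsApart * 1000, () => false);
    if (out === 'locked') locked += 1; else evaluated += 1;
  }
  return { evaluated, locked };
}
```

With these assumed thresholds, one hundred guesses a second apart get only ten of them evaluated, and once the ceiling is reached an attacker is held to 96 guesses per day per account, which is what turns a ten-thousand-value PIN space into months of work rather than minutes.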

Cryptography

  • AES-256 encryption at rest for the operational database, using vetted, industry-standard transparent or filesystem-level encryption appropriate to the deployed engine.
  • TLS 1.2+ for every HTTP and Socket.IO connection; HSTS enforced; secure cookies only.
  • Ed25519-signed license bundles bound to an install ID. A leaked bundle does not verify on a host with a different install ID. Offline verification alone cannot distinguish a cloned install ID from the original; that is the case the periodic host-attestation check-in is for.
  • Backups inherit the at-rest encryption posture; backup artifacts are themselves encrypted.
  • No custom cryptographic primitives. Every algorithm is a vetted, widely deployed standard.

Application & API hardening

  • Schema-validated input on every API surface (Fastify + TypeBox). Malformed or off-spec payloads are rejected before they reach business logic.
  • Secure-by-default HTTP response headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
  • CSRF protection on state-changing routes; cross-origin requests are denied by default.
  • Output encoding throughout the React surface — XSS-resistant rendering rather than ad-hoc escaping.
  • Least-privilege database role at runtime — DDL and superuser access are never reachable from the application.
  • Secrets stored outside the operational database — environment, OS keyring, or your existing secret-management system.

Auditability & data protection

  • Audit log captures every mutation — status changes, assignments, notes, configuration edits, license-management actions — with user attribution and timestamps.
  • PHI tables (EMS Transport add-on) scoped to the transport module with a distinct PHI audit log.
  • No telemetry on operational data. No phone-home with incidents, units, rosters, or patients. Crash and diagnostic reporting is opt-in and scrubbed.
  • Air-gap-friendly deployment: the periodic license check-in is the only outbound call the system makes, it carries no operational data, and the system runs normally between check-ins.
  • Single-tenant by design — your instance, your database, your isolation. No shared multi-tenant surface to escape from.

EMS Transport add-on

What the add-on adds — and what it deliberately doesn’t.

Customers ask three questions about EMS Transport every time. Here are the three answers.

CAD-only, not a PCR replacement

EMS Transport is a CAD module. It captures what dispatch and the unit owe the record — phase timestamps, service level, destination, mileage. Your patient care report stays where it is.

Capture-and-export billing

CMS-aligned data per transport: HCPCS codes, PCS expiration tracking per patient or template, service level classification. Exported on demand for your billing partner. We don’t produce 837P claims.

HIPAA-aligned protections

PHI tables scoped to the transport module and encrypted at rest. A PHI-specific audit log distinct from the general audit log. Role-gated access, idle session timeouts on administrative surfaces, and least-privilege database roles. Final compliance posture depends on your deployment — talk to us about your framework.

Compliance posture

Production-grade primitives, transparently deployed.

ctHelixCAD™ is engineered with the primitives every framework expects — encrypted storage and transport, hardened authentication, granular RBAC, comprehensive audit logging, single-tenant isolation, and self-hosting. Final compliance against HIPAA, CJIS, FedRAMP-style controls, or any specific framework is always a function of how an environment is operated; we publish what the platform provides so your security team can map it to the controls they own.

Want the architecture diagram for your security review?

We’ll send a one-pager you can drop into your packet, then schedule a call if your team has follow-ups.