
Security & trust

What we do, what we don't, and what's available on request.

PhlebotomySkills.com is a study-and-assessment platform. We process exam-prep responses, lesson progress, and account email/auth - not protected health information. This page lays out our actual posture so a procurement team can evaluate us without guessing.

Data we process

  • Account: email address, password hash (bcrypt via Supabase Auth), display name, optional country/state for state-requirement personalization.
  • Study progress: lesson completion, quiz scores, weak-area domain tags, study-streak metadata.
  • Billing metadata: Stripe customer ID and the last four digits of the card, surfaced through the Stripe Customer Portal. We never see or store full card numbers.

Data we do NOT process

  • Protected Health Information (PHI). We are not a clinical system. We do not handle patient records, lab orders, or specimen results in any production capacity.
  • Payment card numbers. Card data is collected and tokenized by Stripe; we receive only the customer ID and the success/failure event.
  • Government identifiers (SSN, driver's license, passport) - never collected.

Encryption

  • In transit: TLS 1.2+ enforced on every endpoint via Vercel's edge network. HSTS preload header set; subdomains included.
  • At rest: Supabase Postgres encrypts data at rest using AES-256. Backups and read replicas inherit the same encryption.
  • Secrets: Server-side keys (Stripe secret, Supabase service key, Resend, Claude API) live in Vercel environment variables; never exposed to the client bundle.

What we hold (and don't)

  • SOC 2 Type II report: not currently held. We are a small, single-operator platform; the audit cost is not yet justified by our scale. We will be honest about this when a buyer asks.
  • HIPAA BAA: available on request. Because we do not process PHI, the BAA is a contractual safety net for buyers whose vendor onboarding requires one regardless of scope.
  • HECVAT, CAIQ, security questionnaire: available on request. Email sales for the current version.
  • Penetration test summary: not currently published. We rely on Vercel's edge-network protections, Supabase's managed Postgres security, and standard secure-coding review.

Who we are

Legal entity: PhlebotomySkills.com is operated as a sole proprietorship in the United States.
Founder: Anonymous by choice; the platform is built and maintained by a working clinical-laboratory technician. Content is cited inline to CLSI standards and the ASCP BOC content guideline so credibility flows from sourced material rather than personal brand.
Where we run: Vercel (hosting + edge), Supabase (database + auth), Stripe (payments), Resend (transactional email).

Vulnerability disclosure

Found something? Email security@phlebotomyskills.com with reproduction steps. We respond within one business day. We do not currently run a bug-bounty program, but we recognize good-faith disclosures publicly on this page if the reporter wants credit.

Procurement teams: for the current security questionnaire, BAA template, encryption details, or any item above, email sales@phlebotomyskills.com. Same-business-day response.