Security shouldn't be a bolt-on feature or an expensive add-on tier. In Zeph, enterprise-grade security is built into every deployment — from the free evaluation all the way to the full CME+ suite.
Encryption Everywhere
Every piece of data in Zeph is protected by AES-256 encryption — both at rest and in transit. But we go further than standard database encryption. Zeph includes application-level PHI encryption using AES-256-GCM with versioned format tags, random initialization vectors, and authenticated encryption. This means sensitive fields are encrypted before they ever reach the database, not just by the database.
Key rotation is built in. When it's time to rotate encryption keys, the system handles it gracefully without downtime or data migration.
Multi-Factor Authentication
Zeph supports TOTP-based multi-factor authentication (compatible with Google Authenticator, Authy, 1Password, and hardware keys) with optional organizational enforcement. Administrators can require MFA for all users or specific roles — and the system won't let anyone bypass it.
Role-Based Access Control
The platform ships with 7 default roles and 10 granular permissions, but the real power is in customization. The RBAC Permission Matrix lets administrators define module-level and submodule-level access for every role — covering 6 modules and 30+ submodules. Dual-listbox user-to-group assignment makes it easy to manage access at scale.
Tab-level access control means restricted case tabs are visually grayed out and functionally disabled per role. Users see exactly what they're authorized to see — nothing more.
Tamper-Evident Audit Trail
Every action in Zeph — every login, every record view, every edit, every download — is logged in an immutable audit trail with SHA-256 integrity chain hashing. If anyone tampers with a log entry, the chain breaks and the system knows.
Audit logs are exportable in JSON and NDJSON formats for SIEM integration (Splunk, ELK, and similar platforms). Verbose detail columns show user role, office, and old-to-new value diffs for every change.
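An added illustration of the SHA-256 integrity chain and NDJSON export described above (example code, not Zeph's own implementation): each record's hash commits to the previous record's hash plus the entry, and a verifier walking the exported file reports the first record at which the chain no longer holds. The genesis anchor, record layout and sample events are assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # Anchor for the first record (an assumption; Zeph's actual anchor is not documented)

def canonical(entry):
    # Stable serialization so the hash does not depend on key order or whitespace.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(prev_hash, entry):
    # Each hash commits to its predecessor and to the entry: SHA-256(prev_hash || entry).
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()

def append_entry(log, entry):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev_hash": prev, "entry": entry, "hash": entry_hash(prev, entry)})
    return log[-1]

def export_ndjson(log):
    # One JSON record per line, the shape a SIEM ingests.
    return "\n".join(json.dumps(r, sort_keys=True) for r in log) + "\n"

def verify_ndjson(text):
    """Recompute the chain over an NDJSON export: (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, line in enumerate(l for l in text.splitlines() if l.strip()):
        rec = json.loads(line)
        if rec["prev_hash"] != prev or entry_hash(prev, rec["entry"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None

def build_sample_log():
    # Constructed sample events (login, record view, edit with old/new diff), not real data.
    events = [
        {"seq": 1, "user": "alice", "role": "clinician", "office": "north", "action": "login"},
        {"seq": 2, "user": "alice", "role": "clinician", "office": "north", "action": "view", "record": "case-1042"},
        {"seq": 3, "user": "alice", "role": "clinician", "office": "north", "action": "edit",
         "record": "case-1042", "field": "status", "old": "open", "new": "closed"},
    ]
    log = []
    for e in events:
        append_entry(log, e)
    return log

def tamper_rehash_demo():
    # Rewrite an earlier entry and recompute its own hash; the successor's prev_hash still points at the old hash, so the break shows one record later.
    log = build_sample_log()
    log[1]["entry"]["user"] = "mallory"
    log[1]["hash"] = entry_hash(log[1]["prev_hash"], log[1]["entry"])
    return verify_ndjson(export_ndjson(log))
```

Editing a value in the export without recomputing anything fails at that record; recomputing the edited record's hash only moves the failure to the next record, which is why every entry must be re-hashed to hide a change, and why the chain head should be anchored outside the log (a signed checkpoint or write-once store) to defeat that.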
Virus Scanning
Document uploads are scanned through ClamAV integration before they enter the system. Infected files are rejected at the door — not discovered after they've been distributed.
Session Management & Rate Limiting
Sessions are managed through Redis-backed JWT blacklisting with automatic TTL expiry and configurable timeouts. Rate limiting is enforced per-IP with Redis backing, so each client consumes only its own quota and no single client can exhaust the limit for everyone else. Auth endpoints get tighter limits (10 req/min) while general traffic gets a generous 200 req/min ceiling.
HIPAA-Ready by Default
Zeph doesn't charge extra for HIPAA compliance features. Every deployment includes the encryption, access controls, audit logging, and session management that HIPAA requires. We provide a configuration guide that maps Zeph's capabilities to specific HIPAA sections (§164.312 and related), so your compliance team can verify coverage without guessing.