Security and Compliance

This page summarizes baseline controls used for enterprise Mimic deployments.

Identity and access

Session-based authentication for user access
Organization-scoped authorization checks on data access
Least-privilege role assignment for operators and admins

Secrets and credentials

Credentials stored encrypted at rest
Secrets never persisted in workflow source text
Rotation and revocation procedures supported through admin operations

Data protection

Encrypted transport for API and callback traffic
Audit-traceable run and status history
Scoped access to job evidence and screenshots

Application controls

Zod schema validation at API boundaries
Idempotent webhook handling
Explicit ownership checks for mutation endpoints

Compliance posture

Mimic supports healthcare-oriented deployment requirements through configurable controls and tenant isolation. Final compliance scope depends on customer architecture, policies, and signed agreements.

Customer deployment checklist

Configure SSO or identity policy requirements.
Review retention period for logs and screenshots.
Define incident response ownership and escalation paths.
Validate billing and audit exports required by finance/compliance teams.