Skip to content
MediCaine compound numbing cream brand markMEDICAINE
DATA HANDLING

SECURITY & DATA

How MediCaine handles provider PII, license verification, payment information, and order records — encryption, access control, and the SOC 2-oriented controls that govern our infrastructure.

Data we collect

When you order MediCaine, we collect the information needed to verify your license, compound your order, ship it to your practice, and process payment. Specifically: practice name, contact email and phone, shipping address, provider first and last name, NPI number, state license number and license state, optional DEA number, and order details (formulation, size, packaging, quantity). For payment we collect what our payment processor requires; card details never touch our servers.

How we use it

We use provider identity data to verify against the National Provider Identifier (NPI) Registry maintained by CMS before any order ships. We use practice and shipping data to deliver compounded preparations to verified practice addresses. We use order details to compound the correct formulation and to enable auto-reorder. We use contact data to send order confirmations, shipping notifications, and operational communications. We do not sell provider or practice data to any third party. We do not use this data for marketing without an explicit opt-in.

Where the data lives

Order records, customer records, NPI verification attempts, and admin activity logs are stored in Cloudflare D1 — a managed SQLite database with encryption at rest and access control via Cloudflare Workers bindings. The website itself is served from Cloudflare Pages with HTTPS-only delivery. Admin tools at /admin/* are protected by Cloudflare Access (Zero Trust) — only authorized identities reach the admin interface; there is no app-level password.

Payment data

Payment card details are handled exclusively by our PCI-DSS compliant payment processor (iPOSPays / Dejavoo). Cards are entered on the processor's hosted payment page; we never see, store, or transmit raw card numbers. We retain only a tokenized reference and the transaction outcome.

Encryption

All traffic between your browser and our infrastructure is encrypted using TLS 1.3 with HSTS preload. Our security headers enforce HTTPS-only browsing for two years and protect against clickjacking, MIME sniffing, and content injection. Data at rest in Cloudflare D1 is encrypted by the platform. Backups inherit the same encryption posture.

Access control

Only authorized MediCaine pharmacy and operations staff have access to order data, and only through identity-verified Cloudflare Access sessions. We log every admin activity — sign-in, order view, order update — for audit traceability. Admin sessions cannot be cached or stored in browser history (Cache-Control: no-store). Failed NPI verifications are logged separately and retained for fraud monitoring.

Security headers

Every page response carries strict security headers: Strict-Transport-Security (2-year HSTS with preload), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, restrictive Permissions-Policy, Referrer-Policy, Cross-Origin-Opener-Policy, and a Content-Security-Policy restricting scripts, styles, fonts, images, and form actions to known origins. Admin routes carry stricter headers including Referrer-Policy: no-referrer and a tighter CSP.

SOC 2 posture

MediCaine is implementing controls aligned with the SOC 2 Trust Services Criteria across Security, Availability, Processing Integrity, Confidentiality, and Privacy. This page documents the controls currently in production. We do not currently hold a SOC 2 Type I or Type II report — that is a formal third-party audit process. We are honest about that: the controls are real, the certification is in progress. If you are an enterprise practice requiring documented evidence of specific controls before procurement, contact us at hello@medicainenumb.com.

Vulnerability disclosure

If you discover a security vulnerability, please report it to hello@medicainenumb.com with a description of the issue, steps to reproduce, and your contact details. We commit to acknowledging your report within two business days. Please do not publicly disclose the vulnerability until we have had reasonable time to address it. We do not currently run a paid bug bounty program but will publicly credit researchers who report substantive findings.

Provider obligations

Providers ordering MediCaine remain responsible for their own data handling in their practice — including patient records that may reference MediCaine use, prescription documentation, and any HIPAA-covered communications. MediCaine itself does not collect or store patient identifiers from provider practices; we only collect the provider-side ordering information needed to compound and ship.

Data retention

Order records and compounding logs are retained per state board of pharmacy requirements — typically a minimum of two years from the date of the last transaction. Payment records are retained per PCI-DSS guidance. NPI verification records are retained as part of the order record. We will delete or anonymize personal data on request to the extent that retention is not required by regulation. Contact hello@medicainenumb.com for data access or deletion requests.

Changes to this page

This page was last reviewed on 2026-06-03. Material changes to our security posture will be reflected here. For questions about a specific control, audit evidence, or our SOC 2 trajectory, contact us.