Security & Architecture

Last updated: 2026-06-07

Overview

This application is a client-first medical imaging management tool designed for orthodontic workflows. It enables secure handling of clinical images stored locally in the browser or in third-party cloud storage systems such as Microsoft OneDrive.

The system is built on a privacy-by-design architecture that keeps data exposure to a minimum.

1. Architecture Principles

The application follows these core principles:

  • Client-first execution (most operations run in the browser)
  • No centralized file storage
  • No user-owned medical data stored on servers
  • Bring-your-own-storage (BYOS) model
  • Minimal transient backend processing only when required

2. Data Flow Model

Local Files

  • Stored exclusively in the user's browser (IndexedDB / local storage)
  • Never transmitted to any backend server unless explicitly exported

Cloud Files (Microsoft OneDrive)

  • Files remain in the user's OneDrive account
  • Access is performed via Microsoft Graph API
  • Our backend acts only as a relay for Graph API requests; it does not hold a copy of the files

3. Backend Role

The backend is strictly limited to:

  • Relaying API requests to Microsoft Graph
  • Processing directory and file metadata temporarily in memory
  • Executing user-requested file actions (list, rename, delete, move) against the user's OneDrive

The backend does NOT:

  • Store files
  • Store file metadata permanently
  • Store logs containing patient data
  • Maintain databases of any user content

All request data is discarded immediately after the request completes.

4. Security Model

We implement the following security measures:

  • OAuth-based authentication via Microsoft Azure Active Directory
  • Short-lived access tokens (no persistent token storage on servers)
  • TLS encryption for all communications
  • Stateless backend architecture
  • No persistent session storage of user data

5. Medical Data Handling

This application may process filenames and folder structures that contain medical or patient-related identifiers (e.g. patient names).

These values:

  • Are only processed transiently
  • Are never stored in databases
  • Are not used for analytics or profiling

6. Third-Party Infrastructure

We rely on Microsoft services for cloud storage integration:

  • Microsoft OneDrive
  • Microsoft Graph API
  • Azure Active Directory (authentication)

These services operate under their own security and compliance frameworks.

Microsoft Privacy Statement: https://privacy.microsoft.com

7. Compliance Approach

The system is designed to support GDPR principles:

  • Data minimization
  • Storage limitation (no backend storage)
  • Purpose limitation (only file management operations)
  • Privacy by design and by default

8. Contact

For security or privacy inquiries, please contact us via the application settings.