SThe Smile Grid

Trust & Security

Security Policy

Our technical and organisational security measures tenant isolation, authentication, audit logging, and incident response.

Effective April 30, 2026Version 1.0

Security Overview

Last Updated: 30 April 2026

1. Introduction

At The Smile Grid (“SmileGrid,” “we,” “us,” or “our”), security is a core part of how we design, build, deploy, and operate our platform.

This Security Overview describes the security principles, controls, and operational practices we apply to protect the SmileGrid platform, customer workspaces, and data processed through the Services.

This page is intended to provide a high-level description of SmileGrid’s security approach. It is not a guarantee that the Services are immune from all vulnerabilities, outages, or threats.

No internet-connected platform can be guaranteed to be completely secure. SmileGrid applies reasonable technical and organizational safeguards designed to reduce risk and strengthen resilience.

2. Scope

This Security Overview applies to:

  • The public SmileGrid website
  • The SmileGrid platform administration environment
  • Tenant workspaces and subdomain-based access
  • Platform authentication and access controls
  • Operational logging, monitoring, and incident handling
  • Security practices for infrastructure and application layers

Where customer organizations use SmileGrid to manage clinic or patient-related information, this Security Overview should be read together with the applicable customer agreement, Terms of Use, and Privacy Policy.

3. Security Principles

SmileGrid is designed around the following principles:

  • Least privilege access wherever practical
  • Tenant-aware isolation for shared-platform architecture
  • Role-based access control for platform and tenant users
  • Defense in depth across application, infrastructure, and operational layers
  • Secure defaults for authentication, access, and data handling
  • Auditability for security-sensitive actions
  • Operational resilience through monitoring, logging, and controlled deployment practices

4. Platform Architecture Security

SmileGrid is designed as a multi-tenant SaaS platform. The platform may use shared infrastructure while applying logical separation and access controls between customer environments.

Security architecture measures may include:

  • Tenant-aware request handling
  • Tenant and clinic scoping in application logic
  • Server-side access validation
  • Role and permission enforcement
  • Restricted object access checks
  • Controlled routing for public, tenant, and platform admin contexts

Where relevant, SmileGrid distinguishes between:

  • Public website access
  • Platform administrator access
  • Tenant workspace access
  • Clinic-scoped operational access

5. Access Control and Authentication

SmileGrid uses access controls intended to ensure users can only access the parts of the platform they are authorized to use.

Security practices may include:

  • Authenticated access for protected areas
  • Role-based permissions
  • Tenant-level access restrictions
  • Clinic-level access restrictions where applicable
  • Session and cookie protections
  • Login attempt controls and rate limiting on sensitive endpoints
  • Audit logging for important account and access events

Access to administrative functions may be restricted to authorized roles only.

Users are responsible for:

  • Protecting their login credentials
  • Using strong passwords where applicable
  • Preventing unauthorized use of their accounts
  • Promptly reporting suspected account compromise

6. Tenant and Clinic Isolation

SmileGrid is designed to apply logical isolation between customer environments.

This may include:

  • Tenant-aware routing and workspace resolution
  • Tenant-scoped data access rules
  • Clinic-level filtering and access enforcement
  • Server-side validation of resource ownership and scope
  • Protection against unauthorized cross-tenant and cross-clinic access

SmileGrid aims to prevent users from accessing records outside their authorized tenant and clinic scope.

7. Data Protection Measures

SmileGrid uses technical and organizational measures designed to help protect data processed through the platform.

These may include:

  • Access restrictions based on role and scope
  • Application-level validation and authorization
  • Secure transmission practices
  • Protected storage paths for uploaded assets where applicable
  • Controlled response shaping to reduce unnecessary data exposure
  • Operational safeguards around logs, audit trails, and error handling

SmileGrid seeks to minimize unnecessary exposure of sensitive data in APIs, dashboards, logs, and user interfaces.

8. Application Security Practices

SmileGrid follows secure development and hardening practices designed to reduce common application security risks.

These practices may include:

  • Input validation at API boundaries
  • Explicit allowlisting of accepted fields for create/update operations
  • Server-derived tenant and clinic context
  • Authorization checks on protected operations
  • Protections against insecure direct object access
  • Upload validation for permitted file types and sizes
  • Safe handling of platform and tenant administration actions
  • Reduction of verbose error exposure in production

Security reviews and remediation may be performed periodically as the product evolves.

9. Infrastructure and Hosting Security

SmileGrid may be deployed using cloud-hosted infrastructure and managed services.

Infrastructure-level protections may include:

  • Controlled server and database access
  • Reverse proxy and HTTPS configuration
  • Environment-based secret management practices
  • Restricted public exposure of internal application ports
  • Logging and monitoring support
  • Backup and recovery readiness
  • Operational controls for production deployment

Where relevant, infrastructure components may include web servers, application processes, managed databases, and supporting storage services.

10. File Upload and Asset Security

Where SmileGrid supports file or asset uploads, SmileGrid applies validation and handling controls intended to reduce misuse.

These controls may include:

  • Allowed file type restrictions
  • File size limits
  • Safe file naming
  • Restricted serving paths
  • Authenticated access for protected assets where required
  • Rejection logging for invalid or suspicious upload attempts

SmileGrid may refuse or discard files that do not meet permitted validation requirements.

11. Logging, Monitoring, and Auditability

SmileGrid maintains logs and audit records intended to support platform security, troubleshooting, and operational accountability.

Depending on the feature and deployment, SmileGrid may record events such as:

  • Successful and failed login attempts
  • Logout events
  • Admin and user management changes
  • Branding or settings changes
  • Contract and provisioning actions
  • Patient and visit workflow changes where appropriate
  • Upload acceptance or rejection events
  • Security-sensitive permission or status changes

Logs and audit records are intended to support operational review, incident response, and accountability, while seeking to avoid unnecessary exposure of sensitive payload data.

12. Incident Response

SmileGrid aims to investigate and respond to suspected security events in a timely and structured manner.

Incident response activities may include:

  • Initial review and triage
  • Containment and mitigation
  • Root cause investigation
  • Recovery and service restoration
  • Internal tracking and corrective action
  • Customer or stakeholder communication where appropriate
  • Legal or regulatory escalation where required

Where applicable, security incidents may be handled in accordance with legal or regulatory obligations, including applicable cyber incident reporting requirements.

Incident response timelines may vary depending on the severity, scope, and nature of the event.

13. Availability and Resilience

SmileGrid is designed with operational continuity in mind, but no service can guarantee uninterrupted availability at all times.

Operational resilience measures may include:

  • Controlled deployment practices
  • Restart and recovery processes
  • Backup readiness
  • Monitoring of application and infrastructure behavior
  • Log-based troubleshooting support
  • Maintenance procedures and security patching where practical

Planned maintenance, infrastructure events, third-party outages, or security events may affect service availability.

14. Customer Responsibilities

Security is a shared responsibility. Customer organizations and users are expected to support secure use of the platform.

Customer responsibilities include:

  • Assigning access only to authorized personnel
  • Reviewing user roles and permissions regularly
  • Managing clinic assignments carefully
  • Protecting credentials and authentication methods
  • Providing lawful and appropriate data to the platform
  • Reporting suspected misuse, compromise, or suspicious activity promptly
  • Maintaining their own internal privacy, consent, and operational controls where required

Customer organizations remain responsible for their own legal and professional obligations in relation to data they submit to the platform.

15. Security Limitations

While SmileGrid applies reasonable safeguards, the platform cannot guarantee:

  • That the Services will be uninterrupted at all times
  • That every threat, exploit, or unauthorized attempt will be prevented
  • That third-party infrastructure or dependencies will never fail
  • That customer-side misuse, weak credential practices, or unauthorized sharing will not create risk
  • That all vulnerabilities can be identified before exploitation

For this reason, SmileGrid treats security as an ongoing process of improvement rather than a one-time control exercise.

16. Reporting Security Concerns

If you believe you have identified a security issue or vulnerability related to SmileGrid, please contact us through the designated security or support channel.

Please include, where possible:

  • A clear description of the issue
  • The affected page, module, or endpoint
  • Steps to reproduce the issue
  • Relevant screenshots or logs, if available
  • Your contact information for follow-up

We request that suspected vulnerabilities be reported responsibly and not exploited, publicly disclosed, or used to access data without authorization.

17. Changes to This Security Overview

We may update this Security Overview from time to time to reflect changes in the platform, infrastructure, operations, or security practices.

Where we make updates, we will revise the effective date and publish the updated version.

18. Contact

For security-related questions or reports, please contact:

The Smile Grid [Legal Entity Name] [Registered Address] Email: [security@thesmilegrid.com] Phone: [●]

For privacy-related concerns, please refer to the Privacy Policy or Grievance page.

Questions about this policy? Contact us at our contact page or write to legal@thesmilegrid.com.