FTG Imaging DC-Air Watchdog

Security at DC-Air Watchdog

Last updated: April 25, 2026

Summary

DC-Air Watchdog is built with privacy and security as defaults. We monitor wireless intraoral sensors using read-only access to existing log files and do not store, transmit, or process any patient health information (PHI). Every practice is fully isolated from every other practice at the database layer. All connections are encrypted in transit. Bearer tokens and user passwords are never stored in plaintext.

Latest scan results

Captured 2026-04-25; each scan can also be re-run live against dc-airwatchdog.com.

Qualys SSL Labs: TLS configuration grade for dc-airwatchdog.com
securityheaders.com: HTTP response header policy for dc-airwatchdog.com
Mozilla Observatory: combined web security tests for dc-airwatchdog.com
HSTS Preload: submission status for dc-airwatchdog.com (submitted to the Chromium browser source list)

What we collect (and what we don't)

We collect:
- Sensor serial numbers (e.g. S0001993)
- Docking-station serial numbers
- Operatory PC name (e.g. OP1-DESKTOP)
- Event timestamps (dock, undock, image-captured, BT)
- Sensor health (battery %, signal dB, temperature)
- Image quality stats (median energy of each X-ray)

We do not collect:
- Patient names or any PHI
- Dental images or X-ray pixel data
- Patient appointment data, schedules, or notes
- Insurance, billing, or payment data
- Browsing history or other behavioral telemetry
- Practice financial records (beyond the per-X-ray price you optionally enter)

The agent on each operatory PC reads the existing Athlos SDK log file, filters out everything except the events listed above, and discards the rest before transmitting.

How we protect your data

Encryption in transit
100% HTTPS. TLS certificates are issued by Let's Encrypt and auto-renewed. HTTP requests redirect to HTTPS. HSTS is enforced with a 2-year max-age, and the domain has been submitted to the Chromium HSTS preload list, which, once included, hardcodes HTTPS-only into Chrome, Firefox, Safari, and Edge for every visitor — even on first visit.
Per-practice isolation
Every event, alert, and user is scoped to a practice_id at the database layer. There is no path by which one practice can see another's data. Verified at every query.
Hashed credentials
User passwords are stored as bcrypt hashes (cost 12). Operatory bearer tokens are stored as SHA-256 hashes — the plaintext token is never persisted on the server after install.
Sensible browser defaults
Strict Content-Security-Policy, X-Frame-Options DENY (no clickjacking), Referrer-Policy strict-origin, Permissions-Policy disabling browser APIs we don't use (camera, mic, geolocation, etc.), and SameSite=Lax cookies.
CSRF protection
All state-changing endpoints require a per-session CSRF token. SameSite=Lax cookies provide additional protection against cross-site form submission.
Two-factor authentication (TOTP)
Every admin account can enable 6-digit one-time-password 2FA via any standard authenticator app (Google Authenticator, 1Password, Authy, Microsoft Authenticator, Bitwarden). Enable from Settings → Manage 2FA.
Login rate limiting + account lockout
Login attempts are rate-limited at the proxy layer. After 5 failed sign-in attempts within 15 minutes, the account is automatically locked for 30 minutes — applies to wrong passwords and wrong 2FA codes.
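The lockout rule above, written out as an application-side check. This is an added example and not DC-Air Watchdog's code; the in-memory state stands in for the real store, and the proxy-layer rate limit that sits in front of it is not shown.

```python
"""Added example (not DC-Air Watchdog's code): five failed sign-in attempts
within 15 minutes lock the account for 30 minutes; wrong passwords and wrong
TOTP codes both count. In-memory dicts are a stand-in for the real store."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5
WINDOW = timedelta(minutes=15)
LOCKOUT = timedelta(minutes=30)


class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(deque)   # username -> timestamps of failures
        self.locked_until = {}               # username -> datetime lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                     # lock expired: start with a clean slate
            del self.locked_until[user]
            self.failures[user].clear()
            return False
        return True

    def record_failure(self, user, now, stage):
        """stage is 'password' or 'totp'; both feed the same counter."""
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > WINDOW:     # drop failures older than the 15-minute window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            q.clear()
        return self.is_locked(user, now)

    def record_success(self, user):
        self.failures[user].clear()


def attempt_login(policy, user, now, password_ok, totp_ok):
    """Returns 'locked', 'ok' or 'denied'. The lock is checked first, so a
    locked account learns nothing about whether its credentials were right."""
    if policy.is_locked(user, now):
        return "locked"
    stage = None if password_ok else "password"
    if stage is None and not totp_ok:
        stage = "totp"
    if stage is None:
        policy.record_success(user)
        return "ok"
    policy.record_failure(user, now, stage)
    return "denied"
```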
Audit log
Every administrative action — sign-in, sign-out, operatory created or revoked, settings changed, alerts modified, 2FA enrolled or disabled — is recorded with the actor's username, IP address, target, and timestamp. Practice admins view their log at Audit log in the sidebar.
One-time install codes
Operatory installs use 12-character codes that are single-use and expire 24 hours after creation. Admins can revoke any operatory's bearer token from the dashboard at any time.
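The install-code and bearer-token handling described under "Hashed credentials" and "One-time install codes", as an added example that is not DC-Air Watchdog's code. It assumes a hypothetical in-memory store in place of PostgreSQL; the 12-character code, 24-hour expiry, single use, and SHA-256 storage of the token come from the page.

```python
"""Added example (not DC-Air Watchdog's code): operatory enrolment. Install
codes are 12 characters, single-use and expire 24 hours after creation. The
bearer token issued on redemption is persisted only as a SHA-256 hash, so a
copy of the database never yields a token that can authenticate."""
import hashlib
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 12
CODE_TTL = timedelta(hours=24)


@dataclass
class InstallCode:
    practice_id: int
    created_at: datetime
    used: bool = False


@dataclass
class Store:                      # hypothetical stand-in for the PostgreSQL tables
    install_codes: dict = field(default_factory=dict)   # code -> InstallCode
    token_hashes: dict = field(default_factory=dict)    # sha256 hex -> practice_id


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_install_code(store: Store, practice_id: int, now: datetime) -> str:
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    store.install_codes[code] = InstallCode(practice_id, now)
    return code


def redeem_install_code(store: Store, code: str, now: datetime):
    """Exchange a valid code for a bearer token, or None if unknown, used or expired."""
    rec = store.install_codes.get(code)
    if rec is None or rec.used or now - rec.created_at > CODE_TTL:
        return None
    rec.used = True                              # burn the code before issuing anything
    token = secrets.token_urlsafe(32)
    store.token_hashes[hash_token(token)] = rec.practice_id   # only the hash is stored
    return token                                 # plaintext goes to the agent once, then is gone


def authenticate_bearer(store: Store, token: str):
    """Hash the presented token and look it up; returns practice_id or None."""
    return store.token_hashes.get(hash_token(token))


def revoke_token(store: Store, token_hash: str) -> bool:
    """Admin revocation works on the stored hash, since the plaintext is unknown to the server."""
    return store.token_hashes.pop(token_hash, None) is not None
```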
Read-only integration
The agent only reads the Athlos SDK log file — it does not hook SDK APIs, modify the TWAIN process, or change Windows driver state. Removing the agent leaves no trace in the imaging pipeline.

Hosting

DC-Air Watchdog runs on Amazon Web Services in US East (Ohio). The application server runs FastAPI on Amazon Linux 2023 behind nginx. Persistent data lives in PostgreSQL 16. SSH access is restricted to a private key held only by DentalTI; the security group permits only ports 22, 80, and 443 from the public internet.

Reporting a security issue

If you believe you've found a security issue, please email david@dentalti.com with details. We will acknowledge receipt within 2 business days and work with you to verify and address the issue. We do not currently run a paid bug bounty program, but we publicly thank researchers who report valid issues responsibly.

See also our machine-readable security contact at /.well-known/security.txt.

Roadmap

In flight or planned: