Compliance

Control frameworks and checkpoints (wire to your policies and audits).

HIPAA-oriented controls

Map each control to owners and evidence stored under Documents.

Protect PHI: use least-privilege RBAC, audit logs, and signed URLs for files in Supabase Storage (add in a follow-up).