Zero Trust from check-in to close.
Every data path authenticated. Every action auditable. Every certificate verifiable.
ZETA — Zero Trust Architecture
Every request to aptiko passes through a ZETA-compliant gateway. Policy enforcement, identity verification, and authorization happen before any data is accessed.
Policy Enforcement
Every API request passes through a zero-dependency PEP with DPoP verification, JTI replay prevention, and OPA policy evaluation.
Identity Provider
17 Keycloak SPIs handle SM(C)-B authentication, device attestation, entity statements, and ZETA token exchange.
Policy Engine
OPA policies enforce role-based access, pharmacy-scoped data isolation, and audit logging for every operation.
brainpoolP256r1 — gematik-mandated cryptography
All TI 2.0 cryptographic operations use brainpoolP256r1 (BP-256) via node:crypto. ECDSA signatures use IEEE P1363 encoding (raw r||s, 64 bytes). No WebCrypto — it does not support brainpool curves.
BP-256
ECC curve
64 bytes
Signature size
0 deps
Security path
node:crypto
Implementation
DSGVO §203 StGB — Patient data protection
No PII leaves the system boundary. Hash-chained audit logs record every dispense, billing, and compliance event. Logs cannot be altered retroactively.
Hash-Chained Audit
Immutable event trail. Every action — dispense, billing, compliance — is cryptographically linked to the previous entry.
Pharmacy-Scoped Isolation
Data never crosses pharmacy boundaries. Row-level security ensures each pharmacy sees only its own records.
§203 StGB Protection
Professional secrecy obligations enforced at infrastructure level. Not a policy — a technical guarantee.
Compliance & Certifications
Continuous verification
840 automated tests. Every commit runs the full quality gate. Security regression tests verify cryptographic operations, authentication flows, and policy enforcement.
840
Automated tests
11
Test suites
0
Regressions
CI
On every commit