Bookings confirm from Consulta server state, not from browser-only return pages.
Security
Security and trust status
Consulta is built for practical trust: clients need to know where their booking, payment, calendar handoff, notification, and video access data goes. This page states what is live, what is protected by design, and what is still gated.
Clients use confirmation passes and Beam join links without exposing raw dashboard access.
WOP, SMTP, live payments, connected calendars, and regulated-use guarantees stay gated until proven.
Payments and card data
Consulta keeps payment creation and confirmation on the server. Browser redirects and return pages are treated as navigation only; a paid booking becomes confirmed only after trusted server-side payment status.
- Consulta does not collect or store card numbers.
- Payment provider tokens stay server-side in the API service.
- Simulator checkout remains separate from live payment-provider proof.
Client access and recovery
Booking recovery is intentionally narrow. Access-link lookups use the booking contact, failed lookups stay generic, and clients are routed back to the confirmation pass as the durable handoff.
- Confirmation passes avoid requiring a full password account for MVP clients.
- Booking-ID recovery remains a fallback when a client has the reservation reference.
- Private booking records, provider refs, and dashboard routes are not public discovery targets.
Video links
Beam join access is tokenized and product-agnostic. Consulta should not put consulting notes, payment data, or private booking fields into Beam room contracts.
- Pre-join checks keep camera, microphone, name, and device selection in the browser flow.
- Expired or invalid join links route to recovery instead of exposing room internals.
- Final real-device and 30-minute media proof remain acceptance gates.
Provider integrations
Notification delivery and payment links use adapters so WOP, SMTP, and Silvatech Payments credentials stay out of the web app. Live delivery remains gated until credentials and smoke proof exist.
- Secrets belong in the API runtime only, never in browser bundles.
- WhatsApp and email messages should point back to the same confirmation pass.
- Provider failures must not invent payment proof or expose private tokens.
Regulated-use boundary
Consulta is not claiming HIPAA, PHI handling, SOC 2, ISO certification, or healthcare readiness in this MVP. Telemedicine or regulated skins need their own policy, consent, provider, and compliance work.
- Do not enter regulated health information into generic booking notes.
- Legal/privacy copy still needs final human approval before broad launch.
- Connected calendar sync remains a later gate with its own access rules.