Encryption & Data Protection
What's encrypted, how, and why — protecting patient data at every level.
Encryption in Transit
All data moving between users and the platform, and between the platform's own components, is encrypted with TLS (HTTPS for browser and API traffic). This includes:
- Browser to application (patient portal, clinic app)
- Application to database
- Application to external services (Clerk, Daily.co, AWS S3)
No unencrypted connections are accepted.
Encryption at Rest
Patient data is encrypted when stored, at two levels:
Infrastructure encryption
The database (AWS RDS PostgreSQL) encrypts all stored data with AES-256 at the storage layer. This protects against physical access to the storage media: if someone obtained the underlying disks, the data would be unreadable. It is transparent to the database itself, though, so anyone who can run queries against the database sees plaintext.
Application-level encryption
The most sensitive fields receive an additional layer of encryption applied by the application itself, before the data reaches the database:
| Field | Why Extra Encryption |
|---|---|
| Patient phone numbers | Direct patient contact information |
| API keys | Credentials that grant system access |
Application-level encryption means that even someone with direct database access (a database administrator, for instance) cannot read these fields without the application's encryption keys.
How keys are managed
- Encryption keys are held in AWS Key Management Service (KMS), a dedicated, audited key store. The master key material never leaves KMS; the application asks KMS to perform or unlock each encryption and decryption.
- Keys are never stored in application code, configuration files, or environment variables
- Key access is logged: every use of a key to encrypt or decrypt is recorded, so unexpected access patterns can be reviewed
- Keys are rotated periodically; old key versions are retained so existing data can still be decrypted, while new data is encrypted under the current version
What Is NOT Encrypted at the Application Level
Most patient data (names, dates of birth, medical history, form responses) relies on infrastructure encryption only. This is a deliberate trade-off:
- Infrastructure encryption protects against physical access to the storage media, but it is transparent to anyone who can query the database, so it does not by itself stop a breach that goes through the database
- Application-level encryption adds significant complexity to querying and indexing
- Fields that need to be searchable or sortable cannot be application-encrypted without specialized techniques (such as deterministic encryption or blind indexes)
The fields chosen for application-level encryption are those that are both highly sensitive and rarely queried directly.
Data Protection Beyond Encryption
| Measure | What It Does |
|---|---|
| Row-Level Security | Prevents cross-clinic data access at the database level |
| Audit logging | Records who accessed what data and when |
| Signed forms immutability | Prevents tampering with signed consent and clinical documents |
| PII masking in logs | Passwords, tokens, and API keys are redacted before a log entry is written, so a leaked log does not leak credentials |
| Pseudonymized analytics | Analytics data uses hashed identifiers — no direct patient identifiers in the analytics database |
For developers
Technical details — encryption algorithms, key rotation procedures, KMS configuration, and field-level encryption implementation — are available in the Encryption and Key Rotation reference.