PeptidePal is built from the ground up to protect Protected Health Information (PHI). Every layer of our architecture — from database to browser — enforces HIPAA safeguards so your clinic can focus on patient care.
Download Security Whitepaper (PDF)A high-level overview of how PeptidePal safeguards your clinic's data at every layer.
All Protected Health Information is encrypted both at rest and in transit. There are no scenarios in which PHI traverses an unencrypted channel.
| Layer | Standard | Details |
|---|---|---|
| Database (at rest) | AES-256 / KMS | Amazon RDS PostgreSQL with storage encryption via AWS KMS customer-managed keys (CMKs). All table data, indexes, WAL logs, and automated snapshots are encrypted. |
| File storage (at rest) | SSE-KMS | Patient documents, lab results, and consent forms stored in Amazon S3 with server-side encryption using KMS-managed keys. Bucket policies enforce encryption on all uploads. |
| Data in transit | TLS 1.2+ | All connections between clients, CloudFront, ECS services, and RDS enforce TLS 1.2 or higher. HSTS headers prevent protocol downgrade attacks. |
| API payloads | HTTPS only | All API endpoints reject plaintext HTTP via CloudFront and ALB listener rules. Certificate pinning enforced in the mobile application. |
| Backups | AES-256 / KMS | Automated RDS snapshots encrypted with KMS and retained per policy. Cross-region snapshot copies for disaster recovery. |
PeptidePal enforces a four-role permission model. Every API request is authorized against the caller's role and clinic membership before any data is returned.
| Role | Scope | Capabilities |
|---|---|---|
| Owner | Full clinic + billing | All permissions. Manage team members, billing, clinic settings, and organization structure. Only role that can delete a clinic or transfer ownership. |
| Admin | Full clinic (no billing) | Manage patients, protocols, appointments, team invites, and clinic settings. Cannot access billing or delete the clinic. |
| Provider | Assigned patients | View and manage assigned patients, create treatment plans, send messages, review lab results, and manage appointments. |
| Staff | Read-only + limited actions | View patient lists, check appointment schedules, manage intake forms. Cannot modify treatment plans or access clinical notes. |
Permissions are checked server-side on every request. The frontend hides unauthorized UI elements, but the enforcement boundary is always at the API layer — even if a client is modified, unauthorized requests are rejected with a 403 response.
Row-Level Security is the most critical layer of our data protection architecture. RLS policies are enforced at the database level — below the application code — ensuring that even a compromised API endpoint cannot return unauthorized data.
| Table | Policy | Enforcement |
|---|---|---|
| patients | Clinic membership required | Users can only query patients linked to clinics where they hold an active membership. |
| patient_provider_links | Provider + clinic scoped | Providers see only their own patient assignments. Admins/Owners see all links within their clinic. |
| messages | Link-scoped access | Messages are scoped to the patient-provider link. Only the assigned provider, the patient, and clinic admins can read a conversation. |
| lab_results | Clinic + patient scoped | Lab results are visible only to providers with an active link to the patient and membership in the clinic. |
| consent_forms | Clinic-scoped | Consent form templates are scoped to the clinic. Signed forms are additionally scoped to the specific patient. |
| audit_logs | Admin/Owner only | Audit logs are read-only and accessible only to clinic Owners and Admins. No user can modify or delete audit entries. |
RLS policies use the authenticated user's JWT claims (user ID, role) combined with clinic membership lookups. This means a provider at Clinic A cannot query any data belonging to Clinic B — the database itself rejects the query before results are assembled.
Every access to Protected Health Information generates an immutable audit record. These logs cannot be modified or deleted by any user, including system administrators.
| Field | Description |
|---|---|
| actor_id | UUID of the authenticated user performing the action |
| actor_role | Role at the time of action (owner, admin, provider, staff) |
| action | Operation performed (view, create, update, delete, export, download) |
| resource_type | Type of resource accessed (patient, lab_result, message, consent_form, etc.) |
| resource_id | UUID of the specific resource |
| clinic_id | Clinic context in which the action occurred |
| ip_address | Client IP address (for access anomaly detection) |
| user_agent | Client application identifier |
| timestamp | ISO 8601 timestamp with timezone (server clock, not client-supplied) |
| metadata | Additional context (e.g., fields changed, export format, search query) |
Application-level audit logs are stored in an append-only RDS table with database triggers that prevent UPDATE and DELETE operations. Infrastructure-level audit logs are captured by AWS CloudTrail with log file integrity validation. All logs are retained for 90 days in hot storage (CloudWatch Logs), then archived to S3 Glacier with Object Lock for 6 years per HIPAA retention requirements.
Amazon GuardDuty and CloudWatch Alarms provide automated monitoring for anomalous patterns including: bulk data exports, after-hours access, access from unfamiliar IP ranges, rapid successive queries across multiple patients, and unauthorized API calls at the infrastructure level.
PeptidePal runs entirely on HIPAA-eligible AWS services covered by a signed AWS Business Associate Agreement (BAA). The architecture follows defense-in-depth principles with multiple layers of isolation, monitoring, and automated threat response.
| Service | Purpose | Security Features |
|---|---|---|
| Amazon RDS (PostgreSQL) | Primary database | Multi-AZ deployment with automated failover, AES-256 encrypted storage and snapshots, IAM database authentication, automated backups with point-in-time recovery, RLS enforcement at the database layer |
| Amazon ECS (Fargate) | Application compute | Serverless containers with no SSH access surface, task-level IAM roles scoped to least privilege, VPC-isolated with private subnets, automatic patching of underlying infrastructure |
| Amazon Cognito | Authentication | HIPAA-eligible identity provider, MFA support (TOTP and SMS), advanced security features including adaptive authentication and compromised credential detection, user pool encryption with AWS KMS |
| Amazon S3 | Document & file storage | SSE-KMS encryption with customer-managed keys, bucket policies enforcing encryption and denying public access, versioning enabled for data integrity, S3 access logging for audit trail |
| Amazon CloudFront | Content delivery | TLS 1.2+ enforcement, DDoS protection via AWS Shield Standard, edge caching for static assets only (no PHI cached at the CDN layer), custom error pages |
| Stripe | Payment processing | PCI DSS Level 1 certified, no card data touches PeptidePal infrastructure, tokenized payment methods |
| Amazon SES | Transactional email | TLS-encrypted delivery, no PHI in email bodies — notifications contain links, not clinical data |
| Service | Purpose | HIPAA Feature |
|---|---|---|
| AWS KMS | Key management | Customer-managed encryption keys (CMKs) for all data at rest, automatic annual key rotation, full usage auditing via CloudTrail |
| AWS CloudTrail | API audit logging | Every AWS API call logged with tamper-evident log file integrity validation, multi-region trail for complete coverage, integrated with CloudWatch for real-time alerting |
| Amazon GuardDuty | Threat detection | ML-based anomaly detection across VPC flow logs, DNS logs, and CloudTrail events, automated findings published to Security Hub for centralized response |
| AWS WAF | Web application firewall | OWASP Top 10 rule set, rate limiting per IP and per path, IP reputation filtering, custom rules for API abuse patterns |
| AWS Config | Configuration compliance | Continuous monitoring of resource configurations against HIPAA conformance packs, automatic remediation rules for drift detection |
| AWS Shield Standard | DDoS protection | Always-on network-level DDoS mitigation for all internet-facing resources, automatic detection and inline mitigation |
| VPC & Security Groups | Network isolation | Private subnets for database and compute, NACLs and security groups enforcing least-privilege network access, VPC Flow Logs for network forensics |
| AWS BAA | Compliance | Signed Business Associate Agreement covering all HIPAA-eligible services deployed in the architecture |
PeptidePal uses multiple layers of authentication security to protect provider accounts.
| Feature | Implementation |
|---|---|
| Identity provider | Amazon Cognito (HIPAA-eligible) with adaptive authentication and compromised credential detection |
| Password hashing | SRP protocol with bcrypt-based server-side verification (configurable work factor) |
| Multi-factor authentication | TOTP-based MFA with optional SMS verification for high-risk actions |
| Session tokens | JWT with short expiration (1 hour), refresh token rotation via Cognito token endpoint |
| Session timeout | Configurable auto-lock (default 15 minutes of inactivity) with biometric re-authentication on mobile |
| Magic link authentication | Time-limited, single-use authentication links for patient onboarding |
| CSRF protection | SameSite cookie attributes, origin verification on state-changing requests |
| Rate limiting | AWS WAF rate-limiting rules per IP and per account to prevent brute force attacks |
| Secure headers | HSTS, X-Content-Type-Options, X-Frame-Options, CSP headers enforced at CloudFront edge |
PeptidePal follows the HIPAA minimum necessary standard — we collect, process, and retain only the data required to deliver the service.
| Data Type | Retention Period | Disposal Method |
|---|---|---|
| Patient records (PHI) | Duration of provider relationship + 6 years | AWS KMS key deletion (cryptographic erasure) followed by RDS record purge |
| Audit logs | 6 years minimum | CloudWatch Logs archived to S3 Glacier after 90 days with lifecycle policies |
| CloudTrail logs | 6 years minimum | Immutable log files in dedicated S3 bucket with Object Lock (WORM compliance) |
| Session logs | 90 days | Automatic deletion via S3 lifecycle policy after retention period |
| Payment records | Per Stripe retention policy | Managed by Stripe (PCI DSS Level 1); no card data stored on PeptidePal infrastructure |
| Backups | 30-day rolling window | Encrypted RDS snapshots older than 30 days are automatically destroyed via retention policy |
| Account data | Duration of account + 30 days | Full deletion upon account closure request, confirmed by support |
Providers can export all patient data at any time using the built-in data export feature (available on Multi-location and Enterprise plans). Data exports are generated server-side, encrypted, and delivered via a time-limited signed URL.
PeptidePal maintains a documented incident response plan aligned with HIPAA breach notification requirements.
Detection & Containment (0–1 hour)
GuardDuty and CloudWatch alarms detect anomalies. Affected ECS tasks and security groups are automatically isolated. Investigation begins immediately with CloudTrail forensics.
Assessment & Notification (1–24 hours)
Determine scope and nature of the incident. Affected covered entities notified within 24 hours of confirmed breach involving PHI.
Remediation (24–72 hours)
Root cause analysis completed. Vulnerabilities patched. Additional safeguards implemented to prevent recurrence.
Regulatory Reporting (as required)
If the breach involves 500+ individuals, HHS is notified within 60 days per HIPAA Breach Notification Rule. All incidents documented in the incident register.
Contact security@peptidepal.app to report a security concern or request our full incident response policy.
PeptidePal operates as a Business Associate under HIPAA. We execute Business Associate Agreements (BAAs) with every covered entity that uses our platform.
To request a BAA or discuss compliance requirements for your organization, contact us at compliance@peptidepal.app.
We're happy to discuss our security architecture, provide additional documentation, or schedule a call with your compliance team.