HIPAA-Hardened Platform

Security & Compliance

PeptidePal is built from the ground up to protect Protected Health Information (PHI). Every layer of our architecture — from database to browser — enforces HIPAA safeguards so your clinic can focus on patient care.

Download Security Whitepaper (PDF)

Six Pillars of Protection

A high-level overview of how PeptidePal safeguards your clinic's data at every layer.

Encryption Everywhere

  • AES-256 encryption at rest for all databases and storage
  • TLS 1.2+ for all data in transit — no exceptions
  • Stripe-managed PCI-compliant payment data (never stored on our servers)

Access Control

  • Row-Level Security (RLS) on every table containing PHI
  • Role-based permissions: Owner, Admin, Provider, Staff
  • JWT-authenticated API with per-request authorization

Audit Logging

  • Immutable, append-only audit trail for every PHI access
  • Logs include actor, action, resource, timestamp, and IP
  • 90-day retention with archival to encrypted cold storage

Infrastructure

  • HIPAA-eligible AWS services with signed BAA
  • Multi-AZ RDS PostgreSQL with automated failover and encrypted snapshots
  • AWS WAF, GuardDuty, and CloudTrail for defense-in-depth

HIPAA Compliance

  • Business Associate Agreement (BAA) executed with infrastructure providers
  • Administrative, physical, and technical safeguards per HIPAA Security Rule
  • Annual risk assessments and security policy reviews

Organizational Controls

  • Minimum necessary access principle enforced system-wide
  • Incident response plan with 24-hour breach notification
  • All team members trained on HIPAA requirements
01

Encryption

All Protected Health Information is encrypted both at rest and in transit. There are no scenarios in which PHI traverses an unencrypted channel.

LayerStandardDetails
Database (at rest)AES-256 / KMSAmazon RDS PostgreSQL with storage encryption via AWS KMS customer-managed keys (CMKs). All table data, indexes, WAL logs, and automated snapshots are encrypted.
File storage (at rest)SSE-KMSPatient documents, lab results, and consent forms stored in Amazon S3 with server-side encryption using KMS-managed keys. Bucket policies enforce encryption on all uploads.
Data in transitTLS 1.2+All connections between clients, CloudFront, ECS services, and RDS enforce TLS 1.2 or higher. HSTS headers prevent protocol downgrade attacks.
API payloadsHTTPS onlyAll API endpoints reject plaintext HTTP via CloudFront and ALB listener rules. Certificate pinning enforced in the mobile application.
BackupsAES-256 / KMSAutomated RDS snapshots encrypted with KMS and retained per policy. Cross-region snapshot copies for disaster recovery.
02

Role-Based Access Control (RBAC)

PeptidePal enforces a four-role permission model. Every API request is authorized against the caller's role and clinic membership before any data is returned.

RoleScopeCapabilities
OwnerFull clinic + billingAll permissions. Manage team members, billing, clinic settings, and organization structure. Only role that can delete a clinic or transfer ownership.
AdminFull clinic (no billing)Manage patients, protocols, appointments, team invites, and clinic settings. Cannot access billing or delete the clinic.
ProviderAssigned patientsView and manage assigned patients, create treatment plans, send messages, review lab results, and manage appointments.
StaffRead-only + limited actionsView patient lists, check appointment schedules, manage intake forms. Cannot modify treatment plans or access clinical notes.

Permissions are checked server-side on every request. The frontend hides unauthorized UI elements, but the enforcement boundary is always at the API layer — even if a client is modified, unauthorized requests are rejected with a 403 response.

03

Row-Level Security (RLS)

Row-Level Security is the most critical layer of our data protection architecture. RLS policies are enforced at the database level — below the application code — ensuring that even a compromised API endpoint cannot return unauthorized data.

TablePolicyEnforcement
patientsClinic membership requiredUsers can only query patients linked to clinics where they hold an active membership.
patient_provider_linksProvider + clinic scopedProviders see only their own patient assignments. Admins/Owners see all links within their clinic.
messagesLink-scoped accessMessages are scoped to the patient-provider link. Only the assigned provider, the patient, and clinic admins can read a conversation.
lab_resultsClinic + patient scopedLab results are visible only to providers with an active link to the patient and membership in the clinic.
consent_formsClinic-scopedConsent form templates are scoped to the clinic. Signed forms are additionally scoped to the specific patient.
audit_logsAdmin/Owner onlyAudit logs are read-only and accessible only to clinic Owners and Admins. No user can modify or delete audit entries.

RLS policies use the authenticated user's JWT claims (user ID, role) combined with clinic membership lookups. This means a provider at Clinic A cannot query any data belonging to Clinic B — the database itself rejects the query before results are assembled.

04

Audit Logging & Monitoring

Every access to Protected Health Information generates an immutable audit record. These logs cannot be modified or deleted by any user, including system administrators.

FieldDescription
actor_idUUID of the authenticated user performing the action
actor_roleRole at the time of action (owner, admin, provider, staff)
actionOperation performed (view, create, update, delete, export, download)
resource_typeType of resource accessed (patient, lab_result, message, consent_form, etc.)
resource_idUUID of the specific resource
clinic_idClinic context in which the action occurred
ip_addressClient IP address (for access anomaly detection)
user_agentClient application identifier
timestampISO 8601 timestamp with timezone (server clock, not client-supplied)
metadataAdditional context (e.g., fields changed, export format, search query)

Application-level audit logs are stored in an append-only RDS table with database triggers that prevent UPDATE and DELETE operations. Infrastructure-level audit logs are captured by AWS CloudTrail with log file integrity validation. All logs are retained for 90 days in hot storage (CloudWatch Logs), then archived to S3 Glacier with Object Lock for 6 years per HIPAA retention requirements.

Amazon GuardDuty and CloudWatch Alarms provide automated monitoring for anomalous patterns including: bulk data exports, after-hours access, access from unfamiliar IP ranges, rapid successive queries across multiple patients, and unauthorized API calls at the infrastructure level.

05

Infrastructure Security

PeptidePal runs entirely on HIPAA-eligible AWS services covered by a signed AWS Business Associate Agreement (BAA). The architecture follows defense-in-depth principles with multiple layers of isolation, monitoring, and automated threat response.

Core Infrastructure

ServicePurposeSecurity Features
Amazon RDS (PostgreSQL)Primary databaseMulti-AZ deployment with automated failover, AES-256 encrypted storage and snapshots, IAM database authentication, automated backups with point-in-time recovery, RLS enforcement at the database layer
Amazon ECS (Fargate)Application computeServerless containers with no SSH access surface, task-level IAM roles scoped to least privilege, VPC-isolated with private subnets, automatic patching of underlying infrastructure
Amazon CognitoAuthenticationHIPAA-eligible identity provider, MFA support (TOTP and SMS), advanced security features including adaptive authentication and compromised credential detection, user pool encryption with AWS KMS
Amazon S3Document & file storageSSE-KMS encryption with customer-managed keys, bucket policies enforcing encryption and denying public access, versioning enabled for data integrity, S3 access logging for audit trail
Amazon CloudFrontContent deliveryTLS 1.2+ enforcement, DDoS protection via AWS Shield Standard, edge caching for static assets only (no PHI cached at the CDN layer), custom error pages
StripePayment processingPCI DSS Level 1 certified, no card data touches PeptidePal infrastructure, tokenized payment methods
Amazon SESTransactional emailTLS-encrypted delivery, no PHI in email bodies — notifications contain links, not clinical data

Security & Compliance Services

ServicePurposeHIPAA Feature
AWS KMSKey managementCustomer-managed encryption keys (CMKs) for all data at rest, automatic annual key rotation, full usage auditing via CloudTrail
AWS CloudTrailAPI audit loggingEvery AWS API call logged with tamper-evident log file integrity validation, multi-region trail for complete coverage, integrated with CloudWatch for real-time alerting
Amazon GuardDutyThreat detectionML-based anomaly detection across VPC flow logs, DNS logs, and CloudTrail events, automated findings published to Security Hub for centralized response
AWS WAFWeb application firewallOWASP Top 10 rule set, rate limiting per IP and per path, IP reputation filtering, custom rules for API abuse patterns
AWS ConfigConfiguration complianceContinuous monitoring of resource configurations against HIPAA conformance packs, automatic remediation rules for drift detection
AWS Shield StandardDDoS protectionAlways-on network-level DDoS mitigation for all internet-facing resources, automatic detection and inline mitigation
VPC & Security GroupsNetwork isolationPrivate subnets for database and compute, NACLs and security groups enforcing least-privilege network access, VPC Flow Logs for network forensics
AWS BAAComplianceSigned Business Associate Agreement covering all HIPAA-eligible services deployed in the architecture
06

Authentication & Session Security

PeptidePal uses multiple layers of authentication security to protect provider accounts.

FeatureImplementation
Identity providerAmazon Cognito (HIPAA-eligible) with adaptive authentication and compromised credential detection
Password hashingSRP protocol with bcrypt-based server-side verification (configurable work factor)
Multi-factor authenticationTOTP-based MFA with optional SMS verification for high-risk actions
Session tokensJWT with short expiration (1 hour), refresh token rotation via Cognito token endpoint
Session timeoutConfigurable auto-lock (default 15 minutes of inactivity) with biometric re-authentication on mobile
Magic link authenticationTime-limited, single-use authentication links for patient onboarding
CSRF protectionSameSite cookie attributes, origin verification on state-changing requests
Rate limitingAWS WAF rate-limiting rules per IP and per account to prevent brute force attacks
Secure headersHSTS, X-Content-Type-Options, X-Frame-Options, CSP headers enforced at CloudFront edge
07

Data Handling & Retention

PeptidePal follows the HIPAA minimum necessary standard — we collect, process, and retain only the data required to deliver the service.

Data TypeRetention PeriodDisposal Method
Patient records (PHI)Duration of provider relationship + 6 yearsAWS KMS key deletion (cryptographic erasure) followed by RDS record purge
Audit logs6 years minimumCloudWatch Logs archived to S3 Glacier after 90 days with lifecycle policies
CloudTrail logs6 years minimumImmutable log files in dedicated S3 bucket with Object Lock (WORM compliance)
Session logs90 daysAutomatic deletion via S3 lifecycle policy after retention period
Payment recordsPer Stripe retention policyManaged by Stripe (PCI DSS Level 1); no card data stored on PeptidePal infrastructure
Backups30-day rolling windowEncrypted RDS snapshots older than 30 days are automatically destroyed via retention policy
Account dataDuration of account + 30 daysFull deletion upon account closure request, confirmed by support

Providers can export all patient data at any time using the built-in data export feature (available on Multi-location and Enterprise plans). Data exports are generated server-side, encrypted, and delivered via a time-limited signed URL.

08

Incident Response

PeptidePal maintains a documented incident response plan aligned with HIPAA breach notification requirements.

1

Detection & Containment (0–1 hour)

GuardDuty and CloudWatch alarms detect anomalies. Affected ECS tasks and security groups are automatically isolated. Investigation begins immediately with CloudTrail forensics.

2

Assessment & Notification (1–24 hours)

Determine scope and nature of the incident. Affected covered entities notified within 24 hours of confirmed breach involving PHI.

3

Remediation (24–72 hours)

Root cause analysis completed. Vulnerabilities patched. Additional safeguards implemented to prevent recurrence.

4

Regulatory Reporting (as required)

If the breach involves 500+ individuals, HHS is notified within 60 days per HIPAA Breach Notification Rule. All incidents documented in the incident register.

Contact security@peptidepal.app to report a security concern or request our full incident response policy.

09

Business Associate Agreement & Compliance

PeptidePal operates as a Business Associate under HIPAA. We execute Business Associate Agreements (BAAs) with every covered entity that uses our platform.

Our BAA Covers:

  • Permitted uses and disclosures of PHI aligned with the minimum necessary standard
  • Obligation to implement administrative, physical, and technical safeguards
  • Breach notification within 24 hours of discovery to covered entity
  • Return or destruction of PHI upon termination of the agreement
  • Right of covered entity to audit compliance
  • Obligation to ensure subcontractors agree to equivalent restrictions
  • Designation of a HIPAA Privacy Officer and Security Officer

To request a BAA or discuss compliance requirements for your organization, contact us at compliance@peptidepal.app.

Questions about our security practices?

We're happy to discuss our security architecture, provide additional documentation, or schedule a call with your compliance team.

PeptidePal© 2026 PeptidePal. All rights reserved.