Security & Compliance
HIPAA compliance is not an add-on
Your clients trust you with their most personal information. We built GlowScript so that trust is never at risk. Every layer of the platform — from the infrastructure to the interface — is designed to protect patient data.
Data Protection
Encrypted at every layer
Encryption at Rest
All data is encrypted using AES-256 with AWS Key Management Service (KMS). Database storage, file uploads, backups — nothing is stored unencrypted.
Encryption in Transit
Every connection uses TLS 1.2 or higher. API calls, browser sessions, and internal service communication are all encrypted end-to-end.
Network Isolation
The database runs inside a private VPC with no public internet access. Only authorized application servers can reach it through private subnets.
US-Only Data Residency
All data is stored and processed in AWS data centers within the United States. No data ever leaves US jurisdiction.
Secure Backups
Automated, encrypted database backups with point-in-time recovery. Backup data follows the same encryption and access controls as primary data.
Secrets Management
All credentials and keys are stored in AWS Secrets Manager with automatic rotation. No secrets are ever hardcoded or stored in source code.
Access Controls
The right people, the right access
HIPAA requires that only authorized individuals can access protected health information — and only the minimum necessary for their role. GlowScript enforces this at every level.
Multi-Factor Authentication
MFA is enforced for all users, not optional. Time-based one-time passwords (TOTP) are supported via any authenticator app. Recognized devices are remembered so daily use stays seamless.
Role-Based Access Control
Granular permissions by role — owners, providers, front desk, and custom roles. Each role sees only what it needs. No blanket admin access.
Automatic Session Timeout
Inactive sessions are automatically terminated with a warning before sign-out. Configurable per practice to meet your security policies.
Invite-Only Onboarding
No self-registration. Every user is explicitly invited by a practice administrator, ensuring only authorized personnel have access.
Audit & Monitoring
Complete accountability
6-Year Audit Logs
Every access, modification, and administrative action is logged and retained for six years, meeting HIPAA requirements for accounting of disclosures.
Infrastructure Logging
AWS CloudTrail captures all API activity across the platform. VPC flow logs track every network connection. All logs are encrypted and immutable.
Real-Time Monitoring
Automated alerting for suspicious access patterns, failed authentication attempts, and unusual data access. Issues surface immediately, not in a quarterly audit.
Breach Notification
In the unlikely event of a security incident, we follow the HIPAA Breach Notification Rule — notifying affected practices within 60 days per 45 CFR §§ 164.400–414.
Disaster Recovery
Your data is always recoverable
Business continuity is a core part of HIPAA compliance. GlowScript maintains documented disaster recovery procedures with defined recovery objectives, tested quarterly and updated after every infrastructure change.
Continuous Database Backups
Point-in-time recovery with 5-minute granularity and 35-day retention. Your data can be restored to any moment within the past five weeks — down to the second.
1-Hour Recovery Target
Our infrastructure is fully defined as code. In the event of a complete outage, the entire platform can be rebuilt and restored from backups within one hour.
Versioned File Storage
All uploaded documents, photos, and clinical files are stored with versioning enabled. Even if a file is accidentally deleted, every previous version is retained and recoverable.
Deletion Protection
Critical infrastructure — the database, user directory, and encryption keys — has deletion protection enabled, preventing accidental or unauthorized destruction.
Compliance
Business Associate Agreement included
Every GlowScript subscription includes a signed Business Associate Agreement that covers all requirements under 45 CFR § 164.504(e). No separate contract, no legal back-and-forth, no extra fees. Practices that require a custom BAA can work with our legal team directly.
Infrastructure
Built on AWS
GlowScript runs entirely on Amazon Web Services under a signed AWS Business Associate Addendum. AWS maintains SOC 1, SOC 2, SOC 3, ISO 27001, and HITRUST certifications. Our architecture uses AWS services purpose-built for regulated workloads.
Aurora PostgreSQL: Encrypted database with automated backups
CloudFront + WAF: Edge delivery with web application firewall
Cognito: Identity management with enforced MFA
KMS: Encryption key management and rotation
CloudTrail: API activity logging and audit trail
VPC: Network isolation with private subnets
Questions about security?
We are happy to walk through our security posture in detail, provide additional documentation for your compliance team, or discuss custom requirements for your practice.
security@glowscript.ai