HIPAA & security

Built HIPAA-ready from day one — honest about where we are right now

This page exists for two readers: a parent who wants to understand what protects their family's information, and a provider's compliance officer who needs the specifics. Both of you should leave with the answer you came for. If something here is unclear, email security@slscompass.org.

Last updated: April 25, 2026.

Where we are right now

No Protected Health Information (PHI) is stored on the platform yet. The features that handle medical or care content — document upload, care schedules, provider notes — ship in a future milestone. We won't turn those features on until vendor Business Associate Agreements (BAAs) are signed with every party that could touch PHI: Cloudflare Enterprise, WorkOS Enterprise, Resend Pro, and AWS.

What "HIPAA-ready" means concretely

HIPAA isn't something we plan to bolt on later. The technical posture is live today, even though there's no PHI to protect yet:

  • TLS 1.2+ enforced on every request. No HTTP, no insecure ciphers.
  • 15-minute idle session timeout, sliding-refreshed on activity. Aligned with HIPAA best practice for health-data sessions.
  • Append-only audit log of every authenticated action. The application has no code path that updates or deletes audit entries, and the table itself is enforced as insert-only.
  • No PHI in error logs, Sentry, console output, or telemetry. Sentry uses a strict allowlist of fields — anything outside it is scrubbed before transmission.
  • IP addresses are SHA-256 hashed with a daily-rotating salt before being written to the audit log. The hash isn't reversible to an IP.
  • Role-based access control in middleware. Family members, providers, and case managers each see only what their role permits.
  • S3 + KMS document bucket already provisioned, encrypted at rest, ready for documents the day they're allowed to land.
  • Strict Content-Security-Policy headers at the edge, plus HSTS, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
  • Defense-in-depth at the Cloudflare edge — WAF, DDoS protection, rate limiting on every endpoint.

What will be stored as PHI in a future release

When the document layer ships, families and case managers will be able to upload:

  • The Individual Program Plan (IPP) and prior-year IPPs.
  • Eligibility letters from the San Diego Regional Center.
  • Doctor's notes, evaluations, and diagnostic records.
  • Care schedules and medication reminders.

Every document is encrypted at rest with KMS-managed keys, scanned for malware on upload, served only via short-lived signed URLs, and audit-logged on every read or download. Documents are never indexed, never trained on, and never shared with another party without your explicit per-document consent.

What we will never do

  • Sell your data. Not now, not ever.
  • Use your information to train artificial-intelligence models without your explicit, per-feature consent.
  • Allow third-party analytics (Google Analytics, Mixpanel, the Facebook pixel, etc.) to touch any account or PHI data.
  • Hand data to advertisers.
  • Become a data broker.

Breach response

The full breach-response runbook lives in our internal security documentation and will be finalized alongside the document-upload milestone. The short version: if a breach is discovered, we will notify every affected person within 60 days, in plain language, telling you exactly what was accessed, what we're doing about it, and what you can do to protect yourself. The required regulators are notified within the same window, as the HIPAA Breach Notification Rule requires.

Vendor Business Associate Agreements (BAAs)

PHI does not land until every vendor below has a signed BAA on file. Negotiations are in progress as of the date at the top of this page.

  • Cloudflare Enterprise
    Covers: Hosting, D1 database, KV, edge cache, Workers.
    Status: Required before any PHI lands. Lead time 4–8 weeks. In negotiation.
  • WorkOS Enterprise
    Covers: Authentication and session management.
    Status: Required before any PHI lands. In negotiation.
  • Resend Pro
    Covers: Transactional email (welcome, reminders).
    Status: Required for any PHI in email content. We avoid PHI in email today. In negotiation.
  • Amazon Web Services
    Covers: S3 document storage and KMS encryption keys.
    Status: Will be signed before document upload ships. Standard BAA available.

Security & compliance contact

For security questions, BAA requests from providers or case managers, or to report a vulnerability, email security@slscompass.org. We acknowledge every report within two business days.