
Built as a HIPAA Business Associate — not retrofitted for it.

ForensicShield treats your reports the way the next auditor or plaintiff’s attorney would expect them to be treated. Encryption you cannot weaken without rewriting the codebase, audit logs you cannot quietly edit, and a default of failing closed when something unexpected happens.

  • Zero-Exposure Architecture: PHI never leaves AWS Bedrock
  • Encrypted at Every Layer: AES-256-GCM with AWS KMS envelope keys
  • Tamper-Proof Audit Trail: Append-only logs, 7-year retention
  • BAA Required: Signed before any PHI upload

Four layers of defense — built into the architecture, not bolted on.

Encryption

Encryption that travels with the data, not just the disk

Every PHI field is encrypted at the application layer before it touches the database. We use AES-256-GCM with envelope encryption: a unique data encryption key per operation, zeroed from memory after use, protected by a customer-managed master key in AWS KMS that rotates every 365 days and never leaves AWS hardware.

  • 42 encrypted PHI columns across the main application schema, plus 26 columns on the Legal side
  • Three separate customer-managed KMS keys — main app, Legal, and disk-layer
  • S3 bucket policies reject any non-encrypted upload

Tenant isolation

Walls between organizations

If you work at a multi-evaluator practice, you are not sharing tables with strangers. Every query is scoped to your organization at two independent layers: the application code filters by your org ID, and PostgreSQL Row-Level Security policies enforce the same restriction at a layer the application cannot bypass.

  • 22 RLS-protected tables in the main application database
  • Application-layer org-scoping on every query, fail-safe to zero rows
  • Audited every time a new table is added to the schema

Access

Who gets in, how, and for how long

Multi-factor authentication is mandatory — not an optional Security tab. The application checks the MFA claim on every request and fails closed if it cannot prove you passed. Sessions time out after 15 minutes of server-enforced inactivity. Every access is captured in an append-only audit log.

  • Mandatory MFA with fail-closed enforcement on every request
  • 15-minute server-side session timeout, multi-instance safe
  • Append-only audit log retained for 7 years (2,557 days)
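
An added example (not the platform's code) of the request gate this section describes: the MFA claim is checked on every request and its absence fails closed, the 15-minute idle timeout is enforced from a shared session store rather than in-process memory, and every decision is appended to a log that exposes no way to edit or remove entries. The claim shape, the store interface and the function names are assumptions of this example.

```javascript
const IDLE_TIMEOUT_MS = 15 * 60 * 1000; // 15 minutes, enforced on the server

// Per-request gate. Assumed shapes, not ForensicShield's real schema: `claims`
// are the verified token claims attached upstream ({ sub, mfa }); `store` is a
// session store with get/set/delete (a Map here; in production one that every
// instance shares, which is what makes the timeout multi-instance safe);
// `audit` is the append-only log below. Returns { ok } plus a denial reason.
function authorize({ claims, sessionId, path }, store, audit, now = Date.now()) {
  const deny = (reason) => {
    audit.append({ at: now, sub: claims?.sub ?? null, path, outcome: 'denied', reason });
    return { ok: false, status: 401, reason };
  };
  // Fail closed: a missing or non-true MFA claim is treated exactly like a failed one.
  if (!claims || claims.mfa !== true) return deny('mfa_not_proven');
  const session = store.get(sessionId);
  if (!session || session.sub !== claims.sub) return deny('unknown_session');
  if (now - session.lastSeen > IDLE_TIMEOUT_MS) {
    store.delete(sessionId); // an expired session is destroyed, never refreshed
    return deny('idle_timeout');
  }
  store.set(sessionId, { ...session, lastSeen: now }); // activity extends the window
  audit.append({ at: now, sub: claims.sub, path, outcome: 'allowed' });
  return { ok: true };
}

// Append-only audit log: entries can be added and read, but this interface
// exposes nothing that edits or removes them (a stand-in for an append-only
// table where the database enforces the same property).
function appendOnlyLog() {
  const entries = [];
  return Object.freeze({
    append: (entry) => { entries.push(Object.freeze({ ...entry })); },
    at: (i) => entries[i],
    get length() { return entries.length; },
  });
}
```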

Error handling

What is kept out of our error reports

When something breaks, engineers need diagnostic information — but they do not need patient names. Every error report runs through a multi-layer scrubber that strips request bodies, removes any field ending in _encrypted, and scans free text for SSNs, dates of birth, addresses, MRNs, ICD-10 and DSM-5 codes, and psychological test score patterns. If the scrubber fails, the error report is dropped.

  • Request bodies stripped before any error report leaves the platform
  • Pattern-matched scrubbing for SSNs, DOBs, MRNs, test scores, and PHI fields
  • Session replay disabled platform-wide so screen contents are never captured
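
An added example, not ForensicShield's scrubber, of a beforeSend-style hook doing what this section describes: strip the request body, drop every field ending in _encrypted, pattern-match free text for SSNs, dates of birth, MRNs, ICD-10 codes and test scores, and drop the whole report if scrubbing fails. The patterns are an illustrative subset and the event shape is constructed for the example.

```javascript
// Free-text PHI patterns: an illustrative subset, not the platform's rule set.
const PHI_PATTERNS = [
  [/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN]'],
  [/\b(?:0?[1-9]|1[0-2])\/(?:0?[1-9]|[12]\d|3[01])\/(?:19|20)\d{2}\b/g, '[DOB]'],
  [/(?<=\bMRN[:#\s-]*)\d{6,10}\b/gi, '[MRN]'],
  [/\b[A-TV-Z]\d{2}\.[0-9A-Z]{1,4}\b/g, '[ICD-10]'],
  [/(?<=\b(?:FSIQ|IQ|T-?score)\s*[:=]?\s*)\d{2,3}\b/gi, '[TEST-SCORE]'],
];

function scrubText(text) {
  return PHI_PATTERNS.reduce((s, [re, tag]) => s.replace(re, tag), text);
}

// Walks the event recursively: scrubs every string, drops every *_encrypted field
// (ciphertext has no place in a crash report), and refuses structures too deep to
// be a real event (cycles included) so that the caller fails closed.
function scrubValue(value, depth = 0) {
  if (depth > 32) throw new Error('event nested too deeply');
  if (typeof value === 'string') return scrubText(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (!k.endsWith('_encrypted')) out[k] = scrubValue(v, depth + 1);
    }
    return out;
  }
  return value;
}

// beforeSend-style hook: returns a scrubbed copy of the event, or null to drop
// it. Any failure inside the scrubber drops the report rather than risk PHI.
function scrubErrorReport(event) {
  try {
    const clean = scrubValue(event);
    if (clean.request && typeof clean.request === 'object') {
      delete clean.request.body; // request bodies never leave the platform
    }
    return clean;
  } catch {
    return null;
  }
}

// Constructed sample event; field names are illustrative, not a real SDK schema.
const SAMPLE_EVENT = {
  message: 'Render failed: DOB 03/14/1985, MRN 00123456, SSN 123-45-6789',
  request: { url: '/reports/42', body: { history: 'Dx F43.10, FSIQ 112' } },
  extra: { patient_name_encrypted: 'base64-ciphertext-here', note: 'Dx F43.10, T-score 65' },
};
```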

Where your report goes after you click upload.

Four stages, one security boundary. Anthropic’s model runs inside AWS Bedrock — your report never leaves AWS infrastructure.

Step 1: Upload (TLS encrypted)

Your browser sends the report over TLS 1.2/1.3. AWS WAF inspects the request before it reaches the application.

Step 2: Encrypt at rest (AES-256-GCM)

Application-layer AES-256-GCM with a unique key per operation, wrapped by a customer-managed AWS KMS master key.

Step 3: AI inference (AWS Bedrock)

Claude runs inside AWS Bedrock — the same security boundary as the database. Anthropic never receives your data.

Step 4: Output & audit (Audit logged)

Findings encrypted with the same envelope scheme. Every view, export, and edit is captured in the append-only audit log.

Steps 2 through 4 happen entirely inside the AWS security boundary. No PHI is sent to Anthropic, OpenAI, Google, or any other AI vendor. AWS Bedrock is covered by the same Business Associate Agreement that covers our database and storage.

One subprocessor with PHI access. That is on purpose.

Compare this to platforms with separate BAAs across OpenAI, Anthropic, Pinecone, Redis Cloud, and three analytics vendors. We architected the platform to keep that list at one.

Subprocessor | Role | BAA | PHI access
Amazon Web Services (AWS) | All compute, storage, database, AI inference (Bedrock), KMS, logging | Signed | Full (the only subprocessor with PHI access)
Clerk | Authentication and MFA | Not required | Practitioner identifiers only (email, name)
Stripe | Billing and subscription management | Not required | Organization email, tier, internal ID (no clinical content)
CourtListener | Case-law citation verification | Not required | Formatted citation strings only
LegiScan, Open States | Public legislative data | Not required | Read-only public data, no outbound PHI

Anthropic is NOT a subprocessor. Their model runs inside AWS Bedrock, covered by the same AWS Business Associate Agreement that covers our database and storage. Anthropic never receives, processes, or stores your report content.

For the complete vendor list, see our subprocessors page.

BAA required before any PHI upload.

Every customer organization signs a BAA with ForensicShield before uploading. It is not a checkbox buried in a Terms of Service — it is a separate, scroll-to-the-bottom acknowledgment inside the application, recorded with your identity, a timestamp, and a cryptographic hash of the exact text you saw. If the BAA is ever revised, you re-accept the new version before you can continue.

Our own upstream BAAs are in place before we ever touch PHI. AWS is signed; the rest of our stack does not handle PHI and does not require one.

Five overlapping schedules.

Security testing at ForensicShield runs continuously, weekly, monthly, on every commit, and on every alarm.

Every commit

Lint, type-check, full automated test suite, migration integrity check, and a dependency vulnerability audit that blocks merges if any dependency has a known high or critical severity finding.

Every week

OWASP ZAP DAST scans run every Sunday against the deployed platform. Findings are reviewed and tracked in a version-controlled rules file with explicit suppression justifications.

Every month

Backup restore verification runs on the first of every month, restoring the latest snapshot to an isolated environment, validating it, and cleaning up. Failures raise an alarm.

Continuously, in AWS

Inspector v2 scans every container image and Lambda. GuardDuty monitors for anomalies. Security Hub checks our posture against CIS AWS Foundations and AWS Foundational Security Best Practices.

On an alarm

Seventy-plus CloudWatch alarms watch for authentication failure spikes, unhealthy containers, error rate spikes, dead-letter queue growth, and Inspector critical findings.

Recovery is automated — and tested.

Database backups

Automated daily backups with continuous point-in-time recovery. The main application database retains seven days of backups; the Legal database retains 35 days and runs Multi-AZ. All backups are encrypted with the same customer-managed KMS keys described above.

Restore testing

An automated script picks the latest snapshot, restores it to a temporary instance, validates encryption and connectivity, produces a compliance report, and cleans up after itself. HIPAA asks us to test our contingency plan — we automate it.

Object storage

Original uploads in S3 have versioning enabled. PHI buckets block public access at four levels of configuration, reject non-encrypted uploads, and reject any non-HTTPS connection.

Log retention

Audit logs, database logs, container logs, VPC flow logs, and CloudTrail API logs are retained for 7 years (2,557 days) — one year past the HIPAA minimum, with the extra year as a buffer for incidents that come to light slowly.


Your data deserves this level of protection.

Try ForensicShield on a sample report — no upload required. Then run your own.


14-day free trial · 2 reports included (1 sample + 1 of your own) · A payment method is collected for identity verification — your card will not be automatically charged when the trial ends · HIPAA compliant