A new random key is generated on the client-side when new data is about to be stored. This local key is used to encrypt with AES256-GCM, which provides data integrity and confidentiality.
Since the encryption key is generated and remains on your side, we can not access the information.
On top of the end-to-end encryption, all communication is always HTTPS, using TLS 1.3. Then, when data reaches our servers, it's encrypted at rest using AES256, with custom managed keys that we audit and rotate.
We monitor every single event happening in our end. This enables governance, compliance, operational auditing, and risk auditing. We work with third parties that audit and automate our security checks.
Automatic unusual activity detectionCompliance with regulatory standardsApplication level monitoringInfrastructure level monitoringOur services run on a multi-cloud setup fully compliant with HIPAA and GDPR requirements, ensuring that all the physical security and access control sits on top the strictest security requirements.
We provide a data durability of 22-nines, the highest in the market. Thanks to cross-regional backups, and object-locking mechanisms, we can ensure that no data can be removed or modified during the specified timeframe.
Our solution conforms with the SEC Rule 17a-4(f), FINRA Rule 4511, and CFTC Regulation 1.31.
We architected our backend and infrastructure to prevent systemic issues and data leaks that affect all our users.
Measures are in place so storage, datasets and databases are properly isolated for each client, including the usage of different master keys.
Mandatory code reviews and automated checksExtensive integration, regression and unit tests for backend, API and infrastructureBcrypt hashed passwords (12 complexity)Full traceability of any code changeIsolated, inmmutable and capped containerized deploymentsSend us a PGP encrypted email to security@set.health using our public key.
Check our security.txt for more details.