Security for your peace of mind

We take careful measures to ensure any data is as safe as possible

End-to-end encrypted.

A new random key is generated on the client side whenever new data is about to be stored. This local key is used to encrypt the data with AES256-GCM, which provides both confidentiality and data integrity.

Since the encryption key is generated and remains on your side, we cannot access the information.

Encryption in transit and at rest.

On top of the end-to-end encryption, all communication is always over HTTPS using TLS 1.3. Then, when data reaches our servers, it is encrypted at rest using AES256, with custom managed keys that we audit and rotate.

Detailed monitoring.

We monitor every single event happening on our end. This enables governance, compliance, operational auditing, and risk auditing. We work with third parties that audit and automate our security checks.

  • Automatic unusual activity detection
  • Compliance with regulatory standards
  • Application level monitoring
  • Infrastructure level monitoring

No read/write permissions.

On top of data encryption, we ensure that no employee is granted read or write permissions to your data.

We have architected our services so that data can never be altered and no human intervention is required.

HIPAA compliant infrastructure.

Our services run on a multi-cloud setup fully compliant with HIPAA and GDPR requirements, ensuring that all physical security and access control sits on top of the strictest security requirements.

99.99999999999999999999% durability.

We provide a data durability of 22 nines, the highest in the market. Thanks to cross-regional backups and object-locking mechanisms, we can ensure that no data can be removed or modified during the specified timeframe.

Our solution conforms with the SEC Rule 17a-4(f), FINRA Rule 4511, and CFTC Regulation 1.31.

Multitenancy design.

We architected our backend and infrastructure to prevent systemic issues and data leaks that affect all our users.

Measures are in place so that storage, datasets and databases are properly isolated for each client, including the use of different master keys.

And more...

  • Mandatory code reviews and automated checks
  • Extensive integration, regression and unit tests for backend, API and infrastructure
  • Bcrypt-hashed passwords (cost factor 12)
  • Full traceability of any code change
  • Isolated, immutable and capped containerized deployments

Found a vulnerability?

Send us a PGP-encrypted email to security@set.health using our public key.

Check our security.txt for more details.