SECURITY
Security isn't a feature we added later. It's an architectural decision that shaped every line of code in the platform. Here's how we protect the most personal data you'll ever generate.
HIPAA-compliant architecture
Inevid is built on HIPAA-eligible AWS infrastructure with executed Business Associate Agreements (BAAs) with every vendor that touches Protected Health Information. This isn't a checkbox exercise — it's how we designed the system from the ground up.
Encryption everywhere
At rest: AES-256 encryption via AWS KMS — every user gets their own encryption key
In transit: TLS 1.3 for all connections between your browser, our servers, and our database
Key management: AWS Key Management Service — keys stored in FIPS 140-2 validated hardware security modules
Key isolation: Your encryption key is separate from our application database — compromising one doesn't compromise the other
On account deletion: Your key is destroyed, making all associated data permanently unrecoverable
Direct-to-S3 genome uploads
When you upload a genome file (VCF, BAM, or CRAM), it travels directly from your browser to encrypted AWS S3 storage. The file bytes never pass through our application servers. Here's how it works:
1. Your browser requests a time-limited presigned upload URL (valid for 15 minutes).
2. Your file uploads directly to S3 over TLS 1.3, encrypted at rest with your personal KMS key.
3. Our server receives only a notification that the upload completed — never the file contents.
This eliminates an entire category of exposure risk. Even in the unlikely event of a server compromise, your genome file was never there to steal.
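The presigned-URL step above, as an added example that is not Inevid's code: a standard-library Python implementation of AWS SigV4 query signing for an S3 PUT, showing that the 15-minute expiry and the SSE-KMS headers are bound into the signature. The host, object path, credentials and KMS key ARN are constructed placeholders, and a production service would normally call the AWS SDK's presigner instead.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

def presign_put(host, path, region, access_key, secret_key, kms_key_id,
                now=None, expires=900):  # 900 s = the 15-minute window
    """Return (url, headers the browser must send) for a presigned S3 PUT."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    # Signed headers: S3 rejects a PUT that drops or changes them.
    headers = {
        "host": host,
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": kms_key_id,
    }
    signed = ";".join(sorted(headers))
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # S3 refuses the URL after this many seconds
        "X-Amz-SignedHeaders": signed,
    }
    canonical_query = "&".join(
        f"{k}={quote(v, safe='')}" for k, v in sorted(query.items()))
    uri = quote(path, safe="/")
    canonical_request = "\n".join([
        "PUT", uri, canonical_query,
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed, "UNSIGNED-PAYLOAD"])  # file bytes are not part of the signature
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()  # derive the per-day, per-region signing key
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"https://{host}{uri}?{canonical_query}&X-Amz-Signature={sig}",
            {k: v for k, v in headers.items() if k != "host"})

if __name__ == "__main__":
    # Constructed placeholders: not real credentials, bucket or key ARN.
    url, required = presign_put(
        "example-bucket.s3.us-east-2.amazonaws.com",
        "/uploads/user-123/genome.vcf.gz", "us-east-2", "AKIDEXAMPLE",
        "SECRETEXAMPLE", "arn:aws:kms:us-east-2:111122223333:key/EXAMPLE")
    print(url, required, sep="\n")
```

The browser sends the returned headers with its PUT; an upload that omits them or names a different key fails signature verification at S3.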
De-identified AI pipeline
Our AI health companion (Eddie) never sees your full identity. Before any data reaches the AI model, our PHI sanitization layer strips:
The AI receives only: genetic variant rsIDs and genotypes, biomarker names and values, supplement and medication names, and your first name (Safe Harbor compliant when isolated from all other identifiers).
Every AI API call is logged to a HIPAA-compliant audit trail with a sanitized payload preview — never the raw content.
AWS infrastructure
Inevid runs entirely on Amazon Web Services, using only HIPAA-eligible services:
Compute: AWS EC2 (Ubuntu) — application server
Database: AWS RDS PostgreSQL — encrypted at rest and in transit
Storage: AWS S3 — server-side AES-256 encryption with KMS keys
Key management: AWS KMS — FIPS 140-2 Level 2 validated
DNS & CDN: Cloudflare (Full Strict TLS mode)
Region: us-east-2 (Ohio) — all data stays in the US
SSL certificates: Certbot via Nginx — auto-renewed
Access controls
Your data is accessible only to you. Inevid employees cannot access user health data — this is enforced architecturally, not just by policy. All internal data access is through synthetic test environments. Every access event is logged per HIPAA §164.312(b).
Authentication uses industry-standard JWT sessions with bcrypt password hashing. All dashboard routes are protected by middleware that verifies your session before serving any page or API response.
Vulnerability reporting
If you discover a security vulnerability in Inevid, please report it responsibly to [email protected]. We take every report seriously and will respond within 48 hours.
We do not pursue legal action against security researchers who act in good faith. If you identify a genuine vulnerability, we'd rather know about it than not.
Inevid Security Overview · Version 1.0 · March 2026