Security & HIPAA Compliance
Canine operates as a HIPAA Business Associate and is built to meet the security requirements of the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule. Each practice executes a Business Associate Agreement (BAA) with Canine before processing ePHI. This page provides transparency into how we protect electronic Protected Health Information (ePHI).
Last updated: March 11, 2026
Infrastructure
Canine runs on a fully cloud-hosted architecture with no on-premise servers. All infrastructure providers maintain their own HIPAA compliance programs.
| Component | Provider | Purpose | BAA |
|---|---|---|---|
| Database | Convex | Primary ePHI storage | Pending |
| Compute & CDN | AWS | Lambda, CloudFront, API Gateway | Signed |
| Object Storage | AWS S3 | Encrypted backups, static assets | Signed |
| AI Services | AWS Bedrock & Transcribe Medical | Clinical note assistance (transient processing) | Signed |
| Email | SendGrid (Twilio) | Verification & password reset only | Pending |
Access Controls
- Authentication
  - Email/password with mandatory email verification. Minimum 12-character passwords.
- Multi-Factor Authentication
  - TOTP-based MFA (6-digit codes, 30-second rotation) with 10 offline backup codes. Required for all users accessing ePHI.
- Session Management
  - 15-minute idle timeout, 8-hour absolute session maximum, 1-hour silent refresh cycle.
- Practice Isolation
  - Data is isolated at the practice level. Users can only access data belonging to their associated practice.
- Rate Limiting
  - Authentication endpoints limited to 10 requests per 60 seconds. WAF rate limiting at 2,000 requests per 5-minute window per IP.
Encryption
- In Transit
  - TLS 1.2+ on all connections — CloudFront, API Gateway, Convex, S3, and SendGrid. HTTP is never accepted.
- At Rest
  - AES-256 encryption on all S3 buckets (assets, backups, CloudTrail logs). Convex provides encryption at rest for all stored data.
- S3 SSL Enforcement
  - All S3 buckets enforce SSL via bucket policies. Unencrypted access is denied at the bucket level.
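One way to verify the S3 SSL enforcement item above is to check each bucket policy for an explicit Deny on non-TLS requests. This is an added example, not Canine's own code; the bucket name, account ID and both sample policies are constructed for illustration.

```python
import json

BUCKET = "example-backups"  # placeholder bucket name, not from the page
ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Constructed: grants reads over TLS but never denies plain HTTP, so access
# granted by any other policy is still served over an unencrypted connection.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "s3:GetObject", "Resource": ARNS[1],
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}

# Constructed: explicit Deny for every principal and action on the bucket and
# its objects whenever the request did not arrive over TLS.
STRICT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": ARNS,
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def denies_plain_http(policy, bucket):
    """True if Deny statements block all non-TLS requests to bucket and objects."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    covered = set()
    for stmt in as_list(doc.get("Statement", [])):
        transport = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (stmt.get("Effect") == "Deny"
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and {a.lower() for a in as_list(stmt.get("Action", []))} & {"s3:*", "*"}
                and [str(v).lower() for v in as_list(transport)] == ["false"]):
            covered |= needed & set(as_list(stmt.get("Resource", [])))
    return covered == needed

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, denies_plain_http(policy, BUCKET))
```

The check is deliberately conservative: a policy that expresses the same denial in another form (wildcard resources, `NotAction`) is reported as not enforcing TLS and should be reviewed by hand.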
Audit Controls
All access to ePHI is logged. Canine maintains three layers of audit logging:
- Application Audit Logs
  - Every create, read, update, and delete on PHI tables is logged with userId, action, table, document ID, and timestamp. Write operations are logged server-side; read operations are logged via authenticated client-side mutations.
- AWS CloudTrail
  - All AWS API calls are logged to a dedicated S3 bucket with log file validation enabled. Logs transition to Glacier after 90 days and are retained for 6 years.
- API Gateway Access Logs
  - Every HTTP request is logged with IP, method, path, status, and timestamp. Retained in CloudWatch for 1 year.
- Automated Audit Reports
  - Automated compliance reports detect cross-practice access, bulk deletions, high-volume reads, unauthorized API access, and off-hours activity.
Application audit logs are retained for 90 days in hot storage and 6 years in encrypted S3 cold storage (Glacier), satisfying the HIPAA retention requirement under 45 CFR 164.530(j).
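A sketch of how four of the automated report checks listed above (cross-practice access, bulk deletions, high-volume reads, off-hours activity) can run over application audit log records. This is an added example, not Canine's reporting code; the `documentId` and `practiceId` keys, the user-to-practice map, the thresholds, the business hours and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values; the page states none of these.
WINDOW = timedelta(minutes=5)
RULES = {"delete": ("bulk_delete", 3), "read": ("high_volume_read", 5)}
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 in the log's time zone
USER_PRACTICE = {"u1": "p1", "u2": "p2"}

def audit_findings(events):
    """Return sorted (rule, userId, timestamp) tuples for suspicious events.

    Each event carries the fields the page lists (userId, action, table,
    document ID, timestamp) plus an assumed practiceId of the document."""
    findings = set()
    recent = defaultdict(deque)          # (user, action) -> times inside WINDOW
    for e in sorted(events, key=lambda e: e["timestamp"]):
        ts = datetime.fromisoformat(e["timestamp"])
        user, action = e["userId"], e["action"]
        # Unknown users map to None and are flagged as well.
        if USER_PRACTICE.get(user) != e["practiceId"]:
            findings.add(("cross_practice", user, e["timestamp"]))
        if ts.hour not in BUSINESS_HOURS:
            findings.add(("off_hours", user, e["timestamp"]))
        if action in RULES:
            rule, limit = RULES[action]
            times = recent[(user, action)]
            times.append(ts)
            while ts - times[0] > WINDOW:
                times.popleft()
            if len(times) == limit:      # report at the moment the limit is reached
                findings.add((rule, user, e["timestamp"]))
    return sorted(findings)

def event(user, action, doc, ts, practice):
    return {"userId": user, "action": action, "table": "visits",
            "documentId": doc, "timestamp": ts, "practiceId": practice}

# Constructed sample log, not real data.
SAMPLE = (
    [event("u1", "read", f"d{i}", f"2026-03-10T14:00:{i:02d}", "p1") for i in range(5)]
    + [event("u2", "delete", f"x{i}", f"2026-03-10T15:00:{i:02d}", "p2") for i in range(3)]
    + [event("u2", "read", "d9", "2026-03-10T15:10:00", "p1"),
       event("u1", "update", "d1", "2026-03-10T02:30:00", "p1")]
)

if __name__ == "__main__":
    for finding in audit_findings(SAMPLE):
        print(finding)
```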
Network Security
- Web Application Firewall
  - AWS WAF with OWASP Core Rule Set, SQL injection protection, known bad inputs blocking, and IP-based rate limiting.
- DDoS Protection
  - CloudFront edge network provides built-in DDoS mitigation at the network and transport layers.
- Origin Protection
  - API Gateway origin is only accessible through CloudFront. Direct access to the Lambda function is not exposed.
Backup & Recovery
- Nightly Backups
  - Automated nightly backups of all production data at 2:00 AM UTC via GitHub Actions. Backups are encrypted and uploaded to a dedicated S3 bucket.
- Retention
  - Backups are stored in S3 Standard for 30 days, then transition to S3 Glacier for long-term archival. Total retention: 6 years (2,190 days).
- Immutability
  - S3 versioning prevents overwrite. Glacier storage is effectively immutable. The bucket deletion policy is set to RETAIN, surviving even infrastructure teardown.
- Recovery
  - Documented restore procedures with tested scripts. Recovery testing performed at least annually.
Policies & Documentation
Canine maintains comprehensive HIPAA documentation, reviewed annually and retained for 6 years:
- Business Associate Agreement — Executed with each Practice before ePHI processing begins — covers permitted uses, safeguards, breach notification, and termination
- Policies and Procedures — Access control, audit, integrity, transmission security, incident response, backup/recovery, password, data retention, acceptable use
- Security Risk Assessment — Formal risk analysis with addressable requirements matrix and risk tolerance statement
- Security & Privacy Officer Designation — Dual Security Officer / Privacy Officer role with defined responsibilities
- Workforce Training Program — 8-module security training with annual requirement and acknowledgment forms
- Workforce Sanction Policy — Progressive discipline for HIPAA violations with investigation procedures
- Emergency Access Procedure — Break-glass procedures for MFA lockout, system outage, data recovery, and breach response
- Incident Response & Breach Notification — HIPAA Breach Notification Rule compliance with determination examples and notification timelines
Incident Response
Canine follows a structured incident response process: contain, assess, preserve evidence, eradicate, recover, and document.
In the event of a confirmed breach of unsecured ePHI, the Practice will comply with the HIPAA Breach Notification Rule (45 CFR 164.400–414), including individual notification within 60 days, HHS notification, and media notification where required.
Contact
For security questions, compliance inquiries, or to report a potential security concern:
Security & Privacy Officer — Practice Administrator
[Name, Email, Phone]
This page is maintained by the Canine Security & Privacy Officer. Full policy documents are available upon request for auditors and authorized parties.