Last updated: 2026-06-02
Health data encrypted at the field level
Health profile and PHI fields are encrypted individually before being written to the database. We use AES-256-GCM envelope encryption backed by AWS KMS: KMS generates a unique 256-bit data key per operation; that data key encrypts the field value, then is itself stored encrypted alongside the ciphertext. The plaintext data key exists only in memory during the operation and is securely zeroed on completion — it is never persisted in any recoverable form.
An encryption context (table + column + user_id) is passed to KMS on every call. KMS records this context in its own audit log entry and refuses a Decrypt request whose context doesn’t match the one supplied when the data key was generated — so a ciphertext produced for one user or one field cannot be decrypted under a different owner or column.
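The envelope scheme above, as an added illustration in Go that is not Arctuva's own code: a local AES-256-GCM master key stands in for the KMS GenerateDataKey/Decrypt API, and the table, column and user_id values are assumed. A fresh data key wraps each field, the encryption context is bound as additional authenticated data on both the wrapped key and the field ciphertext, and the plaintext data key is wiped once the operation completes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Context is the encryption context passed on every key operation (table + column + user_id).
type Context struct{ Table, Column, UserID string }
// aad serialises the context as GCM additional data: any change to it fails authentication.
func (c Context) aad() []byte { return []byte(c.Table + "/" + c.Column + "/" + c.UserID) }
// seal is AES-256-GCM with a fresh random 96-bit nonce prepended; keys are always 32 bytes here.
func seal(key, aad, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, aad)
}
// open reverses seal; it fails on a wrong key, tampered bytes, or a different context.
func open(key, aad, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}
// Envelope is what is persisted: the wrapped data key stored next to the field ciphertext.
type Envelope struct{ WrappedKey, Ciphertext []byte }
// EncryptField wraps a fresh data key under the master key with the context as AAD (stand-in for
// KMS GenerateDataKey), encrypts the field, and zeroes the plaintext key (clear needs Go 1.21+).
func EncryptField(master []byte, ctx Context, value string) Envelope {
	dk := make([]byte, 32)
	rand.Read(dk)
	defer clear(dk)
	return Envelope{seal(master, ctx.aad(), dk), seal(dk, ctx.aad(), []byte(value))}
}
// DecryptField unwraps the key under the caller's context (stand-in for KMS Decrypt, which refuses
// a mismatched context), then opens the field ciphertext.
func DecryptField(master []byte, ctx Context, env Envelope) (string, error) {
	dk, err := open(master, ctx.aad(), env.WrappedKey)
	if err != nil {
		return "", errors.New("kms refused decrypt: encryption context mismatch")
	}
	defer clear(dk)
	pt, err := open(dk, ctx.aad(), env.Ciphertext)
	return string(pt), err
}
```

With real KMS the master key never leaves the service; only the wrapped key and ciphertext are ever stored, which is what the Envelope struct models.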
Beyond field-level encryption: the database is encrypted at rest with a dedicated customer-managed KMS key, uploaded files with a separate S3 KMS key, and application secrets with a Secrets Manager KMS key. All keys have annual automatic rotation enabled.
All traffic over HTTPS
Every connection to Arctuva is served over HTTPS. Load balancers enforce TLS 1.2 as a minimum and prefer TLS 1.3; plain HTTP connections are redirected. Certificates are issued and auto-renewed through AWS Certificate Manager.
Private network, minimal attack surface
Application containers run in private VPC subnets with no direct internet exposure. The load balancer is the only internet-facing surface. Each ECS service runs with a least-privilege IAM role scoped to only the AWS resources it needs.
Every PHI access is logged
Every read, write, or delete of a protected health field generates a structured audit event recording: who accessed it (user ID, role, session ID, IP address), what was accessed (resource type, subject user, specific columns), the outcome (success or denied), and a timestamp.
Audit events are written simultaneously to two independent stores: a Postgres audit_log table and a KMS-encrypted CloudWatch log group (/arctuva/audit). An outage in one does not affect the other. AWS CloudTrail records all management-level API events separately.
Cryptographic identity verification
Participant identity is verified through Avarithim, a privacy-preserving identity network. Arctuva confirms your identity without retaining copies of your raw identity documents — verification is cryptographic, not document-storage-based.
You control your data
You can request deletion, export, or correction of your data at any time from your account settings. Account deletion cascades to all PII fields. Data export packages your complete profile and activity history for download. These rights are backed by implemented infrastructure, not just policy.
Monitoring and on-call response
Production errors are captured in real time by Sentry. Automated CloudWatch alarms fire on CPU saturation, storage thresholds, connection pool depth, ALB error rates, and email delivery failures — all routed to an on-call operator. We maintain a documented incident runbook covering detection, investigation, and recovery procedures for common failure classes.
Found a vulnerability?
We welcome responsible disclosure of security vulnerabilities. If you believe you have found a security issue in Arctuva, email security@arctuva.com with a description of the issue and steps to reproduce. We will acknowledge your report promptly and work with you to understand and address the finding.
Please do not publicly disclose details until we have had a reasonable opportunity to investigate and remediate. Arctuva does not currently operate a formal bug bounty program.