The security of your data is fundamental to everything we build at Ruana. This document describes the technical and organizational measures we implement to protect practitioner and patient data. This Security Overview is incorporated by reference into our Data Processing Agreement.
1. Infrastructure & Hosting
Ruana’s platform is hosted exclusively on Amazon Web Services (AWS). Our primary deployment region is US East (N. Virginia), with infrastructure designed for high availability and redundancy. AWS maintains 24/7 physical security, biometric access controls, unmarked facilities, battery and generator backup power, and full CCTV coverage. Details: aws.amazon.com/compliance/data-center/controls
2. Encryption
2.1 Encryption in Transit
All data transmitted between users and Ruana’s servers is encrypted using TLS 1.2 or higher (TLS 1.3 preferred). All HTTP traffic is automatically redirected to HTTPS. Unencrypted connections are not permitted.
2.2 Encryption at Rest
All data stored in Ruana’s databases (AWS RDS/Aurora) and file storage (AWS S3) is encrypted at rest using AES-256 encryption. Database credentials are managed through AWS Secrets Manager and are never hardcoded or stored in plaintext.
3. Access Controls
- Ruana staff do not have access to practitioner or patient account data
- All AWS infrastructure access requires multi-factor authentication (MFA)
- Access follows the principle of least privilege
- Application services use IAM roles rather than long-lived access keys
- All privileged access is logged and auditable
- Customer support via Featurebase does not involve access to clinical or patient records
4. Audit Logging
- AWS CloudTrail enabled across all regions — management and data events
- CloudTrail logs stored in encrypted S3 buckets with log file validation enabled
- Logs retained for a period consistent with HIPAA and industry best practices
- Application-level audit logs track system access, security events, and administrative actions
- VPC Flow Logs capture network-level activity
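The controls above can be checked rather than taken on trust. The following is an added example, not Ruana's own code: it evaluates a trail record against the stated CloudTrail settings (all regions, management and data events, log file validation, encrypted storage). The record's field names follow the output of `aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors`; the sample values are constructed.

```python
from typing import List

# Constructed sample in the shape of describe-trails + get-event-selectors output.
# Bucket name, account id and key id are placeholders, not real resources.
SAMPLE_TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "EventSelectors": [
        {
            "ReadWriteType": "All",
            "IncludeManagementEvents": True,
            "DataResources": [
                {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::example-phi-bucket/"]}
            ],
        }
    ],
}


def audit_trail(trail: dict) -> List[str]:
    """Return findings where the trail falls short of the stated controls.

    An empty list means every control in the "Audit Logging" section is met.
    """
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region; activity in other regions is not recorded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled; delivered logs cannot be checked for tampering")
    if not trail.get("KmsKeyId"):
        findings.append("no KMS key on the trail; delivery uses S3 default encryption only")
    selectors = trail.get("EventSelectors", [])
    # Management events must be captured for both reads and writes.
    if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               for s in selectors):
        findings.append("management events (read and write) are not fully captured")
    # Data events need at least one data resource selector (e.g. S3 objects).
    if not any(s.get("DataResources") for s in selectors):
        findings.append("no data event selectors; object-level access is not logged")
    return findings


if __name__ == "__main__":
    for line in audit_trail(SAMPLE_TRAIL) or ["no findings"]:
        print(line)
```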
5. Network Security
- All application services run in private subnets with no direct public internet access
- Public traffic routed exclusively through AWS Elastic Load Balancer with HTTPS enforcement
- Security groups follow least-privilege rules
- Database instances not publicly accessible — operate within private network segments
- AWS GuardDuty provides continuous threat detection and monitoring
6. Data Backup & Recovery
- Automated daily backups of all databases with minimum 7-day retention
- All backups encrypted using AES-256
- Backups stored across multiple AWS availability zones for redundancy
- Recovery procedures tested regularly
7. Two-Factor Authentication
Two-factor authentication (2FA) is available for all Ruana user accounts and is strongly recommended. 2FA is enforced for all Ruana administrative and infrastructure access.
8. Vulnerability Management
- Regular review of security configurations against industry best practices
- AWS Security Hub monitoring with HIPAA standard checks
- Dependency and library updates reviewed and applied regularly
- Infrastructure monitored 24/7 through AWS CloudWatch with alerts for anomalous activity
9. Subprocessor Security
All third-party service providers are contractually required to maintain appropriate security standards. Ruana has executed Data Processing Agreements with all subprocessors. Our current subprocessor list is in our Data Processing Agreement.
10. Incident Response
In the event of a confirmed or suspected data breach:
- Affected Subscribers notified within 72 hours where required by GDPR
- HIPAA breach notification procedures followed per 45 C.F.R. § 164.410
- Full cooperation with Subscribers in meeting notification obligations
11. HIPAA Compliance
For US-based healthcare practitioners, Ruana operates as a HIPAA Business Associate. Ruana has executed a Business Associate Addendum (BAA) with AWS. Security practices are designed to meet HIPAA Security Rule requirements (45 C.F.R. Part 164, Subpart C) including administrative, physical, and technical safeguards.
12. Questions & Security Reports
For security questions or to report a vulnerability: support@getruana.com
Ruana LLC | 548 Market St #228047 | San Francisco, CA 94104 | USA