Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated service architecture diagram

Production and Integration environments

The diagram below shows the Tidepool Production environment in detail.

Live Search
spaceKey@self
additionalpage excerpt
placeholderSearch this space

Image RemovedTidepool Platform Services v4.pngImage Added

Figure 2: Tidepool Production Environment

Page Tree

All Production, Integration, Operations, and Development services are hosted on dedicated, HIPAA-compliant AWS EKS Kubernetes clusters.

All Analytics and Sandbox environments are hosted on dedicated HIPAA-compliant environments, though do not contain PHI.

Our Operations, Development, and Sandbox environments are only used internally for Tidepool development, do not host end-user PHI, and are not covered under our HIPAA BAAs, but run in identical and separate environments for consistency in development, testing, and data isolation.

Tidepool uses a standard micro distribution of Linux called Alpine, which is secured by default and has had all unnecessary software packages and dependencies removed to minimize system footprint and make it resistant to attacks by removing all software that is not used. Software and services not installed do not need to be patched.

Info

All production user data is hosted in MongoDB instances running inside of MongoDB Atlas.

These Database as a Service (DBaaS) instances also run on AWS, but with the infrastructure for the databases handled as a managed service, under the care of MongoDB. MongoDB Atlas handles backups, software upgrades/patching of databases, network security.

All environments also store data in secure private encrypted AWS S3 buckets. There is no access granted to these S3 buckets other than via explicit policy, and only systems hosting the data and Tidepool AWS administrators may access S3 buckets. See Production access for additional details.

Network environments and virtual instances are designed and configured to restrict and monitor traffic between trusted and untrusted connections.

Tidepool Services run as a single multi-tenant, and data access is restricted via RBAC and Access Controls.

To synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines, all Tidepool servers sync to nist.gov using Network Time Protocol (NTP) or to Amazon Web Services NTP sources that do the same.