Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Tidepool's HIPAA-compliant cloud platform is hosted on Amazon Web Services (AWS) with data hosted in MongoDB Atlas.

Architecture overview

  • All data, at all times, is transmitted using secure, industry-standard, encrypted protocols (HTTPS, TLS 1.2).

  • All data, at all times, is encrypted at rest using AES-256-bit encryption.

Tidepool has multiple, isolated network and compute environments, environments and clusters used for different purposes, architected and informed by AWS recommendations for HIPAA-compliant services:

  • Production server environment; this is where all end-user data is stored, including PHI covered under HIPAA.

  • Integration test environment for 3rd party developers to use as a test sandbox for their applications that access our APIs; this environment may also contain PHI covered under HIPAA.

  • Analytics environment - may contain PHI under analysis and/or in the process of being de-identified for use in the Big Data Donation Project

    • This is a private environment, with no non-Tidepool access.

Other environments that are hosted on HIPAA-compliant services but do not host PHI:

  • Operational clusters and environment hosting tools, monitoring, analytics, logging and alerting facilities; this environment is not used for PHI covered under HIPAA.

  • Sandbox environments - testing/evaluation ops environment for tools and technology; this environment is not used for PHI covered under HIPAA.

  • QA environments - development environments, for day-to-day iteration by our development staff; this environment is not used for PHI covered under HIPAA.

The Production environment features multiple auto-scaling groups and is hosted in multiple Availability Zones.

The Production database is hosted in triplicate (primary-secondary-secondary) in multiple Availability Zones, and is additionally backed up hourly.

All of our servers are currently hosted in the us-west-2 Region of AWS.

The overall system architecture is shown below. A more detailed diagram and description of the production environment (PRD) follows in Service Architecture.

Figure 1: Tidepool Overall AWS System Architecture

The PRD environment is logically isolated in its own Virtual Private Cloud (VPC) from other environments. Different network environments can access each other only as explicitly permitted via policy and permissions managed in Infrastructure as Code (e.g. GitOPS), and are operated under a zero-trust network policy. Non-authenticated traffic is not permitted and all traffic is encrypted within clusters using TLS.

Redundant servers are maintained in multiple Availability Zones within AWS US-West 2; detailed in Availability Zones.

  • No labels