Open

 

Figure 2: Tidepool Production Environment

All Production, Integration, Operations, and Development services are hosted on dedicated, HIPAA-compliant AWS EKS Kubernetes clusters.

All Analytics and Sandbox environments are hosted on dedicated HIPAA-compliant environments, though do not contain PHI.

Our Operations, Development, and Sandbox environments are only used internally for Tidepool development, do not host end-user PHI, and are not covered under our HIPAA BAAs, but run in identical and separate environments for consistency in development, testing, and data isolation.

Tidepool uses a standard micro distribution of Linux called Alpine, which is secured by default and has had all unnecessary software packages and dependencies removed to minimize system footprint and make it resistant to attacks by removing all software that is not used. Software and services not installed do not need to be patched.

These Database as a Service (DBaaS) instances also run on AWS, but with the infrastructure for the databases handled as a managed service, under the care of MongoDB. MongoDB Atlas handles backups, software upgrades/patching of databases, network security.

All environments also store data in secure private encrypted AWS S3 buckets. There is no access granted to these S3 buckets other than via explicit policy, and only systems hosting the data and Tidepool AWS administrators may access S3 buckets. See Production access for additional details.

Network environments and virtual instances are designed and configured to restrict and monitor traffic between trusted and untrusted connections.

Tidepool Services run as a multi-tenant, and data access is restricted via RBAC and Access Controls.