Smarter Blood

Military Level Security

Your Health Data, Protected

We take the security and privacy of your health information seriously. Built on AWS with military-level encryption, your data is protected by the same security infrastructure trusted by the world's largest organizations.

  • AES-256 Encryption
  • SOC 2 Type II Certified
  • ISO 27001 Certified
  • ISO 9001 Certified
  • GDPR Compliant

Data Encryption

256-bit AES Encryption at Rest

All stored data is encrypted using AES-256, the same encryption standard used by banks, government agencies, and military organizations worldwide.

  • Server-side encryption enabled on all S3 buckets
  • DynamoDB encryption at rest using AWS-managed keys
  • Encryption keys rotated automatically by AWS KMS

TLS 1.3 Encryption in Transit

Every connection to SmarterBlood uses TLS 1.3, the latest and most secure version of the Transport Layer Security protocol.

  • HTTPS enforced on all endpoints
  • HTTP Strict Transport Security (HSTS) enabled
  • Perfect Forward Secrecy (PFS) supported
  • SSL Labs A+ rating

Secure Authentication

Your account is protected by industry-standard authentication powered by AWS Cognito.

  • Strong password requirements enforced
  • Secure password hashing (bcrypt)
  • Magic link email verification
  • Session tokens with automatic expiration

Secure Infrastructure

Triple-Certified Infrastructure

Built entirely on AWS, which maintains SOC 2 Type II, ISO 27001, and ISO 9001 certifications.

  • SOC 2 Type II: Security controls independently audited
  • ISO 27001: Information security management certified
  • ISO 9001: Quality management system certified
  • Annual recertification and continuous monitoring

Australian Data Residency

Your health data is stored in the AWS Sydney region (ap-southeast-2), ensuring it remains subject to Australian privacy laws.

  • Data never leaves Australian jurisdiction
  • Compliant with Australian Privacy Principles
  • Subject to Australian data protection regulations

Isolated Data Storage

Each user's data is logically separated and access-controlled to prevent unauthorized access.

  • User data partitioned by unique identifiers
  • IAM policies restrict cross-user access
  • API gateway authentication on all endpoints

Automated Backups

Your data is automatically backed up to ensure it's never lost.

  • Daily automated backups
  • Point-in-time recovery available
  • Backups encrypted with same AES-256 standard
  • Disaster recovery procedures in place

Privacy Commitment

No Data Selling - Ever

We will never sell, share, or monetize your personal health information. Your data exists solely to serve you.

  • No advertising partners
  • No data brokers
  • No third-party analytics on health data
  • Business model: donations, not data

Delete Your Data Anytime

You have complete control. Delete your account and all associated data at any time with immediate effect.

  • One-click account deletion
  • All records permanently removed
  • Backups purged within 90 days
  • No hidden data retention

Minimal Data Collection

We only collect what's necessary to provide the service. No tracking, no profiling.

  • Email address for account only
  • Blood test results you upload
  • No location tracking
  • No device fingerprinting

Compliance Standards

SOC 2 Type II

Service Organization Control

Built on AWS infrastructure with SOC 2 Type II certification for security, availability, and confidentiality.

ISO 27001

Information Security Management

AWS infrastructure certified to ISO 27001 international standard for information security management.

ISO 9001

Quality Management System

AWS infrastructure certified to ISO 9001 for quality management and continuous improvement.

GDPR

General Data Protection Regulation

EU data protection regulation. We support right to access, right to erasure, and data portability.

HIPAA Aligned

Health Insurance Portability and Accountability Act

US healthcare data standard. Our practices align with HIPAA requirements for protecting health information.

Australian Privacy Act

Privacy Act 1988 (Cth)

Australian privacy legislation. We comply with all 13 Australian Privacy Principles (APPs).

Incident Response

In the unlikely event of a security incident affecting your data:

  • < 72 hours: You will be notified via email
  • Immediately: Affected systems isolated and secured
  • Ongoing: Clear guidance on recommended actions
  • As required: Authorities notified per legal obligations

Security FAQs

Your data is encrypted twice: once in transit using TLS 1.3 as it travels to our servers, and again at rest using AES-256 encryption when stored. This means even if someone intercepted your data or accessed our storage directly, they couldn't read it without the encryption keys, which are managed by AWS Key Management Service.

Only you can access your health data through your authenticated account. Our systems use automated AI processing - no humans review your blood test results. Our engineering team has access to infrastructure for maintenance purposes, but cannot view individual user data due to encryption and access controls.

Yes. You can download all your blood test results and analysis data at any time through your dashboard. This supports your right to data portability under GDPR and similar regulations.

In the unlikely event of a data breach, we will notify affected users within 72 hours as required by GDPR. We'll explain what happened, what data was affected, and what steps you should take. We also report breaches to relevant authorities as legally required.

Your data is retained while your account is active. If you delete your account, your data is immediately removed from our active systems. Backups are purged within 90 days. System logs (which don't contain health data) are retained for up to 12 months for security monitoring.

HIPAA doesn't have a formal certification process. However, our practices are aligned with HIPAA requirements. We use AWS services that are HIPAA-eligible, encrypt all health data, and implement access controls consistent with HIPAA's Security Rule.

We use only essential cookies required for the website to function (session management, authentication). We don't use tracking cookies, advertising cookies, or third-party analytics cookies on pages where you're logged in.

Yes. We comply with GDPR requirements including lawful basis for processing (your consent), right to access, right to erasure, and data portability. Your data is processed in Australia, with appropriate safeguards in place for international data transfers.

Questions About Security?

If you have any questions about our security practices or want to report a security concern, we're here to help.


Last Updated: January 2026 | Version 1.0