GuardianStep is built for the day a probate judge, a hospital ER doctor, and a sibling with the wrong intentions all need to interact with the same record — without compromising any of it. This page describes the controls we have in place to protect the protected persons (the “wards”) and the families who use our platform.
Encryption
In transit: TLS 1.2+ everywhere. HTTPS-only via AWS Certificate Manager and CloudFront. HSTS preload list eligible.
At rest: AES-256 for the underlying database storage. Field-level AES-256-GCM encryption for protected health information (PHI), Medicare OAuth tokens, Plaid access tokens, and other secrets, using a key stored in AWS Secrets Manager and never written to logs.
Backups: Encrypted, point-in-time recovery enabled, retained per HIPAA-aligned schedule.
Passkey / hardware-key MFA available on every account.
Session re-verification required before any PHI is rendered.
Role-based access: Guardian, Co-guardian, Care team, Read-only family member, and Court-appointed reviewer roles, each with explicit permission scopes.
Granular invite system: Time-bounded, scope-limited invites for facility staff, physicians, and attorneys.
Infrastructure
AWS us-east-1, multi-AZ ready. ECS Fargate API behind an Application Load Balancer.
RDS PostgreSQL in a private VPC subnet with no public ingress. All application traffic flows through the load balancer.
CloudFront + S3 + ACM for the static frontend, with an edge function enforcing security headers (CSP, X-Frame-Options, Referrer-Policy).
Secrets: AWS Secrets Manager — no plaintext secrets in code, container images, or environment dumps.
Audit & Monitoring
Immutable audit log on every PHI read, every document download, every credential change, every share link issued, and every member added or removed.
Court-ready exports: the audit log can be filtered to a date range and exported as a signed PDF for fiduciary accounting.
Anomaly alerts: unusual access patterns (off-hours access, geographic mismatch, repeated MFA failures) trigger notifications to the primary guardian.
Application + infrastructure logging with retention aligned to HIPAA §164.316.
Third-Party Data Sources
Replit: hosting provider for the API server and PostgreSQL database. HIPAA Business Associate Agreement is in active execution; until it closes we treat Replit as a covered subprocessor under the AWS BAA umbrella for the underlying compute and storage layer.
OpenAI: embeddings and chat completions for the grounded AI co-pilot. Enterprise Business Associate Agreement plus zero-data-retention rider is in active execution; until both close, the production grounded-AI feature is gated off and only available against the demo ward.
Particle Health: EHR data aggregation. BAA in active execution; the integration is currently sandbox-only and does not pull production patient records.
Plaid: read-only bank/financial connections via OAuth. Access tokens encrypted at the field level. Webhook signatures verified before any state mutation.
CMS Blue Button 2.0: direct OAuth + PKCE connection to Medicare. Tokens encrypted at the field level. Currently running against the CMS sandbox; production credentials require CMS app review.
Twilio: A2P 10DLC-registered messaging with STOP / HELP / START handling. Phone numbers stored encrypted.
CLEAR1: biometric verification — we never store biometric templates ourselves; we receive only a verified-identity assertion.
Stripe: PCI-handled card data never touches our servers; we receive only a customer ID and subscription status.
Resend: transactional email delivery. Recipient email and message body only; no PHI in subject lines.
The full subprocessor list, including DPA / BAA status and renewal dates, is available on request via security@guardianstep.com. We notify customers in advance of any new subprocessor that processes PHI.
HIPAA Posture
BAA in place with our cloud infrastructure provider (AWS); BAAs with Replit (hosting), OpenAI (Enterprise BAA + zero-data-retention rider) and Particle Health (EHR) are in active execution. Until those close, the production grounded-AI feature is gated off and the Particle integration is sandbox-only.
Administrative safeguards: documented access-review cadence, least-privilege defaults, mandatory training for any team member with PHI access.
Physical safeguards: AWS data centers (SOC 2 Type II, ISO 27001).
Technical safeguards: encryption, access controls, audit controls, integrity controls, and transmission security as described above.
Breach notification: documented response plan with named owners and 60-day external notification commitment per §164.404.
Reporting a Vulnerability
Security researchers and good-faith finders are encouraged to report issues. We will not pursue legal action against good-faith research that respects the protected persons whose data we hold.
Please include reproduction steps. We acknowledge within 2 business days.
This page describes our current production posture. We update it whenever a meaningful control changes. For a copy of our security questionnaire, current SOC 2 readiness status, or to request a BAA, email security@guardianstep.com.