Security & Privacy
Last updated: May 27, 2026
Ada is a personal health record app. Everything we build is in service of one promise: that the information you trust us with stays protected, stays yours, and is used only for the purposes you authorize. This page summarizes how we protect that information, the technical safeguards in place, and how healthcare organizations, security researchers, and patients can reach our security team.
The short version
TLS 1.2+ everywhere
All traffic between the Ada app, our API, and partner systems is encrypted in transit. We pin Apple App Attest certificates on the iOS client.
AES-256, per-record
Identifiable health records are stored with AES-256 encryption at rest. Field-level encryption for sensitive content like clinical notes.
Per-user data isolation
No employee has standing access to identifiable patient data. Production access is logged, time-bounded, and requires documented justification.
Append-only, immutable
Every access to a patient's record is logged with actor, timestamp, action, and resource. Logs are retained per HIPAA guidance.
Apple App Attest
API requests from the iOS app are cryptographically attested. We verify the request came from the genuine Ada app on a real Apple device.
AWS US-East, hardened
Production runs on AWS in HIPAA-eligible services. No SSH; all admin access is via AWS Systems Manager (SSM) with session logging.
1. Data minimization
We collect only what's needed to deliver the Service: account information (name, email, date of birth), records you upload or import at your direction, and limited device/usage telemetry. We do not collect precise GPS location, advertising identifiers, or social-graph data. We do not sell information that identifies you, and we do not use your identifiable health information for advertising. (See Privacy Policy.)
2. Encryption
In transit
- TLS 1.2 minimum (TLS 1.3 preferred) for all API and browser traffic.
- Strict-Transport-Security with preload eligibility on meetmyada.com and api.meetmyada.com.
- HTTPS-only redirects on all public endpoints.
At rest
- AES-256 disk encryption on all production database volumes (managed via AWS).
- Field-level encryption on titles and raw FHIR payloads of medical records (title_encrypted and raw_data_encrypted columns).
- Encrypted backups, separately managed.
Key management
- JWT signing keys (for SMART-on-FHIR client authentication with EHR partners) generated as 2048-bit RSA, stored with restricted filesystem permissions on the production host, never committed to source control.
- Public key (JWK) is available on request to integration partners. Key rotation policy: 12 months or sooner on suspected compromise.
3. Authentication & access
End-user authentication
- Email + password with bcrypt hashing (work factor 12).
- One-time OTP codes for password resets, expiring after 10 minutes.
- Session tokens issued via Laravel Sanctum, scoped per-device, revocable from a Sessions screen in-app.
- Apple App Attest binds API requests to a specific genuine Ada iOS install. Attestation challenges are single-use and server-validated.
EHR integrations
- SMART-on-FHIR with PKCE for patient-facing authorization to MyChart / Epic.
- Production client ID registered with Epic. Where required by a covered entity, we authenticate as a confidential client using JWT assertions signed by our private key — the public JWK is shared with the entity in advance.
- OAuth state and PKCE verifiers are server-cached for ≤10 minutes and consumed exactly once.
- Refresh tokens, when issued, are encrypted at rest and only used to refresh access on behalf of the originating user.
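The two properties the list above relies on for the authorization leg, a PKCE S256 challenge and a server-side state cache that lives at most 10 minutes and is consumed exactly once, are shown here as an added example; this is not Ada's code, and the in-memory dict, the injectable clock and the key names are assumptions standing in for whatever store the real service uses.

```python
"""PKCE (RFC 7636, S256) plus a single-use OAuth state cache, modelled on
the SMART-on-FHIR flow described above.

Added example, not Ada's code. The cache is an in-memory dict standing in
for a real server-side store; the injectable clock exists so expiry can be
exercised deterministically.
"""
import base64
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

STATE_TTL_SECONDS = 10 * 60  # state and verifier live at most 10 minutes


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    secrets.token_urlsafe(64) yields 86 unreserved characters, inside the
    43..128 range RFC 7636 allows for a verifier.
    """
    verifier = secrets.token_urlsafe(64)
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_challenge(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs when the code is redeemed."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


class AuthorizationCache:
    """Server-side cache keyed by the OAuth ``state`` value.

    Each entry is redeemable exactly once: a replayed callback, an unknown
    state, or a callback arriving after the TTL all yield None, and the
    caller must reject the redirect.
    """

    def __init__(self, ttl: int = STATE_TTL_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl
        self._clock = clock
        # state -> (expires_at, user_id, code_verifier)
        self._entries: Dict[str, Tuple[float, str, str]] = {}

    def begin(self, user_id: str) -> Tuple[str, str]:
        """Start a flow for user_id.

        Stores the verifier under a fresh state and returns (state,
        code_challenge), the two values the client puts in the authorize
        request. The verifier itself never leaves the server.
        """
        verifier, challenge = make_pkce_pair()
        state = secrets.token_urlsafe(32)
        self._entries[state] = (self._clock() + self._ttl, user_id, verifier)
        return state, challenge

    def consume(self, state: str) -> Optional[Tuple[str, str]]:
        """Redeem a callback. Returns (user_id, code_verifier) once, else None."""
        entry = self._entries.pop(state, None)  # pop: never redeemable twice
        if entry is None:
            return None
        expires_at, user_id, verifier = entry
        if self._clock() > expires_at:
            return None  # expired; already dropped by pop above
        return user_id, verifier
```

The verifier is kept server-side and only the challenge goes to the browser, so a leaked authorization code cannot be redeemed without the cached entry; popping on first use is what makes a replayed or duplicated callback fail closed.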
Administrative access
- No direct SSH to production hosts. All admin access goes through AWS Systems Manager Session Manager, which logs commands and session metadata.
- Production access follows least privilege and is granted just-in-time: justified, time-bounded, and audited.
- Personnel with production access sign confidentiality agreements and complete privacy training annually.
4. Audit logging & monitoring
- Application audit log. Every read or write to a medical record is logged with actor (user or system), action, resource ID, IP, user agent, and timestamp. The audit_logs table is append-only and retained per HIPAA Security Rule guidance (6 years).
- Infrastructure logs. AWS CloudTrail captures all infrastructure-level API calls. SSM session logs are retained.
- Anomaly detection. We monitor for unusual access patterns (off-hours bulk reads, geographic anomalies, repeated auth failures) and alert on suspicious activity.
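Two of the patterns named above, off-hours bulk reads and repeated authentication failures, can be checked directly against records shaped like the application audit log (actor, action, resource ID, IP, timestamp). The example below is added here and is not Ada's detection logic; the thresholds, the off-hours window, the JSON field names and the sample records are all constructed for illustration.

```python
"""Anomaly checks over application audit-log records of the kind described
above. Added example, not Ada's detection logic: thresholds, the off-hours
window, the field names and the sample records are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

OFF_HOURS = range(0, 6)                  # 00:00-05:59 UTC treated as off-hours
BULK_READ_THRESHOLD = 20                 # distinct records by one actor, one day
AUTH_FAIL_THRESHOLD = 5                  # failures from one IP ...
AUTH_FAIL_WINDOW = timedelta(minutes=10)  # ... inside this sliding window


def _rec(ts: str, actor: str, action: str, resource: str, ip: str) -> str:
    """Build one constructed audit-log line in the assumed JSON shape."""
    return json.dumps({"ts": ts, "actor": actor, "action": action,
                       "resource": resource, "ip": ip})


# Constructed sample log: one ordinary user, one account bulk-reading at
# 03:00 UTC, and one IP producing six login failures within five minutes.
SAMPLE_LOG: List[str] = (
    [_rec("2026-05-20T14:05:00Z", "user:alice", "record.read", "rec-1", "198.51.100.7"),
     _rec("2026-05-20T14:06:00Z", "user:alice", "record.read", "rec-2", "198.51.100.7")]
    + [_rec(f"2026-05-21T03:{i:02d}:00Z", "user:support-9", "record.read",
            f"rec-{100 + i}", "203.0.113.5") for i in range(25)]
    + [_rec(f"2026-05-21T09:0{i}:00Z", "anon", "auth.failure", "-", "192.0.2.44")
       for i in range(6)]
)


def parse(line: str) -> dict:
    """Decode one JSON line; timestamps are UTC with a trailing Z."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_off_hours_bulk_reads(records: List[dict]) -> List[str]:
    """Actors reading >= BULK_READ_THRESHOLD distinct records in off-hours on one UTC day."""
    distinct = defaultdict(set)  # (actor, date) -> set of resource IDs
    for r in records:
        if r["action"] == "record.read" and r["ts"].hour in OFF_HOURS:
            distinct[(r["actor"], r["ts"].date())].add(r["resource"])
    return sorted({actor for (actor, _day), res in distinct.items()
                   if len(res) >= BULK_READ_THRESHOLD})


def detect_repeated_auth_failures(records: List[dict]) -> List[str]:
    """IPs with >= AUTH_FAIL_THRESHOLD failures inside any AUTH_FAIL_WINDOW."""
    failures = defaultdict(list)  # ip -> sorted failure timestamps
    for r in records:
        if r["action"] == "auth.failure":
            failures[r["ip"]].append(r["ts"])
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > AUTH_FAIL_WINDOW:
                start += 1
            if end - start + 1 >= AUTH_FAIL_THRESHOLD:
                flagged.append(ip)
                break
    return sorted(flagged)


def run(lines: List[str]) -> Dict[str, List[str]]:
    """Parse the lines and return both findings, ready to alert on."""
    records = [parse(line) for line in lines]
    return {
        "off_hours_bulk_readers": detect_off_hours_bulk_reads(records),
        "repeated_auth_failure_ips": detect_repeated_auth_failures(records),
    }


if __name__ == "__main__":
    print(json.dumps(run(SAMPLE_LOG), indent=2))
```

Counting distinct resource IDs rather than raw read events keeps a user repeatedly opening one record out of the bulk-read finding, and the sliding window on failures avoids the blind spot of fixed clock-aligned buckets.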
5. AI processing
Ada uses Anthropic's Claude as a sub-processor for record summarization and conversational features. Inputs and outputs are processed under Anthropic's Commercial Terms of Service, which restrict use of customer data to delivering the service (no training on customer data). We retain only the minimum necessary AI conversation history to deliver continuity for the user, and that history is encrypted at rest. Patients may opt out of AI features per record. See Privacy Policy §7 for the full AI processing disclosure.
6. Subprocessors
We use a minimal set of vendors. Current production subprocessors handling identifiable information:
- Amazon Web Services (AWS) — cloud hosting (US-East-1), HIPAA BAA in place. Hosts API, database, file storage.
- Anthropic, PBC — AI processing for record summaries and chat. Commercial Terms with confidentiality and no-training obligations.
- Cloudflare — CDN and DDoS protection for the marketing site (meetmyada.com). Does not see API traffic.
We will notify customers and update this page before introducing a new subprocessor that handles identifiable health information.
7. Breach response
- If we detect unauthorized access to identifiable health information, we follow a documented incident-response plan: contain, assess, notify.
- Affected users are notified within 60 days of discovery (HIPAA Breach Notification Rule timing; we typically notify faster).
- We notify the FTC under the Health Breach Notification Rule for breaches of unsecured identifiable health information.
- For breaches affecting protected health information of a covered entity's patients, we notify the covered entity per the terms of our Business Associate Agreement.
8. Patient rights & deletion
- Account deletion is available in-app and via [email protected]. We delete identifiable health information within 30 days, except where retention is required by law (limited audit metadata) or where information has been de-identified.
- Patients can disconnect any MyChart / EHR connection at any time. On disconnect, refresh tokens are invalidated and no further data is pulled. Already-pulled records remain in the patient's Ada library until the patient deletes them or their account.
- Patients can request a full export of their data in a portable format.
9. Compliance posture
- HIPAA Security Rule — we apply HIPAA-aligned administrative, physical, and technical safeguards to PHI. We sign BAAs with covered entities and with subprocessors that handle PHI.
- FTC Health Breach Notification Rule — applies to Ada as a personal health record vendor; we comply with the breach-notification requirements.
- State privacy laws — CCPA/CPRA, Washington My Health My Data, Virginia/Colorado/Connecticut/Utah/Texas/Oregon/Montana CDPA-family laws, Georgia data-breach statute. See Privacy Policy §5.
- EHR partner standards — Ada is registered on the Epic App Marketplace. Production Client ID and audited scope set available on request.
10. Responsible disclosure
If you believe you have found a vulnerability in Ada, please email [email protected]. We commit to:
- Acknowledge your report within 3 business days.
- Triage and provide a status update within 10 business days.
- Not pursue legal action against good-faith researchers who follow this policy, do not exfiltrate or modify patient data, and give us reasonable time to remediate before publishing.
We are working on a formal bug-bounty program; in the meantime we can offer acknowledgment and, where appropriate, a thank-you payment.
Contacts
Security inquiries / vuln reports: [email protected]
Hospital integrations / BAA: [email protected]
Privacy requests: [email protected]
Legal: [email protected]
Public JWK for SMART client authentication: /keys/ada-public-jwk.json · /.well-known/jwks.json