Security & Privacy

How MAHA Healer protects your family's health data.

MAHA Healer is built to handle sensitive medical information with the care it deserves. We follow industry best practices for data security, and our architecture is designed with privacy as a core principle — not an afterthought.

Encryption Everywhere

  • In transit: All connections are encrypted with TLS 1.3 via automatically provisioned Let's Encrypt certificates. Your data is never sent in the clear.
  • At rest: Sensitive fields such as API credentials are encrypted using Rails Active Record Encryption before being stored in the database.
  • Infrastructure: Our servers run on encrypted volumes with strict firewall rules that limit access to only the ports necessary for operation.

Access Control & Authentication

  • Multi-factor authentication: TOTP-based two-factor authentication is available for all accounts, adding a second layer of protection beyond your password.
  • Tenant isolation: Each family's data is strictly isolated at the database level. There is no shared access between organizations — your data is yours alone.
  • Role-based access: Account owners control who can access their family's health records.
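As an added illustration of what a server-side TOTP check (RFC 6238) involves, here is example code that is not MAHA Healer's own implementation; the 30-second step, 6-digit codes, one-step skew window and the replay guard are assumptions typical of such a check. It runs with only Ruby's standard library.

```ruby
require "openssl"

# RFC 6238 TOTP verification, written as an illustration of the
# "TOTP-based two-factor authentication" bullet above. This is added
# example code, not MAHA Healer's implementation; a Rails app would
# normally rely on a maintained gem rather than hand-rolling this.

TOTP_STEP   = 30   # seconds per time step (assumed)
TOTP_DIGITS = 6    # code length (assumed)

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
# dynamically truncated to a 31-bit integer, reduced to DIGITS digits.
def hotp(secret, counter, digits = TOTP_DIGITS)
  hmac = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>")).bytes
  offset = hmac.last & 0x0f
  code = ((hmac[offset] & 0x7f) << 24) |
         (hmac[offset + 1] << 16) |
         (hmac[offset + 2] << 8) |
         hmac[offset + 3]
  (code % 10**digits).to_s.rjust(digits, "0")
end

# TOTP: HOTP with the counter derived from Unix time.
def totp(secret, unix_time, step = TOTP_STEP)
  hotp(secret, unix_time / step)
end

# Server-side verification. Accepts the current step and `skew` steps
# on either side to tolerate clock drift, compares in constant time so
# timing does not leak how many digits matched, and refuses any step at
# or before the last one already consumed (a code can be used once).
# Returns the matched step on success, nil on failure.
def verify_totp(secret, submitted, unix_time, last_used_step: -1, skew: 1)
  submitted = submitted.to_s
  return nil unless submitted.length == TOTP_DIGITS
  current = unix_time / TOTP_STEP
  (-skew..skew).each do |delta|
    step = current + delta
    next if step <= last_used_step
    return step if OpenSSL.secure_compare(hotp(secret, step), submitted)
  end
  nil
end
```

The returned step should be stored as the account's new `last_used_step` so the same code cannot be replayed within the skew window.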

Audit Logging

  • Change tracking: All modifications to health records are logged with full version history using Paper Trail audit logging. Nothing is silently changed or deleted.
  • Access logs: Sign-in activity is tracked, including timestamps and IP addresses, so you can see when and where your account was accessed.

AI & Data Processing

  • Your API keys: Each family brings their own Anthropic and OpenAI API keys. Your medical documents are sent directly from our servers to the AI provider under your account — we never use a shared key.
  • No training on your data: Both Anthropic's and OpenAI's API terms state that data sent via their APIs is not used to train their models.
  • Minimal data sharing: Only the specific document being parsed is sent to the AI. We do not send your full medical history, account details, or other personal information.

Infrastructure Security

  • Cloud hosting: MAHA Healer runs on DigitalOcean infrastructure in the United States, with automated daily database backups.
  • Network security: Cloud firewalls restrict inbound traffic to only HTTPS (port 443) and SSH for deployment. The database is not accessible from the public internet.
  • Automated deployments: Code changes go through automated security scanning (Brakeman, Bundler-audit), linting, and a full test suite before deployment.

A Note on HIPAA

MAHA Healer is designed with HIPAA's technical safeguards in mind — including encryption, access controls, audit logging, and data isolation. We are actively working toward full HIPAA compliance, which includes signing Business Associate Agreements (BAAs) with our infrastructure providers.

If you are a healthcare provider or covered entity with specific compliance requirements, please contact us to discuss your needs.

Questions about our security practices? Get in touch