Data Protection
Atticus Health protects patient and organizational data through encryption at every layer, backup and recovery procedures, defined retention policies, and a documented breach response plan.
Encryption
At Rest
All data at rest is encrypted with AES-256, including:
- Databases — Cloud-managed encryption with support for customer-managed keys
- File storage — All uploaded documents and attachments encrypted at the storage layer
- Caches — In-memory data stores encrypted with TLS enforcement
- Backups — All backups are encrypted; no unencrypted copies exist at any point
In Transit
- External traffic — TLS 1.3 enforced at the edge with HSTS (HTTP Strict Transport Security)
- Internal traffic — mTLS (mutual TLS) between all services
- Database connections — TLS required with certificate verification
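The two in-transit controls that are easiest to get subtly wrong are the HSTS header (a short max-age or a missing includeSubDomains directive leaves downgrade room) and the database client's TLS mode (in libpq, `sslmode=require` encrypts but does not verify the server certificate; only `verify-full` checks both the certificate chain and the host name). The following is an added example, not Atticus Health's own code, that checks concrete configuration values against those two requirements. The one-year minimum max-age, the requirement for includeSubDomains, the `postgresql://` URL shape and the sample header and URLs are assumptions constructed for the example.

```python
"""Added example (not Atticus Health's code): check in-transit settings.

1. Parse a Strict-Transport-Security header value and judge it against a
   minimum max-age and an includeSubDomains requirement (both assumed here).
2. Check a PostgreSQL-style connection URL for an sslmode that verifies the
   server identity. libpq semantics: 'require' encrypts only; 'verify-ca'
   checks the chain; 'verify-full' also checks the host name.
All sample inputs below are constructed for the example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

ONE_YEAR = 365 * 24 * 3600  # seconds; assumed policy minimum for max-age


@dataclass
class HstsResult:
    present: bool
    max_age: int = 0
    include_subdomains: bool = False
    preload: bool = False
    ok: bool = False
    reasons: list = field(default_factory=list)


def check_hsts(header_value, min_max_age=ONE_YEAR):
    """Evaluate a Strict-Transport-Security header value (None = absent)."""
    if header_value is None:
        return HstsResult(present=False, reasons=["header missing"])
    result = HstsResult(present=True)
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result.max_age = int(value.strip().strip('"'))
            except ValueError:
                result.reasons.append("max-age is not an integer")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
    if result.max_age < min_max_age:
        result.reasons.append(
            f"max-age {result.max_age} below minimum {min_max_age}")
    if not result.include_subdomains:
        result.reasons.append("includeSubDomains not set")
    result.ok = not result.reasons
    return result


# libpq sslmode values in increasing order of protection.
SSLMODE_RANK = {"disable": 0, "allow": 1, "prefer": 2, "require": 3,
                "verify-ca": 4, "verify-full": 5}


def check_db_url(url):
    """Return (ok, reason) for the sslmode carried in a postgresql:// URL."""
    params = parse_qs(urlparse(url).query)
    mode = params.get("sslmode", ["prefer"])[0]  # libpq default is 'prefer'
    if mode not in SSLMODE_RANK:
        return False, f"unknown sslmode {mode!r}"
    if mode != "verify-full":
        return False, f"sslmode={mode} does not verify the server identity"
    return True, "sslmode=verify-full verifies chain and host name"


if __name__ == "__main__":
    # Constructed sample values.
    print(check_hsts("max-age=31536000; includeSubDomains; preload"))
    print(check_hsts("max-age=300"))
    print(check_db_url("postgresql://app@db.internal/ehr?sslmode=require"))
    print(check_db_url(
        "postgresql://app@db.internal/ehr?sslmode=verify-full&sslrootcert=/etc/ssl/ca.pem"))
```

A URL with no `sslmode` at all is reported as failing because libpq's default `prefer` silently falls back to plaintext if the server does not offer TLS; this is the case most often missed in review.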
Backup & Recovery
| Aspect | Policy |
|---|---|
| Recovery model | Continuous with point-in-time recovery up to 35 days |
| Backup frequency | Full daily, incremental continuous |
| Geo-redundancy | Backups replicated to a secondary cloud region |
| Recovery testing | Quarterly recovery drills with documented results |
| RTO | < 4 hours |
| RPO | < 1 hour |
Retention Policies
| Data Type | Retention Period | Basis |
|---|---|---|
| Clinical records | 7 years minimum | HIPAA and state medical record retention laws |
| Audit logs | 7 years | Compliance and forensic requirements |
| Session data | 30 days | Operational; automatically purged |
| Application logs | 90 days | Troubleshooting; automatically rotated |
Data Classification
All data is classified and handled according to its sensitivity:
- PHI (Protected Health Information) / PII (Personally Identifiable Information) — Encrypted at rest and in transit, access-controlled, fully audit-logged
- Operational data — Standard encryption, role-based access
- Public data — No additional controls required
Breach Response
Atticus Health maintains a documented incident response plan with five phases:
- Detection — Automated alerting from monitoring and cloud security services
- Containment — Isolate affected systems, revoke compromised credentials, preserve evidence
- Notification — Affected parties and regulators notified within 24 hours of a confirmed breach (exceeds HIPAA's 60-day requirement)
- Remediation — Root cause analysis, patching, and control strengthening
- Post-incident review — Documented lessons learned, updated playbooks, and stakeholder communication