The encryption, access, audit, and incident-response baseline we run today — with our roadmap to formal certification. Designed for procurement, privacy, and information security teams reviewing us as a vendor.
TLS 1.2 or higher on every public endpoint and every internal AWS service hop. Modern cipher suites only.
AES-256 for every database table, object store, and backup. Keys are AWS KMS-managed; rotation handled by AWS.
Standard security response headers (HSTS, CSP, X-Frame-Options, Referrer-Policy) are being rolled out across every public route.
Amazon Cognito user pools with role-based group membership. Sessions terminate on sign-out and on token expiry.
Cognito-native TOTP MFA is being made mandatory for admin and scheduler roles; today it is available as opt-in. Mandatory enrolment lands in the next sprint.
Role-based access control: admin, scheduler, doctor, and read-only viewer. AppSync resolver rules scope reads and writes per role; doctors see only their own preferences.
No standing engineer access to production data. Operational access is granted on a recorded ticket and revoked when the ticket closes.
A dedicated AuditLog data model captures actor, action, target type and id, before/after JSON, free-text summary, and timestamp.
Schedule create/publish/delete, manual reassignments, preference saves, and role and invite changes are being instrumented to write an audit entry on every change. Targeted completion: this quarter.
Audit-log writes will stream to an immutable S3 Object Lock archive so even an admin compromise cannot rewrite history. Build in flight.
On request we will export the full audit trail for any reporting period as CSV or JSON within five business days. Self-serve export will follow tamper-resistant storage.
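One way to stand up the immutable archive described above, as an added Terraform example that is not Rosterly's own infrastructure code (bucket name and retention period are placeholders): the setting that matters is the COMPLIANCE retention mode, because GOVERNANCE mode can be lifted by any principal holding the bypass permission and so would not survive an admin compromise.

```hcl
# Added example (not Rosterly's own infrastructure code): an S3 bucket that
# receives streamed audit-log records under Object Lock. The bucket name and
# the retention period are placeholders.
resource "aws_s3_bucket" "audit_archive" {
  bucket              = "example-audit-archive-bucket" # placeholder name
  object_lock_enabled = true                           # must be set when the bucket is created
}

# Object Lock requires versioning on the bucket.
resource "aws_s3_bucket_versioning" "audit_archive" {
  bucket = aws_s3_bucket.audit_archive.id
  versioning_configuration {
    status = "Enabled"
  }
}

# COMPLIANCE mode is what makes the archive immutable against an admin: no
# principal, including the account root, can shorten the retention or delete
# a locked object version until the period expires. GOVERNANCE mode would let
# anyone granted s3:BypassGovernanceRetention remove records, so it does not
# meet the "admin compromise cannot rewrite history" goal.
resource "aws_s3_bucket_object_lock_configuration" "audit_archive" {
  bucket = aws_s3_bucket.audit_archive.id
  rule {
    default_retention {
      mode = "COMPLIANCE"
      days = 2555 # placeholder (~7 years); align with the customer's retention obligation
    }
  }
}

# Block all public access regardless of any object ACL or bucket policy.
resource "aws_s3_bucket_public_access_block" "audit_archive" {
  bucket                  = aws_s3_bucket.audit_archive.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

A retention period set in COMPLIANCE mode cannot be shortened afterwards, so the placeholder value should be agreed with the customer's record-retention requirement before it is applied.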
Canadian customers run in AWS Canada (Central). UK, EU, US, and Australian customers run in the matching AWS region. No replication outside the chosen jurisdiction.
Application and data layers run inside AWS-managed VPCs. Public traffic terminates at CloudFront; the database has no public network path.
DynamoDB Point-in-Time Recovery enabled — every customer write is restorable to any second within the prior 35 days.
A quarterly tested-restore drill is being scheduled into our operational cadence. The first drill is timed to coincide with the SOC 2 evidence window.
Every change to the main branch goes through pull request, automated typecheck + tests, and human review.
Both runtime and build dependencies are version-locked in package-lock.json across dev and prod environments.
GitHub Dependabot is being enabled across the repo and CI is being configured to fail on high and critical CVEs. We currently triage advisories manually.
No secrets in source control. Runtime secrets sit in AWS-managed environment configuration; rotated on personnel change.
For incidents affecting customer data, the customer (the health information custodian) is notified at the first reasonable opportunity — with the technical detail they need to meet their own PHIPA s. 12.3, Regulation 329/04, PIPEDA breach-of-safeguards, GDPR Article 33, and equivalent obligations.
Every incident gets a written post-mortem shared with the affected customer, including timeline, root cause, customer impact, and remediation.
CloudWatch alarms for authentication failures, error-rate anomalies, and unusual access patterns are being deployed alongside the audit-log work. The on-call rotation will be formalised as part of SOC 2 Type II.
Third-party services we use to run Rosterly Health. Customers are notified at least 30 days before any addition.
| Vendor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Application hosting, database, object storage, authentication | Customer-selected (Canada Central / Europe / US / Sydney) |
| Resend | Transactional email (account, invite, schedule notifications) | EU / US — opt-out available for Canadian customers |
| GitHub | Source code hosting and CI / CD | US (no customer data crosses this boundary) |
| Anthropic Claude | Engineering assistance (code review only — no customer data) | US |
Our controls and policies are designed to meet PIPEDA (federal personal information), Ontario's PHIPA (as agent of the health information custodian), Quebec's Law 25, BC's PIPA, Alberta's HIA, UK GDPR / DPA 2018, EU GDPR, the Australian Privacy Act 1988, and HIPAA technical safeguards (under a Business Associate Agreement, where applicable).
We respond to security reports within one business day. Coordinated disclosure is welcome — please give us 90 days before public disclosure for issues affecting customer data.