Security and Compliance


Oystehr is built with security and compliance as our top priority. Oystehr systems are architected against breach or loss, malicious or accidental. Like the clinical organizations we serve, "first, do no harm" is baked into our culture. We view everything we do from the perspective of securing our systems and data, whether technical or operational.

Data Storage

Oystehr stores data in multiple isolated, HIPAA-compliant environments. In multi-tenant environments, customer data is logically separated at each level of the network, application, and data stacks, providing multiple fail-safe mechanisms. In addition to organization-level segmentation, Oystehr provides a robust, customizable access-policy implementation allowing organizations to further restrict access to data according to organizational needs.


Oystehr protects three types of persistent data at rest: discrete files, logs, and database instances. All logs, discrete files stored on the Oystehr platform, and database instances are encrypted at rest with the AES-256 encryption algorithm. Data in transit is encrypted with SSL using TLS 1.2+.


Oystehr services sit behind a modern Web Application Firewall (WAF). Web Hosting and network API services are scalable and resilient, with automated protection against denial of service and bot attacks. All inbound traffic communicating with Oystehr must use HTTPS, with a minimum of TLS version 1.2. Insecure HTTP traffic is upgraded to HTTPS or discarded.


Oystehr's infrastructure is serverless (opens in a new tab), highly available, and fault-tolerant. This means there are no servers to manage, no operating systems to patch, and that there is no software to install to ensure a secure compute environment. Services scale automatically to meet demand, and recover from failures without any human intervention. In the event of unexpected downtime services will automatically migrate to other availability zones to ensure continuity of service.

Application Security

Linters, static code analysis, unit tests, integration tests, end-to-end tests, and manual code reviews ensure code quality. cdk-nag (opens in a new tab) helps enforce compliance with cloud benchmarks provided by the Center for Internet Security by automatically flagging and preventing deployment of noncompliant resources. Oystehr performs both internal and external security auditing and testing including independent third-party penetration testing and vulnerability scanning.

Oystehr's Security Toolkit

Oystehr uses Security Hub to maintain a centralized view of Oystehr's security posture at all times across multiple dependent services. This 'single pane of glass' monitors compliance against CIS Benchmarks v1.2.0, as well as validating the security posture of cloud asset and account configurations. AWS Guard Duty intelligently monitors external threats, and CloudWatch alarms alert Oystehr teams of any infrastructure, security, and compliance issues.

Required Training

All employees must complete comprehensive security awareness training and review our internal policy documents annually.

Contact Info

Please contact us with any security related concerns or question at [email protected]