Patient data protection drives every architectural decision at GlucoWorks.
GlucoWorks executes a Business Associate Agreement with every customer before any PHI is processed. All PHI is encrypted in transit and at rest, access is role-controlled, and every access event is logged.
- Encryption: TLS 1.3 in transit, AES-256 at rest, KMS-managed keys in production.
- Access control: MFA (TOTP), role-based access control, session timeout, account lockout.
- Audit logging: every PHI access is logged with user, IP, resource and timestamp; the log is immutable and retained for 7 years.
- Data integrity: soft deletes with audit trails, note versioning, foreign key constraints.
- Session management: 15-minute timeout in production, session ID regeneration on login, maximum of 3 concurrent sessions.
- Monitoring: automated detection of suspicious access patterns, real-time alerting for critical events.
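The session controls listed above (timeout, ID regeneration at login, a cap on concurrent sessions) are easy to state and easy to get subtly wrong. The following is an added illustration, not GlucoWorks code: an in-memory session store that regenerates the session ID when authentication succeeds (so a pre-authentication ID planted by an attacker cannot become an authenticated session), expires sessions after 15 minutes of inactivity, and evicts the oldest session once a user exceeds three. The 15-minute value is read here as an idle timeout and the cap as per user; both readings, the `SessionStore` class and its method names are assumptions of this example.

```python
import secrets
import time
from collections import OrderedDict

IDLE_TIMEOUT_SECONDS = 15 * 60   # the 15-minute timeout stated above, treated as idle time (assumption)
MAX_SESSIONS_PER_USER = 3        # "max 3 concurrent sessions", read as per user (assumption)


class SessionStore:
    """In-memory session store (example only) showing three controls: idle expiry,
    ID regeneration at login, and a per-user cap that evicts the oldest session."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised deterministically
        self._sessions = {}      # session_id -> {"user": str | None, "last_seen": float}
        self._by_user = {}       # user -> OrderedDict(session_id -> None), oldest first

    def start_anonymous(self):
        """Pre-authentication session, e.g. carrying a CSRF token during the login flow."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, user, presented_sid=None):
        """Called after password and MFA checks succeed. The ID the client presented
        before authenticating is destroyed and a fresh one is minted, which is what
        closes the session-fixation hole; then the per-user cap is enforced."""
        if presented_sid is not None:
            self.destroy(presented_sid)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        per_user = self._by_user.setdefault(user, OrderedDict())
        per_user[sid] = None
        while len(per_user) > MAX_SESSIONS_PER_USER:
            oldest, _ = per_user.popitem(last=False)   # evict the least recently created
            self._sessions.pop(oldest, None)
        return sid

    def resolve(self, sid):
        """Return the authenticated user for a live session and refresh its idle timer.
        Returns None for unknown, expired, or not-yet-authenticated sessions."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self.destroy(sid)   # lazy expiry: the record dies on first touch after the deadline
            return None
        s["last_seen"] = self._now()
        return s["user"]

    def is_live(self, sid):
        """True if the ID is still known to the store (expiry is not checked here)."""
        return sid in self._sessions

    def destroy(self, sid):
        s = self._sessions.pop(sid, None)
        if s is not None and s["user"] is not None:
            self._by_user.get(s["user"], OrderedDict()).pop(sid, None)

    def active_sessions(self, user):
        return len(self._by_user.get(user, ()))


if __name__ == "__main__":
    store = SessionStore()
    pre = store.start_anonymous()
    sid = store.login("rn.alvarez", presented_sid=pre)
    print("pre-auth ID still valid after login:", store.is_live(pre))
    print("authenticated user for new ID:", store.resolve(sid))
```

Two points worth checking against any real implementation: the old ID must be invalidated server-side, not merely replaced in the cookie, and the idle timer should only be refreshed by authenticated requests so that a background poll from an abandoned tab does not keep a session alive indefinitely.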
All GlucoWorks products that handle PHI are deployed on Google Cloud Platform under a single Business Associate Agreement.
| Service | Purpose | Coverage |
|---|---|---|
| Google Cloud Run | Application hosting (compute) | Google Cloud BAA |
| Cloud SQL (PostgreSQL) | Patient records, clinical notes, audit logs | BAA + AES-256 at rest |
| Cloud Storage | PDF document storage | BAA + encryption at rest |
| Secret Manager | API keys, credentials | BAA + KMS-backed |
| Vertex AI (Gemini) | Vision-based PDF extraction | Google Cloud BAA |
| Cloud Audit Logs | Immutable compliance audit trail | BAA + 7-year retention |
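The access records described above (user, IP, resource, timestamp) are exactly the input that "automated detection of suspicious access patterns" needs. As an added example that is not GlucoWorks' detection logic, the script below runs two common heuristics over a constructed batch of such events: a user touching many distinct patient records within a short window (the shape of record enumeration or bulk export), and a user appearing from a source address never seen for them before. The event shape, the `KNOWN_IPS` baseline, the thresholds and all names in the sample are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed, entirely synthetic PHI access events in the field shape the page describes.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:00:00Z", "user": "rn.alvarez", "ip": "10.20.0.14", "resource": "patient/1001"},
    {"ts": "2024-03-04T09:02:10Z", "user": "rn.alvarez", "ip": "10.20.0.14", "resource": "patient/1002"},
    {"ts": "2024-03-04T09:03:30Z", "user": "rn.alvarez", "ip": "10.20.0.14", "resource": "note/55"},
    {"ts": "2024-03-04T09:10:00Z", "user": "dr.patel", "ip": "10.20.0.31", "resource": "patient/1001"},
    {"ts": "2024-03-04T09:10:20Z", "user": "dr.patel", "ip": "10.20.0.31", "resource": "patient/1002"},
    {"ts": "2024-03-04T09:10:40Z", "user": "dr.patel", "ip": "10.20.0.31", "resource": "patient/1003"},
    {"ts": "2024-03-04T09:11:00Z", "user": "dr.patel", "ip": "10.20.0.31", "resource": "patient/1004"},
    {"ts": "2024-03-04T09:11:20Z", "user": "dr.patel", "ip": "10.20.0.31", "resource": "patient/1005"},
    {"ts": "2024-03-04T09:11:40Z", "user": "dr.patel", "ip": "10.20.0.31", "resource": "patient/1006"},
    {"ts": "2024-03-04T22:15:00Z", "user": "rn.alvarez", "ip": "203.0.113.9", "resource": "patient/1001"},
]

# Per-user source addresses considered normal. In practice built from history; constructed here.
KNOWN_IPS = {"rn.alvarez": {"10.20.0.14"}, "dr.patel": {"10.20.0.31"}}

ENUM_WINDOW = timedelta(minutes=5)   # assumed tuning values for this example, not the vendor's
ENUM_THRESHOLD = 5                   # distinct patient records within the window that trigger an alert


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, known_ips):
    """Run both heuristics over the events in chronological order.
    Returns a list of (rule, user, detail, timestamp) tuples."""
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (ts, resource) still inside the window
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        ts, user = parse_ts(e["ts"]), e["user"]

        # Rule 1: source address never seen for this user.
        if e["ip"] not in known_ips.get(user, set()):
            alerts.append(("new_ip", user, e["ip"], e["ts"]))

        # Rule 2: many distinct patient records from one user in a short window.
        q = recent[user]
        q.append((ts, e["resource"]))
        while ts - q[0][0] > ENUM_WINDOW:   # drop events that fell out of the sliding window
            q.popleft()
        distinct = {r for _, r in q if r.startswith("patient/")}
        if len(distinct) >= ENUM_THRESHOLD:
            alerts.append(("bulk_patient_access", user, len(distinct), e["ts"]))
            q.clear()   # one alert per burst; the next burst starts a fresh window
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

The first rule is only as good as its baseline, so a fresh user with no history will fire on every request until one is established; the second rule needs the resource identifier to distinguish patients from ancillary objects such as notes, which is why the sample filters on the `patient/` prefix. Both thresholds should be tuned against real access volumes before they drive real-time paging.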
GlucoWorks LLC executes BAAs with covered entity customers before any PHI is processed. Our standard BAA template is available upon request.
If you discover a security vulnerability in any GlucoWorks product, please contact our security team immediately.
security@gluco-works.com