Privacy, Security, & HIPAA Compliance

We built the Sober Living App on our HIPAA compliant platform.


The three components of a secure cloud software platform.

  1.  Computing Infrastructure

  2.  Application Design

  3.  Best Practices



  • We have implemented the recommendations of National Institute of Standards and Technology (NIST) and Federal Information Processing Standard (FIPS) so our data is encrypted at rest using AES encryption with 256-bit keys.

  • We use the elliptic curve digital signature algorithm (ECDSA) for our digital signatures related to cryptography operations.

  • Transmitted PHI is encrypted using strong TLS (predecessor to SSL) ciphers configured for perfect forward secrecy. Insecure TLS ciphers are disabled per NIST recommendations.

  • Network access to virtual machines is inspected in real time and permanently logged.

  • Network traffic routed within each customer environment travels through an isolated, non-shared subnet.

  • SSH access to application environments is configured per the Center for Internet Security (CIS) benchmark recommendations.

  • Network traffic can be restricted to specific whitelisted IP addresses or VPN connections on a per environment basis.

  • Intrusion attempts are automatically identified and blocked on a per IP address basis for a significant duration of time, mitigating SSH dictionary attacks and other malicious behavior.


  • Our software is hosted on the HIPAA compliant cloud servers of Amazon Web Services.

  • All data stored in the Sober Living app is safe and recoverable, protecting customers against accidental loss or mistakes.

  • Database backups are encrypted and stored in a highly durable storage infrastructure (99.999999999% durability and 99.99% availability).

  • Disk volumes leverage a fault-tolerant, high-availability storage system.

  • Nightly snapshots create a backup of each disk volume.

  • For data integrity purposes, database backups are automatically enabled based on a consistent schedule, sensible rotation, and retention policy.

  • Monthly backups are retained for 6 years by default.


  • Analysis of intrusion detection system data for anomalous activity and system issues

  • Virtual machine filesystems are regularly scanned for file integrity, malware, and rootkits.

  • Audits of firewall rules and IP address whitelists

  • Maintaining base images for Docker containers used in our platform

  • Review of published vulnerabilities and exposures

  • Security patching

Best Practices

  • HIPAA compliance requires a number of best practices to be established and maintained internally at your business.

  • We help you handle that by centralizing your information in the Sober Living App.

User Roles & Permissions 

  • Access control to our system is managed through our user roles.

  • Each employee is assigned a user role when they are added and are governed by permissions.

  • See employees for more information.