Security & Data Ownership
Your data belongs to you.
We don't just protect your data — we believe you own it. Leafjourney is built with security by design and patient data sovereignty at its core.
HIPAA Compliance
Full HIPAA compliance with administrative, physical, and technical safeguards. Business Associate Agreements with all infrastructure partners. Regular security audits and risk assessments.
Encryption at Rest & In Transit
All patient data is encrypted at rest using AES-256 encryption. All communications use TLS 1.3. Database connections are encrypted with SSL certificates.
Access Controls
Role-based access control (RBAC) ensures users only see data relevant to their role. Every access is logged in an immutable audit trail. Multi-factor authentication available for all accounts.
Data Ownership
Your health data is yours — not ours, not AWS's, not anyone else's. You can export your complete medical record at any time. We maintain proprietary ownership controls that ensure your data remains yours even when hosted on cloud infrastructure.
How your data flows
From your hands to ours, never out of your control.
You enter data
Encrypted in your browser before it ever leaves your device.
We secure it
Stored at rest with AES-256, accessed only via scoped, audited roles.
You own it
Export, correct, or delete at any time — no friction, no fine print.
Your rights
Patient Data Bill of Rights
Every patient on Leafjourney has these fundamental data rights.
Right to access
View all of your health data at any time through the patient portal. Complete chart access including notes, labs, messages, assessments, and care plans.
Right to export
Download your complete medical record in standard formats (PDF, CCD/CDA). Print any document directly from the portal.
Right to delete
Request deletion of your data at any time. We comply with applicable state and federal data retention requirements, then permanently remove your information.
Right to correct
Request corrections to any inaccurate information in your medical record. Your care team will review and update accordingly.
Right to restrict
Control who can access your data within the platform. Restrict sharing of specific records, notes, or documents.
Right to portability
Transfer your records to another provider seamlessly via HL7 FHIR interoperability standards. Your data moves with you.
Infrastructure
How we keep your data safe
Hosting
Render (US data centers)
Database
PostgreSQL with encrypted connections
Authentication
Bcrypt-hashed passwords, iron-session cookies
API Security
Server-side validation, CSRF protection, rate limiting
Audit Trail
Immutable event log for all sensitive operations
Backups
Daily automated backups with point-in-time recovery
Monitoring
Real-time alerting for suspicious access patterns
Penetration Testing
Annual third-party security assessments
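The Access Controls section above promises two things that are easy to state and easy to get subtly wrong: role-scoped access (a user sees only the record categories their role permits, and a patient sees only their own chart) and an audit trail that cannot be silently edited after the fact. The following is an added illustration of that pairing, not Leafjourney's code; the role-to-category table, the user and patient identifiers, and the "deny when the role is unknown" default are constructed for the example. The audit log is a hash chain, so every entry commits to the one before it: changing or dropping an earlier entry makes verification fail, which is what makes the log "immutable" in a checkable rather than a rhetorical sense.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed example policy: which chart categories each role may read.
# An unknown role gets no scope at all (fail closed).
ROLE_SCOPES = {
    "patient": {"notes", "labs", "messages", "care_plans"},  # own record only
    "nurse": {"notes", "labs", "care_plans"},
    "billing": {"demographics"},
}

GENESIS = "0" * 64  # previous-hash value for the first entry


@dataclass
class Principal:
    user_id: str
    role: str
    patient_id: Optional[str] = None  # set only for patient accounts


class AuditLog:
    """Append-only, hash-chained event log.

    Each entry stores the hash of the previous entry, so editing,
    reordering, or deleting an earlier entry breaks verify().
    """

    def __init__(self) -> None:
        self.entries: list = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)  # canonical encoding
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            if self._digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(principal: Principal, patient_id: str, category: str,
              log: AuditLog) -> bool:
    """Decide whether principal may read `category` of patient_id's chart.

    Both allow and deny decisions are logged, so a later review can see
    attempted access, not just successful access.
    """
    allowed = category in ROLE_SCOPES.get(principal.role, set())
    if principal.role == "patient":
        # Patients are scoped to their own record, whatever the category.
        allowed = allowed and principal.patient_id == patient_id
    log.append({
        "actor": principal.user_id,
        "role": principal.role,
        "patient": patient_id,
        "category": category,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    print(authorize(Principal("u1", "patient", "p1"), "p1", "labs", log))
    print(authorize(Principal("u1", "patient", "p1"), "p2", "labs", log))
    print(authorize(Principal("u9", "billing"), "p1", "notes", log))
    print("chain intact:", log.verify())
```

The `_digest` helper canonicalises the event with `sort_keys=True` before hashing; without that, two serialisations of the same event could produce different hashes and a legitimate log would fail verification. In a real deployment the chain head would be anchored somewhere the application cannot rewrite (a separate service, a signed checkpoint, or write-once storage), since an attacker who can rewrite the whole list can simply recompute every hash.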