🔒

Infrastructure Security & Data Privacy

Comprehensive overview of our security architecture and data handling practices

What This Means for You

The Simple Version For Healthcare Professionals

  • Your conversations are private: When you ask Aiskyra a question, we don't save your clinical notes, patient details, or any health information outside of your secure conversation history.
  • Conversation history is secure: Your conversation history is stored in Google Cloud SQL servers located in Toronto, Canada with full healthcare compliance (BAA, HIPAA, PHIPA).
  • Canadian data stays in Canada: All your data (conversations, account info) stays on Canadian servers with strict privacy protections.
  • We follow the rules: The partners that handle your data have signed the proper legal agreements required for handling healthcare data.
  • Your data isn't sold: We don't sell your information to anyone, ever. This tool exists to help healthcare professionals, not to make money from your data.

Infrastructure Security & Reliability

Fly.io Current Hosting

  • Ephemeral compute only—no persistent storage of user data or PHI.
  • End-to-end TLS, automated OS/patch updates, network-level DDoS protection.
  • Security Documentation: Fly.io Security

Supabase (Canada) Non-PHI Storage

  • Stores only non-PHI data (e.g. residency flags, account profiles).
  • AES-256 at rest, hosted in Canadian regions on AWS infrastructure.
  • Security Documentation: Supabase Security | AWS Security

Google Cloud SQL (Toronto) Conversation History

  • Conversation History Storage: All conversation history is securely stored using Google Cloud SQL with servers hosted in Toronto, Canada.
  • Business Associate Agreement: Operating under a signed BAA (Business Associate Agreement) ensuring HIPAA and PHIPA compliance.
  • Secure Connections: All database connections use SSL/TLS encryption with Google Cloud Connector for secure communication.
  • Audit Logging: Comprehensive audit logging tracks all database access and modifications for security monitoring.
  • Encryption: Data encrypted both at rest and in transit using:
    • At Rest: AES-256 encryption with Google Cloud KMS–backed keys
    • In Transit: TLS 1.3 with perfect forward secrecy
    • Key Management: Google Cloud KMS with envelope encryption
    • Hardware Security: Keys protected by FIPS 140-2 Level 3 Hardware Security Modules (HSMs)
  • Regional Compliance: Canadian data residency with strict IAM controls and VPC isolation.
  • Security Documentation: Google Cloud Security | GCP HIPAA Compliance

Data Security & Privacy

End-to-End Security Active Protection

  • End-to-end encryption for all user interactions ensures your data is protected from the moment it leaves your device until it reaches our secure servers.
  • All communications use TLS 1.3+ encryption protocols with perfect forward secrecy.
  • Client-side encryption keys are never stored on our servers, maintaining complete privacy of your interactions.

Current State Active

  • Conversation History: Your conversation history is securely stored in Google Cloud SQL hosted in Toronto, Canada with full BAA compliance.
  • No clinical notes or patient identifiers are saved in Aiskyra's systems outside of your secure conversation history.
  • Regional Data Residency: All data stored on Canadian-based secure servers (Google Cloud SQL Toronto, Supabase/AWS Canada).
  • Third-Party Security: OpenAI Security | OpenAI BAA Information

Data Collection & Usage Current Practice

  • Anonymized Logging: Limited to what time a question is asked for quality assurance and platform improvements.
  • Privacy Protection: User activity is not sold or shared with third parties.
  • Platform Purpose: Created for professional education and support.
  • Data Limitation: Only anonymized usage metrics collected to inform tool refinement.

Conversation History Security Current Implementation

  • Google Cloud SQL Implementation: Conversation history is stored in Google Cloud databases specifically designed for healthcare data with all legal protections required by Canadian and US health privacy laws.
  • Canadian Data Residency: All conversation data stays in Canada (Toronto servers) to follow provincial privacy laws and PHIPA requirements.
  • Healthcare Compliance: Full BAA coverage ensures HIPAA and PHIPA compliance for all stored conversation data.

Non-PHI Data Safeguards Supabase Encryption

  • In Transit: TLS 1.2+ with SHA256 certificates (Supabase connections)
  • At Rest: AES-256 encryption via Supabase on AWS infrastructure for account profiles, residency flags, and other non-PHI data
  • BAAs in Place: All third-party vendors operate under signed Business Associate Agreements
  • Data Separation: Non-PHI data (Supabase) is completely separate from conversation history (Google Cloud SQL)

Security Measures

Current Security Practices Active

  • Regular security vulnerability assessments
  • Annual security training for all team members
  • Continuous monitoring of infrastructure security

Contact & Disclosure

Security Contact

  • Security concerns can be reported to: hello@aiskyra.com
  • We take all security vulnerability reports seriously and respond promptly to verified issues