Security safeguards

A patient data platform you can have confidence in

Keeping patient health information secure from end-to-end

Ensure the security of your data connections

Minimize your management of risk strategies and exposure. Redox is hosted on Amazon Web Services (AWS) with a business associate agreement (BAA) in place with Amazon.

  • Databases are 256 bit AES encrypted. Database filesystems are encrypted using AWS managed keys. Encrypted backups are taken nightly and stored in a separate geographic location.
  • Code changes are deployed without any interruption to your traffic as application code runs in Docker containers in the app layer.
  • Applications and databases are redundant across AWS Availability Zones (AZs), so if an outage occurs in one AZ, we failover with minimal interruption to traffic.

You can depend on constant vigilance of data security

Enable health information exchange in a safe and compliant manner without compromising data flow consistency. Redox exceeds industry, HIPAA-compliant, and National Institute of Standards and Technology (NIST) recommended encryption standards to protect your data.

  • Application containers and the Redox database reside in a private subnet, inaccessible from the outside internet. Access is restricted to the application and bastion layers.
  • The Redox API scales to balance traffic across available application instances. Our endpoints receive automatic security updates, and we force HTTPS at the endpoint layer.


SOC2 is an industry-standard, technology service provider report verifying compliance and controls pertaining to Security and Availability. “Type 2” indicates that this is a multi-month, over-time evaluation period for compliance.

Redox is HITRUST certified

The gold standard in health data security. Redox is HITRUST certified and meets the same high standards that the most secure organizations in the world have to meet.

Third-party audits

Redox contracts a number of independent auditing:

We undergo multiple third-party penetration tests yearly, including manual penetration testing on our application as well as internal and external network penetration testing for our infrastructure to identify potential system vulnerabilities. This ensures any security issues are resolved before they have a chance to arise and that data is properly guarded. Code audits are performed regularly to scan our code base and find and address any security vulnerabilities. Intrusion detection is used to monitor all system-level events and escalate any incongruent activity, like a user promoting their privileges or modifying files.

Application connectivity

Between an application and Redox, end-to-end encryption is done to secure all data transmitted over an HTTPS connection. Within the Redox application, we support modern industry OAuth and SAML standards to authenticate applications that send to Redox and to authenticate with applications that receive information from Redox.

We store sensitive credentials as salted and hashed values for an additional layer of security. Redox supports Two-Factor Authentication for all users accessing the Redox Engine Dashboard, and requires it for all personnel with customer support responsibilities to further protect access to PHI.

VPN security

TCP traffic from Health Systems is encrypted via a secure VPN connection. We use an IPsec protocol to ensure all traffic within the VPN is encrypted and authenticated. The VPN is consistently monitored with a heartbeat to ensure the connection remains healthy.

Operational security

Redox staff must comply with Redox’s acceptable-use policy prior to gaining access to any protected systems or data. This includes using strong passwords, encrypting their device, enabling multi-factor authentication on all applicable systems, undergoing security training appropriate to their role, running anti-malware endpoint protection, and running Redox’s device provisioning application.

Learn more about Redox security

Business continuity and issue management

Redox maintains detailed processes in the event of a downtime, ranging from a simple container failure to large-scale regional failure of our AWS host. These scenarios are reviewed and tested regularly for accuracy and training.

Redox also maintains a structured process for identifying, escalating, and responding to security incidents. This process includes guidelines for ensuring containment of at-risk data, controls for system stability and performance, and a notification process if customers are affected.

Want to know more about Redox’s security measures or technology?