Enterprise-grade infrastructure for a synthetic data sandbox — because your customers' security reviews are not synthetic.
Hosted on Google Cloud in us-central1. Postgres behind a VPC with private IPs only. HAPI FHIR server protected by Cloud Run IAM. API tier on Cloud Run with scale-to-zero. Redis for rate limiting and caching. All inter-service traffic stays inside the VPC.
AES-256 at rest on all storage. TLS 1.3 in transit, enforced with HSTS. Auth0 for user authentication with custom domain. OAuth2 + PKCE for SMART on FHIR app launches. Bearer-token API keys for server-to-server access, rotatable at any time.
SOC 2 aligned engineering practices. No PHI ever enters the system — all data is synthetic, generated from Synthea and a Markov module trained on de-identified journey data. Secrets managed through GCP Secret Manager. Audit logs retained. Sentry for error observability.
Questions for your security review? Book a call or read the privacy policy.