Security overview
Ody Health implements a comprehensive security program designed to protect personal information and protected health information (“PHI”) from unauthorized access, loss, misuse, alteration, and disclosure. Our security safeguards include administrative, technical, and physical controls aligned with the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule, industry standards, and applicable regulations.
This policy describes the technical and organizational safeguards we maintain to protect information processed on the Ody Health platform. Security is a shared responsibility. We encourage users to maintain the confidentiality of account credentials, monitor account activity, and report suspected unauthorized access promptly.
Encryption in transit
All data transmitted between your device and Ody Health servers is encrypted using Transport Layer Security (“TLS”) 1.2 or higher. TLS encryption protects the confidentiality and integrity of data as it travels across the internet.
Ody Health operates on Fly.io, a managed hosting platform that provides edge-level TLS termination, certificate management, and renewal through Let’s Encrypt. HTTPS is required for all connections to odyhealth.co, api.odyhealth.co, and app.odyhealth.co. Unencrypted HTTP connections are automatically redirected to HTTPS.
Session cookies are protected with the Secure flag (transmitted only over HTTPS), HttpOnly flag (not accessible to client-side scripts), and SameSite=Lax attribute (mitigating cross-site request forgery attacks) in production environments.
Encryption at rest
Sensitive personal and health information is encrypted at the application layer before being written to the database. Ody Health uses authenticated encryption with XSalsa20-Poly1305 (implemented via libsodium’s crypto_secretbox function), an authenticated encryption with associated data (“AEAD”) cipher. This approach combines a stream cipher (XSalsa20) with message authentication (Poly1305) to provide both confidentiality and integrity protection.
Encrypted fields include personal identifiers (name, phone, date of birth, address), clinical intake responses, laboratory results, clinical assessments, and clinical notes. Each encrypted value is stored with a unique 24-byte nonce and tagged with a key version to support future key rotation. The master encryption key is managed securely and is distinct from database credentials.
In addition to application-layer encryption, Ody Health’s database infrastructure—Fly.io Managed Postgres—provides disk-level encryption at rest. This layered encryption approach ensures that even in the unlikely event of unauthorized physical access to storage media, data remains protected.
Ody Health maintains a key rotation plan and will migrate encryption keys to a centralized key management service as part of ongoing security hardening. Key rotation and key management procedures are documented and regularly reviewed.
Access controls and authentication
Ody Health implements role-based access control (“RBAC”) to ensure that users can access only the information and functions necessary for their role. Patient users are authenticated via passwordless magic links—single-use, time-limited tokens (15-minute TTL) sent to registered email addresses via Resend—eliminating the security risks associated with password storage and reuse.
Upon successful authentication, users receive a session token (JSON Web Token) that grants access only to their own records. All requests are validated to ensure the authenticated user can only read, modify, or delete data belonging to that user. Access to clinical staff, administrative, and system functions is controlled through RBAC with appropriate authentication and authorization checks.
Staff and administrative access to systems is protected by multi-factor authentication (“MFA”) and requires strong authentication credentials. Administrative accounts follow the principle of least privilege, with access limited to the minimum permissions necessary to perform assigned duties.
Session tokens are rotated periodically, and reuse of expired or revoked tokens is detected and prevented. Session termination occurs upon logout, password/credential change, or after extended inactivity, requiring re-authentication to continue using the platform.
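The single-use, 15-minute magic-link flow above, as an added example (not Ody Health's code): only a hash of the token is stored, so a database read does not yield usable links; the storage class and the email hand-off are assumptions.

```python
# Added example: issuing and redeeming passwordless magic-link tokens with a
# 15-minute TTL and single-use enforcement. In-memory storage stands in for the
# database; sending the link by email is out of scope here.
import hashlib
import secrets
from datetime import datetime, timedelta

TTL = timedelta(minutes=15)


class MagicLinks:
    def __init__(self):
        # sha256(token) -> {"email", "expires", "used"}; the raw token is never stored
        self._pending = {}

    def issue(self, email: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy; goes into the email link
        self._pending[self._h(token)] = {"email": email, "expires": now + TTL, "used": False}
        return token

    def redeem(self, token: str, now: datetime):
        """Return the email for a valid token, or None if unknown, expired or used."""
        rec = self._pending.get(self._h(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return None
        rec["used"] = True  # single use: a replayed link is refused
        return rec["email"]

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()
```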
Audit logging and monitoring
Ody Health maintains a comprehensive, append-only audit log that captures all significant security and operational events. The audit log records the actor (user, system, or administrator), the action performed, the target of the action, relevant timestamps, IP address, user agent, and before-and-after states of modified data where applicable.
Logged events include authentication and session management activities, access to or modification of personal or health information, clinical recommendations and assessments, administrative actions, and security-relevant events. The audit log is tamper-evident and is designed to support forensic investigation and compliance verification.
Operational logs are transmitted to Axiom, a secure log management platform, where they are retained and available for review, analysis, and investigation. Logs are structured to facilitate searching and alerting while protecting sensitive information—encryption keys, authentication secrets, and protected health information are never logged.
Audit logs are retained for a minimum of six years in accordance with 45 CFR § 164.530(j) to support HIPAA compliance, legal discovery, and security investigations. Logs are reviewed on a regular basis to identify suspicious activity, unauthorized access attempts, or other security concerns.
Patients may request to review recent entries in their audit history through the application, providing transparency into who has accessed their information and when.
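One way an append-only log can be made tamper-evident, as an added example that is not the platform's implementation: each entry records the fields listed above plus the hash of the previous entry, so any later edit or deletion breaks the chain. The hash-chaining scheme and the record layout are assumptions.

```python
# Added example: hash-chained audit log. Entries carry actor, action, target,
# timestamp, IP, user agent and before/after state, plus the previous entry's hash.
# verify() walks the chain and reports the first entry that no longer matches.
import hashlib
import json


class AuditLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # append-only: no update or delete method is exposed

    def append(self, actor, action, target, ts, ip, user_agent, before=None, after=None):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"actor": actor, "action": action, "target": target, "ts": ts,
                "ip": ip, "user_agent": user_agent, "before": before, "after": after,
                "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so the digest does not depend on dict order
        canon = json.dumps({k: v for k, v in body.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()

    def verify(self):
        """Return the index of the first broken entry, or -1 if the chain is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return -1
```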
Data retention and secure deletion
Ody Health retains personal information and health information for as long as reasonably necessary to provide the platform, maintain your account, support clinical coordination, comply with legal and regulatory obligations, resolve disputes, prevent fraud, enforce agreements, and maintain business and clinical records as required by law.
When a user requests deletion of their account or data, or when Ody Health determines that information is no longer necessary for the purposes for which it was collected, information is securely deleted in accordance with NIST guidelines for media sanitization. Deletion occurs within 60 days of the request or determination, unless longer retention is required by law, regulation, or a legal hold.
Secure deletion involves cryptographic erasure or overwriting of data to ensure it cannot be recovered. Deletion is logged for audit and compliance purposes. Clinical records, prescription records, laboratory records, payment records, and related records maintained by independent providers, pharmacies, laboratories, and other third parties are retained and deleted according to those entities’ own legal and professional obligations, which may exceed Ody Health’s retention periods.
Audit logs and forensic records may be retained longer than the associated user data if required to support ongoing investigations, legal proceedings, or regulatory obligations.
Third-party vendor security and service providers
Ody Health works with service providers and vendors that support the operation of the platform, including cloud infrastructure providers, payment processors, email service providers, job queue systems, log management platforms, and clinical and pharmacy partners. All service providers that process personal information or PHI are required to maintain security safeguards appropriate to the nature of the information they handle.
Service providers that handle PHI on behalf of Ody Health or on behalf of covered health care entities are subject to Business Associate Agreements (“BAAs”) that impose HIPAA Security Rule obligations. Ody Health has executed or is in the process of executing BAAs with all vendors that process PHI, including but not limited to Fly.io (infrastructure), Stripe (payment processing), Resend (email services), and clinical and pharmacy partners.
All service providers are vetted prior to engagement through security questionnaires, review of available security certifications (such as SOC 2 Type II or ISO 27001), and evaluation of contractual security commitments. Ody Health periodically reviews vendor security postures and audit reports to ensure ongoing compliance with security standards.
For the Anthropic Claude recommendation engine, Ody Health implements HIPAA Safe Harbor de-identification standards (45 CFR § 164.514(b)(2)) before transmitting information. Only de-identified information—such as age, sex, clinical measurements, symptoms selected from structured lists, and medication names—is sent to Claude. Personal identifiers (name, address, contact information, payment details) are never transmitted. Because the information is de-identified under HIPAA Safe Harbor, a BAA is not required for this vendor.
Service provider agreements include provisions requiring vendors to maintain administrative, physical, and technical safeguards, implement appropriate access controls, maintain audit logs, notify Ody Health of security incidents, and allow Ody Health to audit compliance as permitted by law.
Identifier guard and de-identification protections
Ody Health implements a defense-in-depth identifier guard system that detects and prevents the transmission of personally identifiable information to external systems (such as AI recommendation engines) where such transmission is not authorized or necessary.
Before any information is transmitted to third-party services, the platform performs pattern matching against known identifier formats (names, full dates of birth, email addresses, phone numbers, medical record numbers, and similar sensitive identifiers). Any detected identifiers are redacted or the transmission is blocked, and the event is logged for security review.
Even if a developer error or system misconfiguration attempts to send unredacted PHI to an external service, the guard provides a technical enforcement point that prevents unauthorized disclosure. The guard is tested regularly and is part of Ody Health’s secure development lifecycle.
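The Safe Harbor payload construction described in the vendor section and the identifier guard described here, together as one added example (not Ody Health's code): the field names, the regular expressions and the audit hand-off are assumptions; the age cap at 90 follows the Safe Harbor rule that ages over 89 are aggregated into a single category.

```python
# Added example: build a de-identified payload for an external recommendation
# engine, then run an outbound identifier guard over it before anything is sent.
import re
from datetime import date

# Identifier formats the guard refuses to transmit (patterns constructed for the demo).
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "full_dob": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,}\b", re.IGNORECASE),
}


def safe_harbor_payload(record: dict, today: date) -> dict:
    """Keep only non-identifying clinical fields; reduce date of birth to an age."""
    dob = date.fromisoformat(record["date_of_birth"])
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return {
        "age": min(age, 90),  # ages over 89 collapse into a single 90+ bucket
        "sex": record["sex"],
        "measurements": record["measurements"],
        "symptoms": record["symptoms"],  # codes chosen from a structured list
        "medications": record["medications"],
    }


def scan_identifiers(payload) -> list:
    """Walk every string in the payload and return the identifier kinds found."""
    hits = set()

    def walk(v):
        if isinstance(v, dict):
            for x in v.values():
                walk(x)
        elif isinstance(v, list):
            for x in v:
                walk(x)
        elif isinstance(v, str):
            hits.update(k for k, pat in IDENTIFIER_PATTERNS.items() if pat.search(v))

    walk(payload)
    return sorted(hits)


def guarded_send(payload: dict, audit: list) -> bool:
    """Block the transmission and record an audit event if any identifier is present."""
    found = scan_identifiers(payload)
    if found:
        audit.append({"event": "identifier_guard_block", "kinds": found})
        return False
    return True  # the caller may now hand the payload to the external client
```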
Incident response and breach notification
Ody Health maintains a documented Incident Response Plan that establishes procedures for detecting, responding to, investigating, and reporting security incidents, including unauthorized access, data breaches, system compromises, and other security events.
Upon discovery of a security incident, Ody Health initiates an immediate investigation to determine the nature, scope, and impact of the incident. Investigation procedures include preservation of audit logs and forensic evidence, analysis of system logs and access patterns, assessment of the information involved, and coordination with relevant parties (affected users, independent providers, law enforcement, or regulators as appropriate).
For incidents involving unauthorized access to or disclosure of unsecured PHI, Ody Health provides notification to affected individuals in accordance with HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) and applicable state and federal privacy laws. Notification occurs without unreasonable delay and no later than 60 calendar days after discovery of the breach.
Breach notification communications include a clear description of the incident, information about what PHI was involved, steps affected individuals should take to protect themselves, and information about Ody Health’s investigation and remediation efforts. Notifications are sent to the affected individual’s registered email address or mailing address.
Ody Health also notifies the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) as required by law if a breach affects more than 500 residents of a state or territory. Notification to OCR occurs without unreasonable delay and includes a summary of the breach and remediation efforts.
Ody Health maintains documentation of all security incidents, including the date, nature, scope, remediation actions, and outcomes. This documentation supports root-cause analysis, continuous improvement of security controls, and compliance verification.
Vulnerability management and patching
Ody Health maintains a vulnerability management program that includes identification, assessment, and remediation of security vulnerabilities in its systems, applications, and dependencies.
Application and system dependencies are regularly reviewed for known vulnerabilities. Security updates and patches are applied to systems and software in a timely manner based on the severity of the vulnerability and the criticality of the affected system. Critical security vulnerabilities are addressed within 30 days; high-severity vulnerabilities are addressed within 60 days; and other vulnerabilities are addressed as part of regular maintenance cycles.
Ody Health conducts periodic security assessments, including code reviews, vulnerability scanning, and security testing, to identify potential weaknesses. The results of these assessments are used to prioritize remediation efforts and improve the security posture of the platform.
Third-party security research is welcomed through a responsible disclosure process. Security researchers can report potential vulnerabilities to security@odyhealth.co, and Ody Health commits to acknowledging reports within 48 hours and providing regular updates on remediation progress.
Secure development practices
Ody Health follows secure development practices throughout the software development lifecycle. Development guidelines include secure coding practices, input validation, output encoding, parameterized queries to prevent injection attacks, and secure handling of secrets and credentials.
Code changes are reviewed before deployment to production, with particular attention to security implications. Secrets (encryption keys, authentication tokens, API credentials) are stored in secure configuration management and are never committed to version control systems or logged.
Infrastructure and deployment processes are documented and controlled. Changes to production systems are tracked, authorized, and logged for audit purposes. Deployment requires appropriate approvals before proceeding to production.
Compliance standards and certifications
Ody Health is designed and operated in accordance with HIPAA Security Rule requirements (45 CFR Parts 160 and 164) to the extent Ody Health is a Business Associate or otherwise obligated to comply with HIPAA. Ody Health implements administrative, physical, and technical safeguards as required by the Security Rule.
Ody Health is committed to obtaining and maintaining recognized security certifications and assessments, such as SOC 2 Type II certification, to demonstrate compliance with security and privacy standards. Certification timelines and security assessment roadmaps are maintained and reviewed regularly.
The platform is designed to support compliance with applicable state and federal privacy laws, including the Health Insurance Portability and Accountability Act, state breach notification laws, and emerging privacy regulations. Additional details about specific privacy rights and requirements are provided in the Privacy Policy and HIPAA Notice of Privacy Practices.
User security responsibilities
While Ody Health implements comprehensive security safeguards, security is a shared responsibility. Users are responsible for maintaining the confidentiality of their account credentials, including email addresses and authentication tokens.
Users should not share their account with others, should log out when using shared or public devices, and should monitor their account for unauthorized activity. If a user suspects their account has been accessed without authorization or if they believe their credentials have been compromised, they should contact Ody Health immediately at security@odyhealth.co or info@odyhealth.co.
Users should access Ody Health only through official channels (odyhealth.co and official applications) and should be cautious of phishing attempts or fraudulent communications that request personal information. Ody Health will never request passwords or sensitive information via email or unsolicited communications.
Security contact
Questions or concerns about data security, encryption, or potential security vulnerabilities may be reported to:
Ody Health
Attn: Security
1309 Coffeen Avenue STE 1200
Sheridan, Wyoming 82801
Email: security@odyhealth.co
For general inquiries, contact info@odyhealth.co.