Skip to main content

Trust

Security

How recordings and accounts are protected, and what we have not finished yet.

Internal beta: synthetic and explicitly-consented test data only.

Articarry is in a private beta. The text below describes how the product is engineered and how it intends to handle data. Use with real patient audio requires BAA-covered infrastructure and a legal review of this text; both are gates between this beta and any wider use.

What we do today

  • TLS everywhere. Every connection to articarry.com and the audio endpoints is HTTPS; HTTP requests redirect.
  • Audio is opaque-keyed; no PHI in URLs. Recordings are addressed in the database by integer primary key, never by a path that could leak a child's name or any other identifying string. The storage layer hashes the input key before writing the blob, so even a careless caller can't embed a name in the storage path.
  • Audio is owner-gated. A recording's audio is fetched only when an authenticated and authorised clinician explicitly plays it. The audio endpoint is role-gated (clinician only), owner-gated (the clinician must own the recording's enrollment), and sets Cache-Control: no-store so the bytes are never written to a shared or disk cache.
  • Passwords are hashed. Django's default PBKDF2 hasher with the framework's salt pipeline. Plaintext is never persisted.
  • The consent gate is server-enforced. A Recording cannot be created without an active ConsentRecord for the (child, clinician) pair. The client-side check is UX only; the server is the authority.
  • Object-level access control. Every clinician-addressable view resolves the object through a 403-or-404 owner check. A clinician can never reach another clinician's caseload by guessing a URL.
  • An audit log. Every clinician view of a Recording diagnostic, every audio stream, every consent grant, every account deletion, and every nightly retention sweep writes one row to an append-only audit log. A future compliance team can read it.
  • No PHI in logs. Application logs are configured to omit child names + audio references; URLs use integer primary keys throughout; error messages name action types, never content. A test scans the codebase to keep it that way.
  • Audio retention is bounded. The retention sweep removes audio blobs older than 180 days, preserving only the metadata + the scoring response so the dashboard's history stays truthful.
  • Secrets through environment variables. No secret material is checked into source control. The CI pipeline scans the changeset for token shapes on every push.

What we have not finished yet

  • A signed BAA with the hosting provider. The free-tier stack the internal beta runs on does not sign BAAs at this tier; moving to BAA-covered infrastructure is one of the gates between this beta and any real-patient use.
  • A formal SOC 2 attestation. The engineering posture above is in line with the SOC 2 common-criteria controls, but no audit has been performed.
  • Customer-managed encryption keys. At-rest encryption today is the hosting provider's default. A clinic-bring-your-own-KMS path is a post-beta item.
  • An independent penetration test. A scoped pen-test is on the roadmap before any wider release.

Reporting a vulnerability

Security disclosures by email to security@articarry.com. We acknowledge in writing within two business days and credit the reporter on request once a fix has shipped.

Last updated: 2026-05-25.