Data at rest
AES-256-GCM
Every user gets their own 256-bit Data Encryption Key. PHI is encrypted with that key before it leaves the device. The admin console only sees ciphertext.
src:PHIEncryptionService.swift:200
Leo / Security
Encryption you can name.
Per-user AES-256-GCM at rest. P-256 ECDH + HKDF-SHA-256 for sharing. Certificate pinning on every connection. Every algorithm cited, every claim verifiable in the source. HIPAA-ready; BAA with Google Cloud in progress.
Verified against the iOS source · 2026
Cert pinningAES-256-GCMP-256 ECDHCloud KMS HSMHIPAA · coming soon
01 · The stack
Four algorithms, named.
We don't use the words “military-grade” or “bank-level” on this page. Every layer of Leo's cryptography has a specific algorithm name and a specific source file. Here are the four that matter.
Sharing
P-256 ECDH + HKDF-SHA-256
When you share data with a parent, caregiver, partner, provider, or nurse, your DEK is delivered to their device encrypted with their public key. The server never sees the unwrapped key.
src:PHIEncryptionService.swift:585
Key wrapping
Google Cloud KMS · HSM-backed
Every DEK is itself wrapped by Google Cloud KMS hardware security modules. The wrapped key is what we store; the unwrapped key only ever exists in your device's secure enclave.
src:functions/src/security/userKeyService.js:158
Transport
Certificate pinning · TLS 1.2+
Every connection to Firebase, Google APIs, and Stripe is verified against a SHA-256 hash of the expected public key. Non-pinned domains are rejected at the URLSession layer.
src:CertificatePinningService.swift:67
02 · What's encrypted
Twenty-three+ collections. Field by field.
Field-level encryption — not just “at-rest by the cloud provider”. The PHI fields below are encrypted on your device with your DEK before they ever touch Firestore. Queryable metadata (dates, IDs, types) stays plaintext so the app can still work, but the body of every entry is ciphertext on the wire.
Medications & Doses
medicationsdoseLogsprnMedicationsprnDoseLogs
Medication names, dosage notes, prescriber notes, scheduling context, free-text on the log itself.
Vitals & Body Signals
vitalSignshealthEvents
Any contextual notes attached to readings; classification strings on flagged events.
Journal & Mental Health
journalEntriessleepJournalemotionLogsmentalHealthSymptomsleoConversations
Title, content, mood, tags, prompts, free-text journal body. Saved Leo conversations on both sides.
Clinical Records
clinicalNotestreatmentPlansassessmentResponseslabReportslabValues
Note content, assessment text, plan text, lab values and contextual annotations, free-text answers.
Symptoms & Flares
symptomLogsflareUpshealthLogs
Symptom descriptions, free-text observations, flare narrative, severity notes.
Sleep
sleepDatasleepRecords
Sleep notes, contextual annotations, dream/journal entries when attached.
The shape of it
Twenty-three-plus collection types with per-field encryption mapping. Encrypted-on-write, decrypted-on-read transparently — your view models never see plaintext on the wire, and the admin console never sees plaintext at all. src:EncryptedFieldHelper.swift:18-85
03 · Access control
Who unlocks what, and when.
Biometric or PIN at app open
Face ID, Touch ID, or a secure PIN — whichever you set. Failed-attempt lockout triggers after 5 tries with a 5-minute cooldown. (One factor with two methods — we don't call this MFA.)
src:LeoSecurityService.swift:399
Five-minute session timeout
The UI locks itself after 5 minutes of inactivity. Tighter than typical HIPAA Security Rule guidance, and tuned for a phone you actually leave on the counter.
src:LeoSecurityService.swift:43
Per-link permissions
Every shared link — parent, caregiver, partner, healthcare provider, school nurse — gets its own per-role permission set, granted by the patient. Toggle anything on or off at any time.
src:FamilyRelationships.swift:93
Revocation cuts off decryption
The moment a link is revoked, the cached DEK on the other party's device is cleared and Firestore rules block the grant. They keep whatever they already saw, but the stream stops.
src:PHIEncryptionService.swift:397
Append-only audit log
Every access to PHI is written to an audit log. Firestore rules block updates and deletes — once a record exists, it can't be modified or quietly removed. (See §05 for the honest caveat about cryptographic chaining.)
src:HIPAAAuditService.swift
04 · Where we are on compliance
Three honest standings.
Compliance is a legal status, not an architectural one. Leo is not HIPAA-compliant today — we are HIPAA-ready, with the BAA still pending. Below are the only three compliance claims you'll find on this site, each phrased honestly.
Coming soon
HIPAA
Built to HIPAA Security Rule technical safeguards (§164.312). BAA with Google Cloud in progress. We don't claim HIPAA compliance until that BAA is executed and we've completed a third-party assessment.
Posture statement
GDPR-ready architecture
Per-user encryption, transparent data export, deletion-on-request, EU data-residency-aware infrastructure. Not a formal certification — a stated posture about how the system is designed.
Roadmap
SOC 2 Type I
On the near-term roadmap. We're building the documentation, controls, and audit trail a Type I audit requires before engaging a CPA firm.
WHAT YOU WON'T FIND HEREClaims of HITRUST CSF, ISO 27001, FedRAMP, NIST 800-53, or 21 CFR Part 11 compliance. None of those are realistic for a private-beta health app today, and overclaiming by ambition is still overclaiming. If the day comes when one of them is real, it'll show up here with a date and an auditor's name attached.
05 · Our principles
Three sentences, taped to the wall.
01 / Principle
The patient owns the keys.
Your DEK lives in your Keychain. Nothing leaves your device without being encrypted with a key only you — or someone you share with — can open. We can't read your data even if we wanted to. Neither can a leaked database.
02 / Principle
On-device math.
The ten engines documented at /engines run on your phone. No PHI ever leaves your device for analysis. Cloud Firestore stores ciphertext only; Cloud Functions touch ciphertext too, except for the wrapped-key flow.
03 / Principle
What's not built yet is named here, not hidden.
Today the audit log is append-only, made immutable by Firestore rules. A real SHA-256 cryptographic hash-chain on every audit entry is on the near-term roadmap; when it ships we'll cite the code. Until then, “append-only, immutable by rules” is what's true.
Security questions
We'd rather answer questions than ship slogans.