We're using free cloud resources which also host our internal collaboration infra; it's definitely underpowered.
> considering this is hospital data
To be clear, our first target audience is research data collection, which is consented, so that's not immediately an issue. However, we don't store Personally Identifying Data (PID) in the current design, instead hashing all ID data. Our institution and local laws are very happy with that. We aim for compliance with other statutes going forward.
We are a research-funded group in Canada, so GDPR and HIPAA compliance was not something we initially considered. Going forward, this is something that we will be prioritizing, since we are looking at potentially offering this as a cloud service (separate from our research team).
Have you done an independent security review of these features? What's your CRS score? Do you have a CVE fix SLA in place? All these features are good if this was a 2000 website, but a single vulnerability in any one of the vendors of your tech stack will compromise your users.
Server-side encryption is handled using the Go standard library. A more detailed breakdown of the process can be found in the Help Center. TLDR: It's reputable, and best practices are followed through cryptographically secure generation, random IV, high-entropy keys, memory-hard hashing, etc.
Paste end to end encryption uses the native window crypto subtle API, widely used and reputable.
Coming from cyber security, one thing I have learnt is that no matter how many layers of security you add, nothing is foolproof. I would strongly recommend doing an independent review and getting, if not an international certification like ISO or GDPR, then something domestic. I like what Mozilla does: https://www.mozilla.org/en-US/security/advisories/. This really will enforce trust in your users, as today it's really hard to trust websites.
Every time I hear about this company or its leaders it gives me very bad vibes; they are nothing but a company of despos who make a living selling people's privacy.