
Security & privacy engineering

How we protect your lab report.

An accessible summary of our security posture — encryption, retention, access control, audit trails, and how to report a vulnerability.

Data flow

When you upload a lab report:

  1. The file is transmitted over TLS 1.3 to our US infrastructure.
  2. It is processed in encrypted memory — never written to a disk in plaintext.
  3. Once the analysis is delivered, the original file is deleted from memory within minutes.
  4. If you have opted in to trend tracking, the parsed numeric values are retained — never the original file — encrypted at rest with per-account keys.
  5. You can delete all stored data at any time from your account settings, or by emailing [email protected].

Encryption

  • In transit: TLS 1.3 with strong ciphers only. HSTS preloaded.
  • At rest: AES-256-GCM with per-account key derivation. Master keys held in a hardware security module.
  • In memory: Encrypted memory regions during processing; secure delete after delivery.
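The data-flow steps and the encryption bullets above describe envelope-style at-rest protection: a master key that stays in an HSM, a per-account key derived from it, AES-256-GCM over the parsed numeric values, and plaintext that is wiped from memory once the result is delivered. The program below is an added illustration of that design and is not blood-test.life's own code; it assumes a standard-library-only Go build, stands in for the HSM with a constructed master key (in production the derivation or key wrap would happen inside the HSM and the raw master key would never reach application memory), and uses a constructed sample record. The account ID is fed into HKDF so every account gets a distinct key, and it is also bound as GCM associated data so a ciphertext copied between accounts fails authentication rather than decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hkdfSHA256 derives a 32-byte key from ikm with HKDF (RFC 5869)
// extract-then-expand, written directly on crypto/hmac so this example
// needs nothing outside the standard library.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	exp := hmac.New(sha256.New, prk)
	exp.Write(info)
	exp.Write([]byte{0x01}) // T(1): one 32-byte block is all AES-256 needs
	return exp.Sum(nil)
}

// accountKey derives the per-account data-encryption key. The account ID
// goes into the HKDF info field so no two accounts share a key; the salt is
// a fixed application label (hypothetical value).
func accountKey(master []byte, accountID string) []byte {
	return hkdfSHA256(master, []byte("blood-test.life/at-rest/v1"), []byte("account:"+accountID))
}

func newGCM(master []byte, accountID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(accountKey(master, accountID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealValues encrypts one account's parsed numeric values with AES-256-GCM.
// The stored record is nonce || ciphertext || tag; the account ID is bound
// as associated data so the record cannot be silently moved to another account.
func sealValues(master []byte, accountID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(master, accountID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(accountID)), nil
}

// openValues reverses sealValues; a wrong account (wrong key and wrong AAD)
// yields an authentication error, never garbage plaintext.
func openValues(master []byte, accountID string, record []byte) ([]byte, error) {
	gcm, err := newGCM(master, accountID)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(accountID))
}

// wipe overwrites a plaintext buffer once it is no longer needed, the
// in-memory counterpart of "deleted from memory after delivery". The Go
// runtime may already have copied the bytes, so this is best effort.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// demoMasterKey stands in for the HSM-held master key. Constructed value.
func demoMasterKey() []byte {
	k := sha256.Sum256([]byte("constructed demo master key - not a real secret"))
	return k[:]
}

func main() {
	master := demoMasterKey()
	parsed := []byte(`{"hemoglobin_g_dl":13.9,"ferritin_ng_ml":42}`) // constructed sample
	rec, err := sealValues(master, "acct-1001", parsed)
	if err != nil {
		panic(err)
	}
	wipe(parsed) // plaintext is gone; only the sealed record remains
	back, err := openValues(master, "acct-1001", rec)
	fmt.Println(string(back), err)
	_, err = openValues(master, "acct-2002", rec)
	fmt.Println("other account:", err) // authentication failure, as intended
}
```

Deriving keys rather than storing one key per account keeps the key inventory to a single HSM-resident master key, and rotating that master key re-derives every account key; the trade-off is that deleting a single account's data has to be done by deleting the records, since the account key can always be re-derived.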

Access control

  • Least-privilege access for every employee. Background checks for any role with production data access.
  • SSO with MFA enforced for all internal systems.
  • Production access is logged, reviewed quarterly, and revoked automatically on role change.
  • Customer health data is never accessed by employees unless the customer explicitly requests support and consents to access.

Retention

  • Original lab report file: deleted within minutes of report delivery. With trend tracking opt-in, only the parsed numeric values are kept, never the file itself.
  • Parsed numeric values (trend tracking opt-in): retained until you delete them.
  • Account-level metadata: retained while account is active; deleted within 30 days of account closure.
  • Server logs: 90 days, no PHI included.

HIPAA alignment

blood-test.life is primarily a direct-to-consumer product, but we operate to HIPAA-aligned privacy and security standards. We sign Business Associate Agreements (BAAs) on request with covered entities. See the full HIPAA Notice of Privacy Practices.

Subprocessors

We use a minimal set of vetted subprocessors for cloud hosting, payment processing, and email delivery. None of our subprocessors process customer health data outside of our encrypted processing pipeline. The current subprocessor list is available on request.

Audits

We are pursuing SOC 2 Type II certification (expected H2 2026). Penetration testing is conducted twice yearly by an independent firm. Findings are remediated within agreed timelines and re-tested.

AI training and data use

We do not train AI models on user-uploaded data — ever. The narrative model is trained on curated, de-identified medical writing reviewed by our medical board. User reports never enter the training pipeline.

Reporting a vulnerability

If you believe you have found a security vulnerability in blood-test.life:

  • Email [email protected] with as much detail as possible.
  • Do not publicly disclose until we have had a reasonable time to respond and remediate (we aim for 90 days).
  • We will acknowledge receipt within 2 business days.
  • We do not currently run a paid bug-bounty program, but we publicly credit researchers who report valid issues and provide a security swag pack.

Our security.txt is published at /.well-known/security.txt.