Security

How Rōvn protects nurse and hospital data

Rōvn is verified direct healthcare hiring infrastructure. We treat nurse credential data, packet contents, and hospital workflow data as sensitive by default. This page describes the controls in place today and the controls we are formalizing as we expand into production PHI workloads.

Cloud foundation

AWS BAA accepted

Rōvn operates on a HIPAA-eligible AWS account in us-east-2. AWS has accepted Rōvn's Business Associate Addendum. Workloads are deployed inside a private VPC with private subnets, controlled security groups, and no direct public exposure of data plane resources.

Encryption at rest

RDS PostgreSQL (rovn-prod-phi-postgres) is encrypted with a customer-managed KMS key under alias alias/rovn-phi. Evidence vault S3 bucket is encrypted and blocks public access. EBS encryption-by-default is enabled at the account level.

Encryption in transit

All public surfaces use TLS. Internal service-to-service traffic stays inside the VPC and is restricted by security group.

Audit logging

CloudTrail is enabled account-wide with a hardened trail bucket. Application packet-release events are written as signed audit records (Ed25519). Hash-chained evidence events are retained in the evidence vault.

Threat detection

GuardDuty and AWS Security Hub are enabled. KMS key rotation is enabled. Account budget alerts are configured.

Backups and recovery

AWS Backup vault retains automated backups of the PHI database. A point-in-time restore drill has been performed; evidence is stored in s3://rovn-phi-evidence-vault-559849758760-us-east-2/restore-drill/evidence/.

Access control

AWS Identity Center is the entry point for human access. Founders have admin group access. Production workload secrets migrate to AWS Secrets Manager / SSM Parameter Store as they move from build to live.

Application controls

Nurse-owned consent. A credential packet is not released to a hospital without an explicit consent event from the nurse.
Minimum-necessary. Hospitals see only the role-relevant fields they need to make a hiring decision.
Signed events. Packet creation, consent grant, packet release, and revocation are written as signed audit records.
Primary-source verification. Credentialing data is reconciled against primary sources where available (NPDB, Nursys e-Notify, OIG, SAM).
NPDB registration. Rōvn is a registered NPDB entity, DBID 399700000147857.

What we are formalizing

Rōvn has a HIPAA-eligible AWS foundation. Rōvn is not yet a fully attested HIPAA-compliant operating company. We are actively executing the formal program below before connecting any production traffic to PHI:

Formal HIPAA Security Risk Assessment.
Vendor BAA / DPA inventory and signed agreements with all sub-processors.
Formal policy adoption and workforce acknowledgements.
Documented access reviews and incident response tabletop.
Production application image review prior to enabling the ECS service.
Runtime secrets fully migrated into Secrets Manager / SSM.

Reporting a security issue

Send a description and reproduction steps to security@rovn.to. Please do not include real PHI in the report.

Last updated 2026-04-25.