Specifically how we keep your data safe.
Encryption, access control, infrastructure, incident response — the actual specifics, not just the word “encryption.”
Heel stores sensitive financial and medical information about your pet. We take that responsibility seriously and want to be specific about how — not just hand-wave with the word “encryption.”
1. Encryption
All data at rest is encrypted using AES-256. Data in transit between your device and our servers is encrypted using TLS 1.2 or higher; modern browsers and the Heel mobile clients negotiate TLS 1.3 where available.
Database-level encryption keys are managed by AWS Key Management Service (KMS) and rotated every 90 days. Document storage uses per-object envelope encryption: each stored document is encrypted under its own data key, and that data key is in turn encrypted under a KMS-managed key, so compromising one object's key exposes only that object.
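What per-object envelope encryption looks like in code, as an added example (this is not Heel's code): a fresh AES-256-GCM data key (DEK) per document, wrapped under a key-encryption key (KEK), with the object ID bound into both layers as associated data. The local KEK byte slice is a stand-in for a KMS key, which in AWS never leaves the service; the object ID, sample plaintext and function names are constructed for the example. Rewrap shows why rotating the KEK does not require re-encrypting every document.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// KEK is a local stand-in for the KMS-held key-encryption key (assumption: in production the raw key never leaves the KMS).
type KEK struct{ Key []byte }

// EncryptedObject is the stored form: document under its own DEK, DEK under the KEK, ObjectID bound into both as GCM AAD.
type EncryptedObject struct {
	ObjectID   string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, document)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize()) // fresh random nonce per seal; output is nonce||ciphertext||tag
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to ciphertext, tag or associated data is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// EncryptObject: one-off 256-bit DEK per object, document under the DEK, DEK under the KEK.
func EncryptObject(kek *KEK, objectID string, plaintext []byte) (*EncryptedObject, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek.Key, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{ObjectID: objectID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptObject unwraps the DEK first (the KMS call in production), then the document.
func DecryptObject(kek *KEK, obj *EncryptedObject) ([]byte, error) {
	dek, err := open(kek.Key, obj.WrappedDEK, []byte(obj.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(obj.ObjectID))
}

// Rewrap re-wraps only the DEK under a new KEK; the document ciphertext is untouched.
func Rewrap(oldKEK, newKEK *KEK, obj *EncryptedObject) error {
	dek, err := open(oldKEK.Key, obj.WrappedDEK, []byte(obj.ObjectID))
	if err != nil {
		return err
	}
	obj.WrappedDEK, err = seal(newKEK.Key, dek, []byte(obj.ObjectID))
	return err
}

func main() {
	k, _ := randomBytes(32)
	obj, _ := EncryptObject(&KEK{Key: k}, "eob/2024/0001", []byte("constructed sample: claim total $412.50"))
	pt, err := DecryptObject(&KEK{Key: k}, obj)
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

Because the KEK only ever encrypts 32-byte data keys, rotating it means re-wrapping those keys, not re-encrypting documents. With AWS KMS automatic rotation the service also keeps earlier key material, so DEKs wrapped before a rotation still unwrap; a Rewrap pass like the one above is only needed if every stored object must sit under the current material.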
2. Access control
Heel operational staff don't have casual access to your data. To view a specific account's contents for support purposes:
- You must explicitly grant access from your settings, or actively be in a support thread with us.
- Access is time-bounded (defaults to one hour, never more than 24).
- Every access event is logged immutably and reviewable by you in Settings → Security → Access log.
Background jobs that operate on your data (auto-reading, EOB matching, indexing) run on hardened servers with no human shell access in production.
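One way to implement the time-bounded grants and the reviewable access log described above, as an added example (not Heel's code): grant durations are clamped to the one-hour default and the 24-hour ceiling, every support read passes through one Authorize check, and both allowed and denied attempts land in a hash-chained log whose Verify method detects an edited or dropped entry. A hash chain is one way to get the tamper evidence the page calls an immutable log; whether Heel uses this or a write-once store is an assumption, and the account, staff and action identifiers are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

const (
	DefaultGrant = time.Hour      // when no duration is requested
	MaxGrant     = 24 * time.Hour // hard ceiling, whatever is requested
)

// Grant is a user's explicit, time-bounded permission for one staff member to view one account.
type Grant struct {
	AccountID, StaffID  string
	IssuedAt, ExpiresAt time.Time
}

// NewGrant clamps the requested duration into [DefaultGrant, MaxGrant].
func NewGrant(accountID, staffID string, requested time.Duration, now time.Time) Grant {
	d := requested
	if d <= 0 {
		d = DefaultGrant
	}
	if d > MaxGrant {
		d = MaxGrant
	}
	return Grant{AccountID: accountID, StaffID: staffID, IssuedAt: now, ExpiresAt: now.Add(d)}
}

// AccessEntry is one line of the access log. PrevHash ties each entry to the one
// before it, so editing or dropping any entry breaks every later hash.
type AccessEntry struct {
	At                 time.Time
	StaffID, AccountID string
	Action             string
	Allowed            bool
	PrevHash, Hash     string
}

type AccessLog struct{ Entries []AccessEntry }

func hashEntry(e AccessEntry) string {
	line := fmt.Sprintf("%s|%s|%s|%s|%t|%s",
		e.At.UTC().Format(time.RFC3339Nano), e.StaffID, e.AccountID, e.Action, e.Allowed, e.PrevHash)
	sum := sha256.Sum256([]byte(line))
	return hex.EncodeToString(sum[:])
}

func (l *AccessLog) record(e AccessEntry) {
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	e.Hash = hashEntry(e)
	l.Entries = append(l.Entries, e)
}

// Verify recomputes the chain and reports the first entry that does not fit.
func (l *AccessLog) Verify() error {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || hashEntry(e) != e.Hash {
			return fmt.Errorf("access log entry %d fails chain check", i)
		}
		prev = e.Hash
	}
	return nil
}

// Authorize is the check every support read passes through: the grant must name
// this staff member and this account and still be in force. Denied attempts are
// logged too, so the account owner sees them as well.
func Authorize(g Grant, staffID, accountID, action string, now time.Time, alog *AccessLog) error {
	allowed := g.StaffID == staffID && g.AccountID == accountID &&
		!now.Before(g.IssuedAt) && now.Before(g.ExpiresAt)
	alog.record(AccessEntry{At: now, StaffID: staffID, AccountID: accountID, Action: action, Allowed: allowed})
	if !allowed {
		return errors.New("access denied: no grant in force")
	}
	return nil
}

func main() {
	now := time.Now()
	g := NewGrant("acct-1", "staff-7", 0, now) // constructed identifiers
	var alog AccessLog
	fmt.Println(Authorize(g, "staff-7", "acct-1", "view-claims", now.Add(30*time.Minute), &alog), alog.Verify())
}
```

A chain like this only proves tampering relative to its latest hash, so that head hash has to live somewhere the application cannot rewrite (a write-once bucket, or a periodically signed checkpoint); otherwise an attacker with write access could simply rebuild the whole chain.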
3. Authentication
Account login is protected by:
- Strong password requirements — minimum 8 characters, with breached-password screening against the Have I Been Pwned database.
- Optional two-factor authentication via TOTP (Google Authenticator, 1Password, Authy, etc.). Strongly recommended; required for any account holding more than $5,000/year of reimbursement activity.
- OAuth sign-in via Google or Apple, if you prefer not to manage a password at all.
- Session security — sessions expire after 30 days of inactivity. You can sign out of all devices remotely from settings.
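Two of the checks above in working code, as an added example (not Heel's code): breached-password screening through the Have I Been Pwned range API, which sends only the first five hex characters of the password's SHA-1 so the password never leaves the server, and RFC 6238 TOTP verification with a one-step skew window and replay protection. The RangeFetcher is a stand-in for the HTTP call; that Heel uses the range API rather than some other HIBP integration is an assumption. The test feeds it a constructed range response containing the well-known SHA-1 of "password", and checks TOTP against the RFC 6238 test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// RangeFetcher returns the body of a Have I Been Pwned range query for a five-character
// SHA-1 prefix: one "SUFFIX:COUNT" line per breached hash. The live endpoint is
// https://api.pwnedpasswords.com/range/{prefix}; the test substitutes a constructed response.
type RangeFetcher func(prefix string) (string, error)

// BreachCount reports how often a password appears in HIBP; only the 5-char prefix is sent, the suffix match is local.
func BreachCount(password string, fetch RangeFetcher) (int, error) {
	sum := sha1.Sum([]byte(password))
	digest := strings.ToUpper(hex.EncodeToString(sum[:]))
	prefix, suffix := digest[:5], digest[5:]
	body, err := fetch(prefix)
	if err != nil {
		return 0, err
	}
	for _, line := range strings.Split(body, "\n") {
		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(parts) == 2 && strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, nil
}

// PasswordAcceptable is the page's rule: at least 8 characters and never seen in a breach.
func PasswordAcceptable(password string, fetch RangeFetcher) (bool, error) {
	if len([]rune(password)) < 8 {
		return false, nil
	}
	n, err := BreachCount(password, fetch)
	return err == nil && n == 0, err
}

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

func decodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(strings.TrimRight(b32, "="), " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// TOTPCode is RFC 6238 with the defaults authenticator apps use: 30 s steps, 6 digits, SHA-1.
func TOTPCode(b32Secret string, at time.Time) (string, error) {
	secret, err := decodeSecret(b32Secret)
	if err != nil {
		return "", err
	}
	return hotp(secret, uint64(at.Unix()/30), 6), nil
}

// VerifyTOTP accepts the current step or one either side (clock skew), compares in constant time,
// and refuses any step at or before lastUsedStep so a captured code cannot be replayed in its window.
func VerifyTOTP(b32Secret, code string, at time.Time, lastUsedStep int64) (bool, int64, error) {
	secret, err := decodeSecret(b32Secret)
	if err != nil {
		return false, 0, err
	}
	step := at.Unix() / 30
	for _, s := range []int64{step, step - 1, step + 1} {
		if s <= lastUsedStep {
			continue
		}
		if hmac.Equal([]byte(hotp(secret, uint64(s), 6)), []byte(code)) {
			return true, s, nil // caller persists s as the new lastUsedStep
		}
	}
	return false, 0, nil
}

func main() {
	code, _ := TOTPCode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", time.Unix(59, 0))
	fmt.Println(code) // RFC 6238 test vector: 287082
}
```

The replay guard is the part most home-grown TOTP checks miss: without persisting the last accepted step, a code phished or shoulder-surfed seconds ago is still valid for the rest of its window.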
4. Infrastructure
Heel runs on AWS, primarily in the us-east-1 region. We use:
- Private VPC networking; no database is exposed to the public internet.
- Web Application Firewall on all public endpoints.
- Automated dependency vulnerability scanning, with high-severity patches deployed within 72 hours.
- Off-site, encrypted backups taken every 6 hours, retained for 30 days.
5. Payments
All payment processing is handled by Stripe. We never see, store, or have access to your full card number. Stripe is PCI-DSS Level 1 certified.
6. Incident response
If we ever discover a security incident affecting your data, we will:
- Notify affected users within 72 hours of confirming the incident.
- Provide a detailed post-mortem within 14 days, including what happened, what was accessed, what we've done about it, and what we're changing.
- Offer concrete remediation steps (password reset, session invalidation, credit monitoring where appropriate).
We have not had a security incident to date.
7. Responsible disclosure
If you've found a security vulnerability in Heel, please report it through the support contact form with subject “Security report.” We acknowledge reports within 24 hours and work with researchers to coordinate disclosure.
We do not currently run a paid bug bounty, but we publicly credit researchers (with permission) and send a token of appreciation for valid reports.
8. Compliance posture
Heel is a small team and is honest about its compliance state. As of the date above:
- GDPR / CCPA — we comply with the substantive requirements (data export, deletion, access). Formal documentation is available on request.
- SOC 2 — Type I audit planned for our first post-beta year. Until then, we'll share specific control evidence with prospective business users on request.
- HIPAA — pet medical data is not covered by HIPAA in the US. We apply HIPAA-style controls voluntarily because it's the right shape of carefulness.
9. Contact
For security questions or to report a vulnerability, use the support contact form and pick “Privacy or security” as the topic.