Sens8Focus

Sign in
Terms of ServicePrivacy PolicyHIPAA NoticeSecurity Overview

Security Overview

Last updated: March 28, 2026

Security is not a feature we added to Sens8Focus — it is the foundation we built everything on. Every piece of your data is protected by multiple layers of defense.

1. Our Approach to Security

Sens8Focus employs a defense-in-depth strategy, applying multiple overlapping security controls at every layer of our infrastructure. We follow the principle of least privilege, ensuring that access to systems and data is limited to only what is necessary.

Our security practices are informed by HIPAA requirements, industry best practices, and the OWASP Top 10. We conduct regular security assessments and continuously monitor our systems for vulnerabilities and threats.

We recognize that the data you share with Sens8Focus is deeply personal. That responsibility drives every decision we make about our security architecture.

2. Encryption

We use industry-leading encryption to protect your data at every stage:

AES-256 Encryption at Rest

All data stored in our databases and file systems is encrypted using AES-256, the same standard used by governments and financial institutions worldwide. Encryption keys are managed through a dedicated key management service with automatic rotation.

TLS 1.3 Encryption in Transit

Every connection between your device and Sens8Focus is encrypted with TLS 1.3, the latest and most secure transport layer protocol. We enforce HSTS (HTTP Strict Transport Security) to prevent downgrade attacks, and we do not support older, less secure protocols.

Field-Level Encryption

Beyond full-database encryption, we apply field-level encryption to your most sensitive data — journal entries, session notes, and personal reflections are individually encrypted before being stored. This means that even if someone gained access to our database, these fields would remain unreadable without the corresponding decryption keys.

3. Access Controls

We enforce strict access controls to ensure that only authorized individuals can access systems and data:

  • Role-based access control (RBAC): Team members are granted access based on their role, following the principle of least privilege. Access is reviewed and re-certified quarterly.
  • Multi-factor authentication (MFA): All team members with access to production systems are required to use multi-factor authentication.
  • SSO and identity management: We use enterprise-grade identity providers to manage team access with centralized authentication and authorization.
  • Network segmentation: Our infrastructure is segmented to isolate sensitive systems and limit the blast radius of any potential breach.
  • No standing access to PHI: Sens8Focus engineers do not have standing access to user health data. Access to PHI requires a documented justification, approval, and is time-limited and audited.

4. Audit Logging

Comprehensive audit logging is critical to both security and HIPAA compliance. We maintain detailed logs of:

  • All access to Protected Health Information, including who accessed it, when, and why.
  • Authentication events, including successful and failed login attempts.
  • Administrative actions, such as changes to access controls or system configurations.
  • Data modifications, including creates, updates, and deletes of health-related records.
  • System events, including errors, warnings, and security-relevant incidents.

Audit logs are stored in a tamper-evident, append-only log store. They are retained for up to 7 years in accordance with HIPAA requirements and are regularly reviewed by our security team.

5. Business Associate Agreements (BAAs)

HIPAA requires that we enter into Business Associate Agreements with any third party that may create, receive, maintain, or transmit PHI on our behalf. We take this obligation seriously:

  • All cloud infrastructure providers, hosting services, and data processors have signed BAAs with Sens8Focus.
  • We vet third-party vendors for their security practices and HIPAA compliance before engaging them.
  • We conduct periodic reviews of our business associates to ensure ongoing compliance.
  • We minimize the number of third parties who have access to PHI, limiting it to only those essential to operating the Service.

6. Incident Response

Despite our best efforts, no system is immune to security incidents. We maintain a comprehensive incident response plan to ensure we can respond quickly and effectively:

  • Detection: Automated monitoring and alerting systems detect potential security incidents in real time.
  • Containment: Our response team acts immediately to contain any breach and prevent further unauthorized access.
  • Investigation: We conduct a thorough investigation to determine the scope, impact, and root cause of every incident.
  • Notification: In the event of a breach involving PHI, we will notify affected individuals within 60 days as required by HIPAA. For breaches affecting more than 500 individuals, we will also notify the U.S. Department of Health and Human Services and prominent media outlets as required.
  • Remediation: We implement corrective actions to prevent recurrence and update our security controls as needed.

Our incident response plan is tested and updated at least annually through tabletop exercises and simulated breach scenarios.

7. Responsible Disclosure

We value the work of security researchers and the broader security community. If you discover a security vulnerability in Sens8Focus, we encourage you to report it to us responsibly.

Report a vulnerability

security@sens8focus.com

When reporting a vulnerability, please:

  • Provide a detailed description of the vulnerability, including steps to reproduce it.
  • Allow us reasonable time to investigate and address the issue before disclosing it publicly.
  • Avoid accessing, modifying, or deleting other users' data during your research.
  • Act in good faith and do not exploit the vulnerability beyond what is necessary to demonstrate the issue.

We commit to acknowledging your report within 48 hours, providing regular updates on our progress, and crediting you (if desired) when the vulnerability is resolved. We will not take legal action against researchers who follow these guidelines.