Protecting the people who trust our platform

Last Updated: April 2026
The Peer Network is built on the belief that people seeking peer support deserve a platform that handles their data with the same care as the clinicians and peers who serve them. Security and privacy are not afterthoughts; they are foundational to everything we build.

Compliance

The Peer Network is a HIPAA-covered entity and is actively pursuing SOC 2 Type II certification. All services that process or store protected health information (PHI) are hosted on AWS HIPAA-eligible services under AWS’s Business Associate Agreement. Compliance evidence is continuously collected via Vanta.

Our Security Principles

Our security posture is grounded in the following principles that guide every engineering and infrastructure decision we make:
01 Access to protected health information (PHI) and sensitive data is granted only to those with a legitimate business need, governed by the principle of least privilege.
02 Security controls are layered in depth; no single control is a single point of failure.
03 Controls are applied consistently across all environments: development, staging, and production.
04 Our security program matures continuously, improving effectiveness and auditability and reducing operational friction over time.

Data Protection

Data at Rest

All databases, object storage (S3), and backups are encrypted at rest using AES-256 via AWS-managed keys. Database instances run in Multi-AZ configurations for both durability and high availability.

Data in Transit

All data transmitted between clients and our servers uses TLS 1.2 or higher. CloudFront enforces HTTPS for all traffic, and HTTP Strict Transport Security (HSTS) is enabled across all endpoints.

Secret Management

Application secrets are stored in AWS Secrets Manager and Parameter Store. Encryption keys are managed via AWS KMS with strict IAM policies limiting access to authorized services only.

Backup and Recovery

Automated database snapshots and point-in-time recovery are enabled. Multi-AZ failover ensures continuity in the event of an availability zone disruption.

Infrastructure Security

Network Isolation

All application workloads run in private subnets within a dedicated VPC. Public access is mediated exclusively through AWS WAF and CloudFront, with no direct exposure of application or database tiers.

Web Application Firewall

AWS WAF is deployed in front of all public-facing endpoints to detect and block common web exploits, including OWASP Top 10 threats, at the edge.
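One way to check that a distribution actually carries the controls stated under Data in Transit and Web Application Firewall, as an added example that is not The Peer Network's own code: it audits a CloudFront distribution config, in the shape returned by `aws cloudfront get-distribution-config`, for HTTPS enforcement, a TLS 1.2 minimum, HSTS on every behavior and an attached web ACL. The two sample configs, the policy id `hsts-policy` and the web ACL ARN are constructed for the example.

```typescript
// Added example, not The Peer Network's code. All sample data below is constructed.
type Behavior = { ViewerProtocolPolicy: string; ResponseHeadersPolicyId?: string };
type DistributionConfig = {
  DefaultCacheBehavior: Behavior;
  CacheBehaviors?: { Quantity: number; Items?: Behavior[] };
  ViewerCertificate: { CloudFrontDefaultCertificate: boolean; MinimumProtocolVersion?: string };
  WebACLId?: string;
};
// Subset of `get-response-headers-policy` output, looked up by policy id.
type HeadersPolicy = { SecurityHeadersConfig?: { StrictTransportSecurity?: { AccessControlMaxAgeSec: number } } };
// MinimumProtocolVersion values CloudFront accepts that satisfy "TLS 1.2 or higher".
const TLS12_OR_HIGHER = ['TLSv1.2_2018', 'TLSv1.2_2019', 'TLSv1.2_2021'];
const ONE_YEAR_SEC = 31536000;

function auditDistribution(cfg: DistributionConfig, policies: Record<string, HeadersPolicy>): string[] {
  const findings: string[] = [];
  // Every behavior, the default one included, must force HTTPS and send HSTS.
  const behaviors = [cfg.DefaultCacheBehavior].concat(cfg.CacheBehaviors?.Items ?? []);
  behaviors.forEach((b, i) => {
    const label = i === 0 ? 'default behavior' : 'behavior #' + i;
    if (b.ViewerProtocolPolicy !== 'https-only' && b.ViewerProtocolPolicy !== 'redirect-to-https') {
      findings.push(label + ': plain HTTP allowed (' + b.ViewerProtocolPolicy + ')');
    }
    const hsts = (b.ResponseHeadersPolicyId ? policies[b.ResponseHeadersPolicyId] : undefined)?.SecurityHeadersConfig?.StrictTransportSecurity;
    if (!hsts || hsts.AccessControlMaxAgeSec < ONE_YEAR_SEC) {
      findings.push(label + ': HSTS missing or max-age below one year');
    }
  });
  const cert = cfg.ViewerCertificate;
  if (cert.CloudFrontDefaultCertificate) {
    // With the default *.cloudfront.net certificate CloudFront fixes the security policy at TLSv1.
    findings.push('viewer certificate: default CloudFront cert, a TLS 1.2 minimum cannot be set');
  } else if (TLS12_OR_HIGHER.indexOf(cert.MinimumProtocolVersion ?? '') === -1) {
    findings.push('viewer certificate: minimum protocol ' + cert.MinimumProtocolVersion + ' is below TLS 1.2');
  }
  if (!cfg.WebACLId) findings.push('no AWS WAF web ACL associated');
  return findings;
}

// Constructed samples: one compliant distribution and one that has drifted from the stated posture.
const POLICIES: Record<string, HeadersPolicy> = {
  'hsts-policy': { SecurityHeadersConfig: { StrictTransportSecurity: { AccessControlMaxAgeSec: ONE_YEAR_SEC } } },
};
const COMPLIANT: DistributionConfig = {
  DefaultCacheBehavior: { ViewerProtocolPolicy: 'redirect-to-https', ResponseHeadersPolicyId: 'hsts-policy' },
  ViewerCertificate: { CloudFrontDefaultCertificate: false, MinimumProtocolVersion: 'TLSv1.2_2021' },
  WebACLId: 'arn:aws:wafv2:us-east-1:000000000000:global/webacl/placeholder/placeholder',
};
const DRIFTED: DistributionConfig = {
  DefaultCacheBehavior: { ViewerProtocolPolicy: 'allow-all' },
  CacheBehaviors: { Quantity: 1, Items: [{ ViewerProtocolPolicy: 'https-only', ResponseHeadersPolicyId: 'hsts-policy' }] },
  ViewerCertificate: { CloudFrontDefaultCertificate: true },
};
```

Running `auditDistribution` over the output of the real CLI call on a schedule, and alerting on a non-empty result, turns the posture statements above into a drift check.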

Monitoring and Alerting

CloudWatch alarms monitor infrastructure health metrics across all services. Security-relevant events trigger notifications to the engineering team for prompt review and response.

Infrastructure as Code

All infrastructure is defined in AWS CDK (TypeScript), ensuring configuration is version-controlled, peer-reviewed, and consistently applied across all environments.

Identity and Access Management

Role-Based Access

The Peer Network enforces distinct roles — Admin, Peer Specialist, Organization User, and Client — each with scoped permissions appropriate to their function. No role has access beyond what its duties require.

Authentication and MFA

Multi-factor authentication is required for all staff accessing internal systems and AWS infrastructure. IAM roles follow least-privilege policies defined and deployed via CDK.

Data in API Responses

PHI and PII are excluded from API responses that don’t require them. Each role receives only the data necessary for its function, following strict data minimization principles.

Data Privacy

HIPAA Compliance

The Peer Network is a HIPAA-covered entity. We maintain Business Associate Agreements with all vendors that handle PHI on our behalf. All PHI is stored and processed exclusively on AWS HIPAA-eligible services.

Data Minimization

We collect only the data necessary to deliver peer support services. Data shared between platform roles is scoped to what each role legitimately needs — PII is excluded from contexts where it isn’t required.

Business Associate Agreements

Organizations using The Peer Network’s platform may request a Business Associate Agreement. Please contact us at privacy@thepeernetwork.com to initiate the process.

Contact

If you have questions about our security posture, would like to request documentation for a vendor security review, or need to report a potential security issue, please contact us at security@thepeernetwork.com.

This policy is subject to change as necessary to comply with changing laws and regulations.