Security architecture.
This page covers the technical safeguards Memrov uses to protect data at rest, in transit, and throughout pipeline execution. Our infrastructure runs entirely on AWS using only HIPAA-eligible services.
Storage
All persistent data lives in Amazon S3 or Amazon DynamoDB. Every S3 bucket is created with BlockPublicAccess.BLOCK_ALL and enforceSSL: true. The first turns on all four S3 public-access-block settings, so neither an ACL nor a bucket policy can make the bucket public; the second adds a Deny statement to the bucket policy that rejects any request arriving over plain-text HTTP (aws:SecureTransport false). All S3 objects are encrypted with a dedicated customer-managed AWS KMS key. Buckets are created with RemovalPolicy.RETAIN, so deleting or rolling back the CloudFormation stack orphans the bucket instead of deleting it. RETAIN governs the stack lifecycle only: it does not stop an authorized principal from deleting objects through the S3 API.
Raw upload objects carry a 7-day S3 lifecycle expiration rule: each original upload is deleted automatically seven days after it is written, so once the processing pipeline has consumed it the source file does not persist. Lifecycle rules are evaluated on a daily schedule rather than at the exact moment an object becomes eligible, so the 7-day figure is a ceiling on retention, not a real-time delete.
Encryption key separation
Memrov uses four separate customer-managed KMS keys, each scoped to a distinct data domain:
- IdentityKey — Cognito user records and authentication data
- ClinicalKey — Personality report results, clinical-adjacent analysis outputs, and the dedicated clinical S3 bucket
- ResearchKey — Opt-in research data, isolated from the consumer product entirely
- OpsKey — Operational logs, access logs, and infrastructure metadata
Encrypting each domain under its own key means that a principal who can decrypt one key cannot read data encrypted under another, and that access to each key can be granted and audited per domain. This differs from the AWS-managed key model, where every S3 object in the account encrypted with the default aws/s3 key shares that one key (and every DynamoDB table shares aws/dynamodb). The isolation is only as strong as the IAM separation behind it: if one role holds kms:Decrypt on several domain keys, or the key policies delegate to account-level IAM policies that do, the keys are separate labels on the same blast radius.
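The following check shows what "key separation" has to mean in practice: for each KMS key policy, collect the principals allowed to call kms:Decrypt and flag any principal that can decrypt more than one domain key. This is an added example, not Memrov's code; the key names follow the four domains listed above, while the account ID, role names and policy documents are constructed for illustration. It also flags the default root statement, which by itself proves nothing about separation because it hands the decision to IAM policies.

```python
"""Check that KMS key separation is backed by principal separation.

Added example, not Memrov's code. Key names follow the four data domains;
the account ID, role names and policy documents are constructed.
"""
from collections import defaultdict
from typing import Dict, Set

ACCOUNT = "123456789012"  # constructed account ID


def role(name: str) -> str:
    """ARN of an IAM role in the constructed account."""
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def decrypt_principals(key_policy: dict) -> Set[str]:
    """Principal ARNs that an Allow statement lets call kms:Decrypt (or kms:*).

    The account root ARN is returned like any other principal; see
    root_delegates() for why it deserves separate attention.
    """
    out = set()
    for st in key_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"kms:decrypt", "kms:*"}:
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            out.add("*")
            continue
        out.update(_as_list(principal.get("AWS", [])))
    return out


def root_delegates(key_policy: dict) -> bool:
    """True if the policy carries the default root statement (kms:* to the
    account root). With it, any IAM policy in the account can grant Decrypt on
    this key, so the key policy alone does not establish who can read the data."""
    return f"arn:aws:iam::{ACCOUNT}:root" in decrypt_principals(key_policy)


def roles_spanning_domains(key_policies: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Map principal -> domain keys it can decrypt, keeping only those that
    span more than one domain. An empty result means the separation holds."""
    by_principal = defaultdict(set)
    for key_name, policy in key_policies.items():
        for p in decrypt_principals(policy):
            by_principal[p].add(key_name)
    return {p: keys for p, keys in by_principal.items() if len(keys) > 1}


def key_policy(*principal_arns: str, with_root: bool = False) -> dict:
    """Minimal key policy granting Decrypt/GenerateDataKey to the given roles.
    with_root=True prepends the default statement that delegates to IAM."""
    statements = [{
        "Effect": "Allow",
        "Principal": {"AWS": list(principal_arns)},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
    }]
    if with_root:
        statements.insert(0, {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed policies for the four domain keys. OpsKey contains a deliberate
# mistake: the report pipeline role was also granted the ops key.
KEY_POLICIES = {
    "IdentityKey": key_policy(role("AuthHandlerRole")),
    "ClinicalKey": key_policy(role("ReportPipelineRole")),
    "ResearchKey": key_policy(role("ResearchExportRole")),
    "OpsKey": key_policy(role("LogWriterRole"), role("ReportPipelineRole")),
}

if __name__ == "__main__":
    for principal, keys in roles_spanning_domains(KEY_POLICIES).items():
        print(f"{principal} can decrypt {sorted(keys)}")
```

Run against the constructed policies, the check reports that ReportPipelineRole can decrypt both ClinicalKey and OpsKey, which is exactly the kind of drift that quietly merges two data domains. In a real account the same logic should be fed the live key policies (kms:GetKeyPolicy) together with the IAM policies attached to each role, since the root statement means IAM grants count too.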
Database
Amazon DynamoDB is used for all structured application data. Every table is encrypted with a customer-managed KMS key (not the AWS-managed default). Point-in-time recovery (PITR) is enabled on every table, providing a continuous backup window that allows restoration to any second within the last 35 days. A PITR restore writes to a new table rather than overwriting the live one, so recovery is a controlled cut-over rather than an in-place rollback.
Authentication
User authentication is handled by Amazon Cognito with email verification required on sign-up. Internal AWS services communicate through scoped IAM roles; there are no shared application-level passwords between services. Access to the app requires a valid Cognito token, where valid means the token's signature verifies against the user pool's published signing keys and its issuer, expiry and app client claims match ours.
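Signature verification is only half of validating a Cognito token; the other half is checking the claims, and that is where most authorization bugs hide (accepting an ID token where an access token is expected, or a token from a different user pool or app client). The block below is an added example, not Memrov's code, covering the claim checks that follow signature verification. It assumes the RS256 signature has already been verified against the user pool's JWKS by a JWT library such as PyJWT; the region, user pool ID, app client ID and token contents are constructed, and the helper that builds unsigned tokens exists only to produce test inputs.

```python
"""Claim validation for an Amazon Cognito access token.

Added example, not Memrov's code. Signature verification (RS256 against the
user pool's JWKS) is assumed to have happened before these checks and is not
performed here. All identifiers and tokens below are constructed.
"""
import base64
import json
import time
from typing import Optional

REGION = "us-east-1"                    # constructed
USER_POOL_ID = "us-east-1_EXAMPLE123"   # constructed
APP_CLIENT_ID = "1example23456789abcd"  # constructed
# Cognito issuer format: https://cognito-idp.<region>.amazonaws.com/<pool id>
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


class TokenError(ValueError):
    """Raised when a token fails a claim check."""


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Split a compact JWT and return its payload. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    try:
        return json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64 and bad JSON
        raise TokenError("undecodable payload") from exc


def validate_access_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims if this is an unexpired access token issued by our
    user pool for our app client; otherwise raise TokenError."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("issuer mismatch")
    # Cognito issues distinct ID and access tokens. An ID token carries
    # token_use=id and 'aud'; an access token carries token_use=access and
    # 'client_id'. Accepting an ID token at the API lets a token meant for the
    # client be replayed against backend resources.
    if claims.get("token_use") != "access":
        raise TokenError("not an access token")
    if claims.get("client_id") != APP_CLIENT_ID:
        raise TokenError("client_id mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("token expired")
    if not claims.get("sub"):
        raise TokenError("missing subject")
    return claims


def is_valid_access_token(token: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper around validate_access_token."""
    try:
        validate_access_token(token, now)
        return True
    except TokenError:
        return False


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with an empty signature. Test input only: a real
    verifier must reject this before the claim checks ever run."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


if __name__ == "__main__":
    now = time.time()
    good = make_unsigned_token({"iss": EXPECTED_ISSUER, "token_use": "access",
                                "client_id": APP_CLIENT_ID, "sub": "u-1", "exp": now + 3600})
    print(validate_access_token(good, now)["sub"])
```

Keep the issuer comparison exact (no prefix matching): a token from another pool in the same region differs only in the pool ID at the end of the URL.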
Processing pipeline
The report generation pipeline is orchestrated with AWS Step Functions. Each execution is isolated; failures in one step do not affect other users' pipelines. AI inference runs through Amazon Bedrock, which does not retain prompts or outputs after an invocation completes and does not use them for model training. Async messaging between pipeline stages uses Amazon SQS and Amazon SNS, both encrypted with KMS.
Content delivery
The application is served through Amazon CloudFront with TLS enforced on all edge connections. CloudFront acts as the single public ingress point — S3 buckets and backend services are not directly reachable from the internet.
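Two of the guarantees on this page, the enforce-SSL bucket policy under Storage and CloudFront as the only path to S3 under Content delivery, are both properties of the bucket policy document, so they can be audited together. The block below is an added example, not Memrov's code or CDK output: it checks that a Deny statement refuses plain-text requests, that no Allow statement names the anonymous principal, and that every grant to the CloudFront service principal is pinned to one distribution through aws:SourceArn (the origin access control pattern). The bucket name, account ID, distribution ARN and both policy documents are constructed; the hardened policy mirrors what enforceSSL: true plus an OAC grant produces, and the weak one shows the two mistakes the check is meant to catch.

```python
"""Audit an S3 bucket policy for enforce-SSL and CloudFront-only access.

Added example, not Memrov's code. Bucket, account, distribution and policies
are constructed for illustration.
"""
from typing import List

BUCKET = "memrov-app-assets-example"  # constructed
DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"  # constructed


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(st: dict) -> dict:
    """Normalise Principal to {"AWS": [...], "Service": [...]}; a bare "*" is anonymous."""
    p = st.get("Principal", {})
    return {"AWS": ["*"]} if p == "*" else {k: _as_list(v) for k, v in p.items()}


def has_enforce_ssl_deny(policy: dict) -> bool:
    """True if a Deny hits every principal and every s3 action when
    aws:SecureTransport is false. This is the statement enforceSSL: true emits."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if "*" not in _principals(st).get("AWS", []):
            continue
        if "s3:*" not in _as_list(st.get("Action", [])):
            continue
        cond = st.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def anonymous_allows(policy: dict) -> List[dict]:
    """Allow statements granted to the anonymous wildcard principal."""
    return [st for st in policy["Statement"]
            if st.get("Effect") == "Allow" and "*" in _principals(st).get("AWS", [])]


def cloudfront_allows_unpinned(policy: dict) -> List[dict]:
    """Allow statements for cloudfront.amazonaws.com without a StringEquals
    aws:SourceArn condition naming exactly one distribution. Without that
    condition, any CloudFront distribution in any account can read the bucket."""
    bad = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if "cloudfront.amazonaws.com" not in _principals(st).get("Service", []):
            continue
        # Condition keys are case-insensitive; AWS docs write AWS:SourceArn.
        eq = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        src = _as_list(eq.get("aws:sourcearn", []))
        if len(src) != 1 or "*" in src[0]:
            bad.append(st)
    return bad


def audit(policy: dict) -> List[str]:
    """Human-readable findings; an empty list means the policy passes."""
    findings = []
    if not has_enforce_ssl_deny(policy):
        findings.append("no enforce-SSL deny statement")
    if anonymous_allows(policy):
        findings.append("allow statement with anonymous principal")
    if cloudfront_allows_unpinned(policy):
        findings.append("cloudfront grant not pinned to a distribution")
    return findings


HARDENED_POLICY = {  # constructed: enforceSSL deny + OAC read pinned to one distribution
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "AllowCloudFrontRead", "Effect": "Allow",
         "Principal": {"Service": "cloudfront.amazonaws.com"},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}},
    ],
}

WEAK_POLICY = {  # constructed: public read, unpinned CloudFront grant, no SSL deny
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

if __name__ == "__main__":
    print("hardened:", audit(HARDENED_POLICY) or "ok")
    print("weak:", audit(WEAK_POLICY))
```

BlockPublicAccess.BLOCK_ALL would neutralise the anonymous Allow in the weak policy even if it were written, but the unpinned CloudFront grant is not "public" in the public-access-block sense and would go through; the SourceArn check is the control that makes CloudFront the single ingress rather than any CloudFront.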
Monitoring and audit
Amazon CloudWatch collects logs and metrics from every service in the stack. S3 server access logs are retained for 90 days. Budget alerts are configured to detect unusual spend spikes, which can be an early indicator of unauthorized usage. AI generation traces are captured through Langfuse for quality and compliance review; because such traces can carry prompt and output content, the trace store sits inside the same data boundary as the pipeline it observes.
Product data boundaries
Memrov is organized around one shared foundation: the finalized personality report. The personality test creates it. Memrov AI can use it only after the report exists and the user has engaged with the product. Future products — including Memrov Match — are designed to require an explicit opt-in before accessing any profile-based data. Research participation is a completely separate consent lane and never touches the consumer product data path.
HIPAA-eligible infrastructure
Every AWS service Memrov uses — S3, DynamoDB, Lambda, Cognito, CloudFront, Bedrock, Step Functions, SQS, SNS, and CloudWatch — appears on AWS's HIPAA-eligible services list. We are pursuing a formal Business Associate Agreement (BAA) with AWS and a third-party HIPAA attestation. Our architecture is designed to satisfy HIPAA technical safeguard requirements today.