How We Protect Your Data
Effective Date: 1/27/2026
Last Updated: 1/31/2026
Rescue Ally handles sensitive medical information, and we take that responsibility seriously. This page explains the security measures we use to protect your data at every step.
Every Request Is Challenged
Before any data is read or written, every request to Rescue Ally must pass through multiple independent layers of security:
- Is it from a suspicious source? Our cloud firewall blocks known attack patterns and rate-limits aggressive behavior before requests reach our application.
- Is the sender who they claim to be? Every request must include proof of identity via passwordless authentication.
- Are they allowed to access this data? Fine-grained authorization policies verify permission for the specific resource requested.
- Could someone be eavesdropping? All communication is encrypted in transit, so intercepted messages can't be read.
- Is the stored data safe? All data is encrypted at rest — on your device and in the cloud.
If any check fails, the request is denied. The sections below explain each layer in detail.
What if... someone attacks our server with bad requests?
Before a request reaches our application, it passes through a firewall that screens for known attack patterns and rate-limits suspicious behavior. Addresses that send too many requests in a short window are automatically blocked. Unusual and unrecognized requests are completely ignored.
What if... someone pretends to be me?
Rescue Ally uses passwordless authentication to protect your account. Instead of a password, you prove your identity by demonstrating access to your verified phone number or email address.
How Login Works
When you sign in, we send a one-time magic link to your phone number or email address. We use your contact information exclusively for these authentication links — never for marketing, notifications, or any other purpose.
- You enter your phone number or email
- We send a secure, time-limited magic link
- You tap the link to verify your identity
- Your device unlocks your encrypted data using biometrics
The magic link expires after 24 hours and can only be used once. When you tap the link, we verify it hasn't expired or been used before, then issue secure tokens for your device to communicate with our servers.
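As an added illustration of the expiry and one-time-use checks described above (example code written for this page, not Rescue Ally's implementation): an in-memory magic-link service that stores only a hash of each token, rejects unknown, already-used and expired links, and purges stale records. The 24-hour lifetime comes from the text; the storage layout, class and function names, and the injectable clock are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
# Lifetime stated on the page: a magic link expires after 24 hours.
MAGIC_LINK_TTL_SECONDS = 24 * 60 * 60


@dataclass
class MagicLinkRecord:
    contact: str      # phone number or email the link was sent to
    issued_at: float  # seconds since the epoch, from the service clock
    used: bool = False


class MagicLinkService:
    """Issues and redeems single-use, time-limited magic-link tokens (in-memory store; assumption)."""
    def __init__(self, ttl_seconds=MAGIC_LINK_TTL_SECONDS, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock   # injectable so tests can control time
        self._records = {}    # sha256(token) -> MagicLinkRecord

    @staticmethod
    def _hash(token):
        # Only a hash is stored, so a copied table cannot be used to redeem links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, contact):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._hash(token)] = MagicLinkRecord(contact, self._clock())
        return token  # this value is what goes into the link

    def redeem(self, token):
        """Return (ok, reason); on success the link is marked used before any session tokens are issued."""
        record = self._records.get(self._hash(token))
        if record is None:
            return False, "unknown"
        if record.used:
            return False, "already_used"  # replay of an intercepted link
        if self._clock() - record.issued_at > self._ttl:
            return False, "expired"
        record.used = True
        return True, "ok"

    def purge_expired(self):
        """Drop used or expired records (the 'automatic deletion' the page mentions); return the count."""
        now = self._clock()
        stale = [h for h, r in self._records.items() if r.used or now - r.issued_at > self._ttl]
        for h in stale:
            del self._records[h]
        return len(stale)
```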
For details on SMS messaging, see our SMS Terms.
Why passwordless?
- No password to steal: There is no password database to breach, and no password for an attacker to guess or phish
- No password reuse: Compromised credentials from other services can't be used against Rescue Ally
- One-time use: Each magic link works exactly once, so intercepted links can't be replayed
On-device protection
Even after authenticating, patient data stored on your device is protected by a separate layer: biometric encryption. Your device's encryption key is stored in secure hardware (Secure Enclave on iPhone, Keystore on Android) and can only be unlocked with your face, fingerprint, or device passcode. This means that access to your account alone is not enough to read data stored on your phone — an attacker would also need physical access to your device and the ability to pass biometric verification.
What if... a user tries to read someone else's data?
Even a legitimately authenticated user can only access their own data. Before fulfilling any request, we verify that the specific user has permission to access the specific resource they're requesting.
- Authentication required: Every request must include a valid security token
- Authorization checks: Before accessing any data, we verify the user has permission
- User isolation: Each user can only access their own patient records and account information
- Fine-grained policies: We use Amazon Verified Permissions to enforce access rules
What if... someone is listening to our conversation?
Some attackers deploy devices that let them intercept messages sent over a computer network. Even if they succeed at intercepting the traffic, they won't be able to read the messages.
All communication between the Rescue Ally app and our servers is protected by HTTPS/TLS encryption:
- Your data is encrypted before it leaves your device
- It travels through the internet in a form that only our servers can decrypt
- We use TLS 1.2+, the current industry standard
- This is the same technology that protects online banking
Learn more: How HTTPS Works (external link)
What if... someone breaks into the datacenter?
Rescue Ally runs on Amazon Web Services (AWS), one of the world's most trusted cloud platforms. AWS provides:
- Physical security: 24/7 security personnel, biometric access controls, video surveillance
- Network security: Firewalls, intrusion detection, DDoS protection
- Compliance: AWS services are HIPAA-eligible with Business Associate Agreements
- Redundancy: Data replicated across multiple availability zones
We maintain a HIPAA Business Associate Agreement (BAA) with AWS to ensure proper handling of protected health information.
What if... someone steals the database?
It's theoretically possible that an attacker could, after breaching every other defense, get their hands on a copy of the database. Even if they did, they wouldn't be able to read it.
In the Cloud
All data stored in our databases is encrypted using AES-256, the same standard used by banks and governments. Additional protections include:
- Point-in-time recovery: We can restore your data to any point in time if anything goes wrong
- Automatic deletion: Expired authentication tokens are automatically removed
- Access logging: We maintain audit logs of all data access
On Your Device
Patient information on your phone is protected by hardware-level encryption:
- Your data is encrypted using AES-256
- The encryption key is generated on your device and stored in secure hardware (Secure Enclave on iPhone, Keystore on Android)
- The key never leaves the secure hardware and cannot be extracted
- Accessing your data requires biometric authentication (Face ID, Touch ID, or fingerprint) or your device passcode
Even if someone physically stole your phone, they couldn't read your patient data without your face, fingerprint, or passcode.
What We Don't Do
To protect your security, we intentionally don't:
- Store passwords (we use passwordless authentication)
- Allow cloud backup of the app database (encryption keys stay on device)
- Log sensitive data like patient information
- Share your data with third parties (except when you explicitly transfer it)
- Send promotional messages to your phone or email
Security Best Practices for Users
You can help keep your data secure:
- Keep your device updated: Install OS updates promptly for security patches
- Use a strong device passcode: This is your backup if biometrics fail
- Enable biometric authentication: Face ID, Touch ID, or fingerprint
- Don't share login links: Magic links are for your use only
- Log out of shared devices: If you ever use a shared phone
Questions or Concerns?
If you have questions about our security practices or want to report a security concern:
Rescue Ally Security Team
Email: security@rescueally.org
Phone: +1 (303)-578-8161
For general privacy questions, see our Privacy Policy.
We continuously review and improve our security measures. This page will be updated when we make significant changes.