Compliance and Security

Data Encryption

Vilulia protects case data through multiple layers of encryption: PHI fields in the database are encrypted at the field level using AES-256-GCM with AWS Key Management Service (KMS), case documents are stored in Amazon S3 with server-side KMS encryption, and all API traffic is protected by TLS. For organizations on the HIPAA Basic or HIPAA Enhanced add-on, PHI field encryption is active automatically. Document encryption applies to all organizations regardless of plan.

What you'll learn

  • How PHI field encryption works with AWS KMS and AES-256-GCM
  • How document encryption works in S3
  • Which plans include PHI encryption
  • How encryption keys are managed and rotated

PHI field encryption

Protected health information stored in Vilulia database records is encrypted at the field level using AES-256-GCM. Each field is encrypted with a per-tenant key context managed by AWS KMS (key alias vilulia-phi-key). AES-256-GCM is the algorithm used for all new writes. Existing data encrypted under the legacy Fernet scheme (AES-128-CBC) is decrypted transparently and re-encrypted with AES-256-GCM on the next write. PHI field encryption is enabled automatically when the HIPAA Basic or HIPAA Enhanced add-on is active on your organization.

Key rotation

Field encryption keys are rotated by deploying a new primary key and retaining the previous key as a fallback. The platform decrypts data with either key and re-encrypts with the new key on write, enabling zero-downtime rotation without a bulk re-encryption job. KMS key usage is logged by AWS CloudTrail, providing an independent audit trail of all encryption and decryption operations.
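
The rotation flow described above, as an added example that is not Vilulia's own code. Locally generated keys stand in for KMS-managed key material; the one-byte key ID prefix, the blob layout, the use of the tenant ID as GCM associated data, and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed 32-byte keys standing in for KMS-managed key material.
const OLD_KEY = { id: 1, key: crypto.randomBytes(32) };
const NEW_KEY = { id: 2, key: crypto.randomBytes(32) };

// A keyring has one primary key for writes plus fallback keys kept for reads.
function makeKeyring(primary, fallbacks = []) {
  const byId = new Map([primary, ...fallbacks].map((k) => [k.id, k.key]));
  return { primaryId: primary.id, byId };
}

// Assumed blob layout: keyId (1 byte) | nonce (12) | auth tag (16) | ciphertext.
function encryptField(ring, tenantId, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every write
  const c = crypto.createCipheriv('aes-256-gcm', ring.byId.get(ring.primaryId), nonce);
  c.setAAD(Buffer.from(tenantId)); // binds the ciphertext to one tenant
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([Buffer.from([ring.primaryId]), nonce, c.getAuthTag(), ct]);
}

// Reads pick the key named in the blob, so primary and fallback both work.
function decryptField(ring, tenantId, blob) {
  const keyId = blob[0];
  const key = ring.byId.get(keyId);
  if (!key) throw new Error(`no key ${keyId} in keyring`);
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(1, 13));
  d.setAAD(Buffer.from(tenantId));
  d.setAuthTag(blob.subarray(13, 29));
  // final() throws if the tag, ciphertext, or tenant context does not match.
  const pt = Buffer.concat([d.update(blob.subarray(29)), d.final()]);
  return { plaintext: pt.toString('utf8'), keyId };
}

// Write path: whichever key protected the old value, the new value uses the primary.
function updateField(ring, tenantId, blob, transform) {
  const { plaintext } = decryptField(ring, tenantId, blob);
  return encryptField(ring, tenantId, transform(plaintext));
}

// The fallback key is only safe to drop once no stored blob still names it.
function fallbackCanBeRetired(ring, blobs) {
  return blobs.every((b) => b[0] === ring.primaryId);
}
```

Because rotation relies on re-encryption at write time, records that are never rewritten stay under the previous key, so the fallback has to be retained until a check like fallbackCanBeRetired passes.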

Document encryption

Case documents are stored in Amazon S3 with server-side KMS encryption (SSE-KMS) enabled. This applies to all organizations on all plan tiers — document encryption does not require a HIPAA add-on. Supported file types include PDF, DOCX, and common image formats. Encryption is managed by AWS and is transparent to the end user.

Email account tokens

OAuth access tokens for connected email accounts (Gmail and Outlook) are encrypted at rest using AES-256-GCM before being stored. This is separate from the PHI encryption system and applies regardless of HIPAA add-on status.

Secure messaging encryption

Messages sent through the HIPAA Enhanced secure messaging feature are encrypted server-side using Fernet (AES-128-CBC with HMAC-SHA256) before storage. Plaintext is never persisted — the message body is encrypted immediately on receipt. Decryption occurs server-side at read time for authorized recipients. This feature requires an active BAA.
