> All your data is encrypted with 256-bit encryption at rest and the data exchanged with our servers are encrypted with 256-bit SSL.
Stuff like this makes me cringe. If this is the only thing you can talk about for security then you're announcing to the world you have nothing - no security program, no bug bounty, no appsec team, no best practices, no anything. There's not a single mention of HIPAA anywhere on the website even?
Anyone who uses this service is asking to leak their healthcare data.
Is it? Isn't "not losing people's personal health data to a breach" more important than shipping?
Answering hard questions like that is the difference between a product that is ready for the marketplace and a hobby toy.
It's pretty simple and "set and forget"; hopefully it's useful for others.
I go into very high-level details on what's happening behind the scenes in this blog post: