Security & Privacy

Gestallt is built with privacy as a core requirement. This page documents our security architecture and what it means for your data.

Security Principles

Team Isolation

Each team’s data is stored separately. Firestore security rules enforce strict boundaries at the database level—there is no code path that allows one team to access another team’s data.

Role-Based Permissions

  • Admins can invite members, remove members, and update settings
  • Members can create, edit, and view entries
  • No one outside the team can see anything

Verified Membership

Invitations are matched to verified email addresses. You can only join a team if you control the email address that was invited. This prevents unauthorized access through invitation links.

No PHI in URLs

Entry IDs in URLs are opaque identifiers. Child names, phrases, and clinical data never appear in browser history, server logs, or shareable links.


HIPAA-Compatible Infrastructure

We describe Gestallt’s security posture as “HIPAA-compatible infrastructure” rather than “HIPAA compliant” or “HIPAA certified.”

What we can say

  • We use Firebase/Google Cloud infrastructure that supports HIPAA compliance
  • Google Cloud can be covered under a Business Associate Agreement (BAA)
  • Our architecture (team isolation, role permissions, verified membership) is designed to support HIPAA requirements
  • Data is encrypted at rest and in transit

What we don’t claim

  • “HIPAA certified” — there is no such certification
  • “Fully HIPAA compliant” — compliance requires organizational policies beyond software
  • Automatic compliance for your organization — you may need additional policies

Why this language matters

HIPAA compliance is a combination of technical controls (which we provide) and organizational policies (which you must implement). We’re honest about what our infrastructure provides vs. what requires your organization’s policy decisions.


Technical Implementation

Layer             Implementation
Authentication    Firebase Authentication (email/password)
Authorization     Custom JWT claims for team membership and roles
Data storage      Firebase Firestore with security rules
Access control    Firestore rules enforce team isolation at query level
Server logic      Firebase Cloud Functions (Node.js)
Edge deployment   Cloudflare Workers
Encryption        At rest and in transit (Google Cloud default)
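As an added illustration (not Gestallt's actual rule set), the following Firestore security rules show how the team isolation and role matrix described above can be expressed at the database layer. It assumes custom JWT claims named teamId and role (set server-side by a Cloud Function only after the invitation's email has been matched to the verified sign-in email) and collections named teams, members and entries.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helpers read the custom claims carried in the caller's ID token.
    // Claim names (teamId, role) are assumptions for this example; if a claim
    // is missing, the expression errors and the request is denied.
    function signedIn() {
      return request.auth != null;
    }
    function inTeam(teamId) {
      return signedIn() && request.auth.token.teamId == teamId;
    }
    function isAdmin(teamId) {
      return inTeam(teamId) && request.auth.token.role == 'admin';
    }
    function isMember(teamId) {
      return inTeam(teamId) && request.auth.token.role in ['admin', 'member'];
    }

    match /teams/{teamId} {
      // Team settings: readable by the whole team, editable only by admins.
      allow read: if inTeam(teamId);
      allow update: if isAdmin(teamId);
      // Team creation/deletion is left to server-side Cloud Functions.
      allow create, delete: if false;

      // Membership records: admins invite and remove members.
      match /members/{uid} {
        allow read: if inTeam(teamId);
        allow create, delete: if isAdmin(teamId);
        allow update: if false;
      }

      // Entries: members (and admins) create, edit and view.
      // Which role may delete is not specified on the page; assumed admin-only here.
      match /entries/{entryId} {
        allow read, create, update: if isMember(teamId);
        allow delete: if isAdmin(teamId);
      }
    }

    // Any path not matched above, including another team's documents,
    // is denied by default: the teamId bound in the path must equal the
    // caller's own claim, so there is no rule that grants cross-team access.
  }
}
```

Because the check binds the path's teamId to the token's claim, a query such as a collection read of /teams/{otherTeam}/entries fails the rule outright rather than returning a filtered subset.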

What We Don’t Do

  • Sell your data: Your entries are yours. We don’t sell, share, or analyze them for advertising.
  • Allow cross-team access: There is no admin mode that lets us view your data without your permission.
  • Store unencrypted data: Data is encrypted at rest by Firebase/Google Cloud.
  • Overpromise compliance: We’re honest about infrastructure vs. organizational requirements.

For Healthcare Organizations

If your organization requires a Business Associate Agreement (BAA):

  1. Google Cloud (which hosts Firebase) offers BAAs for covered entities
  2. Our infrastructure is designed to operate within HIPAA requirements
  3. Contact us to discuss your specific compliance needs

We can provide:

  • Technical documentation of our security architecture
  • Information about Firebase/Google Cloud HIPAA capabilities
  • Guidance on organizational policies you may need

Data Retention

  • Active accounts: Data is retained as long as your account is active
  • Deleted entries: Removed from the database immediately
  • Account deletion: All associated data is removed
  • Team deletion: All team entries and membership data are removed

Incident Response

If we discover a security issue:

  1. We investigate and contain the issue immediately
  2. We notify affected users within 72 hours
  3. We provide clear information about what happened and what we’re doing
  4. We document the incident and improve our systems

Questions?

For security-related questions or to discuss compliance requirements, contact us with details about your organization’s needs.