The Sobriety Resource

Secure Connection

Your Privacy is Our Commitment

Every piece of information you share with The Sobriety Resource is protected by multiple layers of security — from the moment you type it to the day it is retired. Here is exactly what we do and why.

HIPAA CompliantAES-256 EncryptedAudited AccessUS-Based

Our Four Pillars of Security

How we protect your information at every stage

Active

Encrypted Vault

Your most sensitive identifiers are unreadable — even to us.

Sensitive identifiers such as Social Security Numbers are encrypted using AES-256-GCM — the same standard used by the US National Security Agency for classified communications — before they ever reach our database. The encryption key is stored separately from the data. Even a complete copy of our database cannot be used to reconstruct your SSN without the key, which is never shared and rotated annually.

Active

Complete Forensic Audit Trail

Every access to your record is logged — who, when, and from where.

We implement the full audit-control requirement of HIPAA (45 CFR §164.312(b)). Every staff member who opens your record, every document viewed, and every change made is stamped with a timestamp, user identity, and source IP address. These logs are retained for the 6-year minimum required by HIPAA. You may request your access history at any time by contacting our Privacy Officer.

Active

Automatic Metadata Scrubbing

Photos you upload have their GPS coordinates removed before storage.

When you photograph an ID or insurance card with your phone, the image file contains hidden metadata — including the GPS coordinates of where the photo was taken, your device model, and the timestamp. Our system automatically re-processes every uploaded image through a sanitization pipeline that strips all of this metadata before the file is permanently stored. The original is immediately deleted. Only the clean, metadata-free image is retained.

Active

Isolated Access Control

Staff at other facilities cannot see your record — ever.

Your record is scoped exclusively to the facility you enrolled with. Staff members at other organizations using TSR have zero technical ability to view your name, financial information, or clinical history. This isolation is enforced at the database query layer — it is not a configuration setting that can be changed. System administrators who can cross facility boundaries are limited in number and their every access is logged.

Information we protect

  • Social Security Number (encrypted, never displayed in full)
  • Date of birth and personal demographics
  • Home address and contact details
  • Substance use and treatment history
  • Monthly income, expenses, and financial worksheet
  • Uploaded documents (ID, insurance, clinical records)
  • Digital signature and attestation records
  • Narrative essays submitted as part of the application

Technical safeguards in place

  • AES-256-GCM application-layer encryption for PII fields
  • TLS 1.3 transport encryption for all data in transit
  • Role-Based Access Control (RBAC) enforced at the query layer
  • Single-use magic links with 7-day expiry for document requests
  • MIME-type validation via file signature (magic bytes) on upload
  • Automatic EXIF metadata removal from all image uploads
  • Rate limiting on public-facing forms to prevent automated abuse
  • Security headers (CSP, HSTS, X-Frame-Options) on all responses

Hosting

US-Based Infrastructure

All application servers and databases operate exclusively within United States data centers. No client data is transferred internationally.

Compliance

HIPAA Aligned

Operational controls are aligned with 45 CFR Part 164 (Security Rule). Access controls, audit logs, and transmission security are implemented as required.

Retention

6-Year Audit Log Retention

Access logs are retained for a minimum of six years per HIPAA requirements. Client records are retained per program policy and applicable state law.

Disclosure: How your information is used

Information you provide is used solely to evaluate and administer your scholarship application. We do not sell, rent, or share your personal information with third parties for marketing purposes. Limited disclosure may occur as required by law (e.g., court order) or with your written consent (e.g., referral coordination).

Questions about your privacy rights or this policy? Contact our Privacy Officer