Security & Compliance

Lightning Step is hosted with Amazon Web Servers (AWS).

There are two parts of the data associated with each EMR site:

1. the database that contains all of the information for the site, and

2. the uploaded files, such as scanned insurance cards, lab results, and files associated with the claims process.


The database resides on a database cluster that is available in multiple zones simultaneously, eliminating a single point of failure. It is continuously backed up, and provides point in time restore points at 5 minute intervals for up to 34 days. Lightning Step tests the backup and restore functionality monthly.

Uploaded Files & Backups

Uploaded files are stored on a clustered file system that is also available in multiple availability zones (AZ) simultaneously, so there is no single point of failure. These files are backed up once per hour, and these backups are also tested monthly by restoring files and comparing them to the previous versions to ensure integrity.

From a disaster recovery perspective, all AWS locations use multiple Availability Zones, and all Lightning Step EMR data is hosted in multiple zones, so the failure of a single zone will not cause an outage. In the event of a larger disaster, the data could be recovered in a different AWS location if necessary.


From an administration perspective, we use AWS Control Tower, which provides strict governance over who has access to what. The site architecture adheres to AWS best practices to prevent unauthorized access. We have a strict internal hierarchy utilizing a least privilege model, to ensure that administrators have the minimal access necessary to do their work.

There is a multi-AZ load balancer that sends traffic to multiple application servers. The application servers work against multiple database clusters. Each client has their own database that is separate from all other customer databases. Traffic is encrypted from the browser, the traffic between the various tiers of the system are encrypted, and data is also encrypted at rest.

The advantages of this architecture are to provide the best client experience, with 24/7 availability, with no down time required for routine maintenance procedures.

In addition to the hosting infrastructure, there are many security features implemented at the application level. Each site is only available through SSL browser access, and users must log in in order to have any access to the site. We support SSO through Google, Microsoft, Okta, and other OAUTH providers. Failed logins are rate-limited, with multiple failures leading to a lock-out period for each account. Additionally, we support Re-Captcha as part of the login process, which provides an additional level of security.

Lightning Step supports SMS messaging for meeting reminders, and supports Multifactor Authentication through SMS text or email.