Rōvn · Investor Room

Diligence notice: working state of Rōvn as of 2026-06-24 · Pre-launch by design · See 09 for receipts.

Threat Model: STRIDE on the Credentialing Flow

Date: 2026-05-14 · Method: STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), applied to the core credentialing flow. Section reference: 06.9 Threat Model (STRIDE).


1. Trust boundaries

                ┌──────────────────────────────────────────┐
                │  Trust Zone A: Untrusted public internet │
                │  (worker browser, hospital browser,      │
                │   prospective attacker)                  │
                └──────────────────────────────────────────┘
                             │
                             │ TLS 1.3 + WAF
                             ▼
                ┌──────────────────────────────────────────┐
                │  Trust Zone B: Cloudflare + ALB edge     │
                └──────────────────────────────────────────┘
                             │
                             ▼
                ┌──────────────────────────────────────────┐
                │  Trust Zone C: ECS Fargate (FastAPI)     │
                │  IAM-bounded, VPC, no public ingress     │
                └──────────────────────────────────────────┘
                             │
                ┌────────────┼─────────────────────────────┐
                │            │                             │
                ▼            ▼                             ▼
        ┌─────────────┐ ┌─────────────┐         ┌──────────────────────┐
        │  Trust Zone │ │  Trust Zone │         │  Trust Zone F:       │
        │  D: RDS     │ │  E: S3      │         │  Vendor edge         │
        │  Postgres   │ │  Object     │         │  (Anthropic, Persona,│
        │  (private)  │ │  Lock 7yr   │         │  Checkr, NPDB, etc.) │
        └─────────────┘ └─────────────┘         │  BAA-bounded         │
                                                 └──────────────────────┘

2. STRIDE per surface

S: Spoofing

| Threat | Mitigation | Status |
|---|---|---|
| Worker spoofing (someone else's credentials uploaded) | Persona IAL2 identity binding to credentials | LIVE |
| Hospital user spoofing | WorkOS SSO with hospital IdP enforcement | LIVE |
| Admin spoofing | Dedicated admin auth + MFA + IP allow-list | PARTIAL |
| API key theft | Tokens in AWS Secrets Manager, rotation cadence 90 days | LIVE |
| Vendor webhook spoofing | HMAC signature verification on inbound webhooks | LIVE (Stripe, Persona, Checkr); TARGET for Nursys |
| MCP server caller spoofing | Bearer token + per-customer tokens | LIVE |
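
The webhook row above names HMAC verification but not the two details that decide whether it actually stops spoofing and replay. The following is an added example, not Rōvn's code and not any vendor's SDK: it signs over the timestamp plus the raw body, verifies in constant time before any JSON parsing, and rejects deliveries outside a replay window. The header names, the secret and the event payloads are constructed for the example; Stripe, Persona and Checkr each use their own header names and signing layout, but the HMAC-SHA256 idea is the same.

```python
import hashlib
import hmac
import json
from typing import Mapping, Tuple

# Constructed example secret. In the architecture above it would be loaded from
# AWS Secrets Manager at start-up, never hard-coded.
WEBHOOK_SECRET = b"example-shared-secret-not-real"
REPLAY_WINDOW_SECONDS = 300  # reject timestamps more than 5 minutes from receiver time

# Header names are an assumption for this example (vendors use their own).
TS_HEADER = "X-Webhook-Timestamp"
SIG_HEADER = "X-Webhook-Signature"


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>' so the timestamp is bound to the body."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_headers(secret: bytes, timestamp: int, body: bytes) -> dict:
    """What a genuine sender attaches to the delivery."""
    return {TS_HEADER: str(timestamp), SIG_HEADER: sign_payload(secret, timestamp, body)}


def verify_webhook(secret: bytes, headers: Mapping[str, str], body: bytes, now: int) -> Tuple[bool, str]:
    """Receiver side. Verify over the raw bytes before parsing, and compare in constant
    time so a timing oracle cannot leak the expected MAC byte by byte."""
    ts_raw = headers.get(TS_HEADER)
    presented = headers.get(SIG_HEADER, "")
    if ts_raw is None or not presented:
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign_payload(secret, ts, body)
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


def handle_webhook(secret: bytes, headers: Mapping[str, str], body: bytes, now: int) -> dict:
    """Only a verified body is parsed; unverified bytes never reach json.loads."""
    ok, reason = verify_webhook(secret, headers, body, now)
    if not ok:
        return {"accepted": False, "reason": reason}
    event = json.loads(body)
    return {"accepted": True, "event": event.get("event")}


def demo() -> dict:
    """Constructed scenarios: a genuine delivery, a body edited in transit, a replay, and a spoof."""
    now = 1_800_000_000  # fixed receiver clock so the example is deterministic
    body = json.dumps({"event": "verification.completed",
                       "verification_id": "ver_demo", "status": "clear"}).encode()
    good = build_headers(WEBHOOK_SECRET, now, body)
    tampered_body = body.replace(b'"clear"', b'"consider"')      # attacker flips the outcome
    stale = build_headers(WEBHOOK_SECRET, now - 3600, body)      # captured an hour ago, replayed
    spoof = build_headers(b"attacker-guessed-secret", now, body)  # attacker without the secret
    return {
        "genuine": handle_webhook(WEBHOOK_SECRET, good, body, now),
        "tampered": handle_webhook(WEBHOOK_SECRET, good, tampered_body, now),
        "replayed": handle_webhook(WEBHOOK_SECRET, stale, body, now),
        "spoofed": handle_webhook(WEBHOOK_SECRET, spoof, body, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} {result}")
```

Two things to check in the real receivers: the framework must hand the verifier the exact bytes the vendor signed (reading the request as parsed JSON and re-serialising it will not round-trip), and the replay window only helps if the receiver also de-duplicates event IDs within that window, since a captured delivery is valid for the full five minutes.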

T: Tampering

| Threat | Mitigation | Status |
|---|---|---|
| Audit log tampering | Hash-chained append-only + S3 Object Lock COMPLIANCE | LIVE |
| Source receipt tampering | Hash-binding to audit log row; S3 versioning | LIVE |
| PHI database column tampering | pgcrypto column encryption + DB-level audit | PARTIAL (encryption LIVE; DB-level audit logging PARTIAL) |
| Worker document tampering pre-upload | Worker-side risk; mitigation via OCR + cross-source verification | LIVE |
| In-transit tampering | TLS 1.3 mandatory | LIVE |
| Backup tampering | RDS automated snapshots; S3 Object Lock on audit | LIVE |

R: Repudiation

| Threat | Mitigation | Status |
|---|---|---|
| Hospital denies a privileging decision they made | Audit log captures actor + decision + timestamp + hash; HUMAN actor required on every regulated decision | LIVE |
| Worker denies uploading a document | Audit log captures upload event + Persona IAL2-bound actor | LIVE |
| Vendor denies a verification result | Source receipt captures source name + URL + timestamp + hash | LIVE |
| AI advisory used to claim a human didn't decide | Doctrine: AI operates the workflow, source systems prove the facts, humans make every regulated decision; AI advisory referenced but never the actor, human actor field always populated | LIVE (architectural rule) |
| Compliance officer denies BAA change | BAA execution events logged in audit chain | LIVE |
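
The Tampering table's hash-chained append-only log and the Repudiation table's "human actor required, AI only referenced" rule are the same mechanism seen from two sides, so one added example covers both. It is not Rōvn's ledger code; it is an in-memory sketch that shows what the chain actually proves: each row commits to its predecessor's hash and to a receipt hash, so editing a row, re-hashing an edited row, or dropping a row all fail verification at a specific index, and an attempt to record the AI as the actor is refused at write time. Field names, actor identifiers and the events are constructed for the example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash of the first row
# Content fields that the row hash commits to (prev_hash is mixed in separately).
HASHED_FIELDS = ("seq", "actor", "action", "subject", "timestamp", "ai_advisory_id", "receipt_hash")


@dataclass(frozen=True)
class AuditRow:
    seq: int
    actor: str                      # always a human principal; the AI is never the actor
    action: str
    subject: str
    timestamp: str
    ai_advisory_id: Optional[str]   # advisory that informed the decision, referenced only
    receipt_hash: Optional[str]     # hash of the source receipt bound to this row, if any
    prev_hash: str
    row_hash: str


def canonical_body(fields: dict) -> bytes:
    """Canonical JSON of the hashed fields so the digest is deterministic."""
    return json.dumps({k: fields[k] for k in HASHED_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()


def row_hash_of(prev_hash: str, body: bytes) -> str:
    """Committing to the predecessor's hash is what makes the chain tamper-evident."""
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


class AuditLedger:
    """Append-only in memory; the page's real ledger also lands in S3 under Object Lock."""

    def __init__(self) -> None:
        self._rows: List[AuditRow] = []

    def append(self, *, actor: str, action: str, subject: str, timestamp: str,
               ai_advisory_id: Optional[str] = None, receipt_hash: Optional[str] = None) -> AuditRow:
        # Architectural rule from the page: a regulated decision needs a human actor.
        if not actor or actor.startswith("ai:"):
            raise ValueError("regulated decisions require a human actor; AI may only be referenced")
        prev = self._rows[-1].row_hash if self._rows else GENESIS_HASH
        fields = dict(seq=len(self._rows), actor=actor, action=action, subject=subject,
                      timestamp=timestamp, ai_advisory_id=ai_advisory_id, receipt_hash=receipt_hash)
        row = AuditRow(prev_hash=prev, row_hash=row_hash_of(prev, canonical_body(fields)), **fields)
        self._rows.append(row)
        return row

    def rows(self) -> List[AuditRow]:
        return list(self._rows)


def verify_chain(rows: List[AuditRow]) -> Tuple[bool, Optional[int]]:
    """Walk the chain; (True, None) if intact, else (False, index of the first bad row)."""
    prev = GENESIS_HASH
    for i, r in enumerate(rows):
        if r.seq != i or r.prev_hash != prev or row_hash_of(prev, canonical_body(asdict(r))) != r.row_hash:
            return False, i
        prev = r.row_hash
    return True, None


def demo() -> dict:
    """Constructed events: two decisions, then tampering attempts against the exported rows."""
    ledger = AuditLedger()
    ledger.append(actor="user:cmo@hospital-a.example", action="privilege.granted", subject="worker:wrk_1",
                  timestamp="2026-05-14T10:00:00Z", ai_advisory_id="adv_001",
                  receipt_hash=hashlib.sha256(b"constructed NPDB receipt").hexdigest())
    ledger.append(actor="user:cmo@hospital-a.example", action="privilege.denied", subject="worker:wrk_2",
                  timestamp="2026-05-14T10:05:00Z")
    rows = ledger.rows()
    # 1. Edit a row in place without touching its hash.
    edited = list(rows)
    edited[0] = replace(rows[0], actor="user:someone-else@hospital-a.example")
    # 2. Edit a row and recompute its hash: the next row's prev_hash no longer matches.
    recomputed = list(rows)
    recomputed[0] = replace(edited[0], row_hash=row_hash_of(GENESIS_HASH, canonical_body(asdict(edited[0]))))
    # 3. Try to make the AI the actor of record.
    try:
        ledger.append(actor="ai:executor", action="privilege.granted", subject="worker:wrk_3",
                      timestamp="2026-05-14T10:10:00Z")
        ai_actor_rejected = False
    except ValueError:
        ai_actor_rejected = True
    return {"intact": verify_chain(rows), "edited": verify_chain(edited),
            "recomputed": verify_chain(recomputed), "truncated": verify_chain(rows[1:]),
            "ai_actor_rejected": ai_actor_rejected}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

The chain on its own only proves internal consistency: an attacker with write access to the whole store can rewrite every row from the point of edit onward and the walk will pass. That is why the page pairs it with S3 Object Lock; in practice the head hash (or a periodic digest) should also be anchored somewhere the application's own role cannot modify, and the verifier should run from a separate role over the locked copy.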

I: Information Disclosure

| Threat | Mitigation | Status |
|---|---|---|
| PHI in error logs | Sentry scrubbing + CloudWatch scrubbing | LIVE |
| PHI in URL paths | URL design avoids PHI in paths; tokenized or worker-slug-based | LIVE |
| Worker A reading worker B's data | Worker authentication + per-row access control | LIVE |
| Hospital A reading worker data without consent | consent_events table TARGET; workflow-level access control LIVE; full UX TARGET | PARTIAL |
| Vendor data leakage (Sentry, Stripe) | PHI never flows to non-BAA vendors | LIVE |
| AI executor leakage | Anthropic BAA + ZDR; redaction layer for advisor where required | LIVE |
| MCP tool leakage | MCP lookup_rovn_passport tool is zero-PHI by design | LIVE |
| S3 misconfiguration | Bucket policies + Object Lock + IAM enforcement | LIVE |
| Internal access | IAM least-privilege + role audit logging | LIVE |

D: Denial of Service

| Threat | Mitigation | Status |
|---|---|---|
| Worker-side DDoS on public surface | Cloudflare DDoS protection | LIVE |
| API-level DoS | AWS WAF basic rules + per-customer rate limiting | PARTIAL |
| Vendor API rate limiting | reverify_scheduler.py backoff + retry queue | LIVE |
| Database connection exhaustion | RDS instance sizing + connection pool tuning | LIVE |
| Audit log write storm | Append-only, bounded by ECS task count | LIVE |
| Verification queue backlog | Adapter retry queue + SLA target monitoring | PARTIAL |

E: Elevation of Privilege

| Threat | Mitigation | Status |
|---|---|---|
| Worker promoted to admin | RBAC enforced; admin role provisioning requires founder approval | LIVE |
| Hospital user A accessing facility B | Facility workflow layer tenant boundary in queries; per-row hospital_id filter | LIVE |
| ECS task role abuse | Least-privilege IAM policy per task role | LIVE |
| Container escape | Fargate isolation; no privileged containers | LIVE |
| SQL injection escalation | Parameterized queries via SQLAlchemy / asyncpg; no raw concat | LIVE |
| API token reuse across customers | Per-customer tokens; rotation on suspected exposure | LIVE |
| MCP token escalation | MCP tool scope is fixed; no token grants broader access | LIVE |
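
The per-row hospital_id filter and the parameterized-query rows above are one control, not two: the tenant predicate only holds if user input can never rewrite the WHERE clause. The following added example is not Rōvn's data layer (which the page says uses SQLAlchemy / asyncpg against RDS Postgres); it uses the standard-library sqlite3 module so it runs offline, with a constructed two-tenant dataset. It shows the scoped query returning nothing for another tenant's worker, the same query shrugging off an injected worker_id, and the concatenated anti-pattern returning every row of both hospitals for the same input.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Principal:
    """Session identity. hospital_id comes from the SSO-established session, never from the request."""
    user_id: str
    hospital_id: str


def make_db() -> sqlite3.Connection:
    """Constructed two-tenant dataset in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE privileging_decisions ("
        " id INTEGER PRIMARY KEY, hospital_id TEXT NOT NULL,"
        " worker_id TEXT NOT NULL, decision TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO privileging_decisions (hospital_id, worker_id, decision) VALUES (?, ?, ?)",
        [("hosp_A", "wrk_1", "granted"), ("hosp_A", "wrk_2", "pending"), ("hosp_B", "wrk_3", "granted")],
    )
    conn.commit()
    return conn


def decisions_for_worker(conn: sqlite3.Connection, principal: Principal,
                         worker_id: str) -> List[Tuple[str, str, str]]:
    """Tenant-scoped read: the hospital_id predicate is supplied from the session on every
    query, and the caller-controlled worker_id is bound as a parameter, so it is data, not SQL."""
    cur = conn.execute(
        "SELECT hospital_id, worker_id, decision FROM privileging_decisions"
        " WHERE hospital_id = ? AND worker_id = ?",
        (principal.hospital_id, worker_id),
    )
    return cur.fetchall()


def decisions_for_worker_unsafe(conn: sqlite3.Connection, principal: Principal,
                                worker_id: str) -> List[Tuple[str, str, str]]:
    """Anti-pattern kept for contrast only: concatenation lets a crafted worker_id rewrite the
    WHERE clause, and with it the tenant boundary the hospital_id filter was meant to enforce."""
    sql = (
        "SELECT hospital_id, worker_id, decision FROM privileging_decisions"
        f" WHERE hospital_id = '{principal.hospital_id}' AND worker_id = '{worker_id}'"
    )
    return conn.execute(sql).fetchall()


def demo() -> dict:
    """Hospital A user reads own data, tries hospital B's worker, then sends an injected worker_id."""
    conn = make_db()
    alice = Principal(user_id="user:alice", hospital_id="hosp_A")
    # Becomes:  WHERE hospital_id = 'hosp_A' AND worker_id = '' OR '1'='1'
    # AND binds tighter than OR, so the tenant predicate is bypassed for every row.
    injected = "' OR '1'='1"
    return {
        "own_tenant": decisions_for_worker(conn, alice, "wrk_1"),
        "other_tenant": decisions_for_worker(conn, alice, "wrk_3"),
        "injection_parameterized": decisions_for_worker(conn, alice, injected),
        "injection_concatenated": decisions_for_worker_unsafe(conn, alice, injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} {rows}")
```

With SQLAlchemy the equivalent discipline is to apply the hospital_id predicate in one repository layer rather than in each handler, and to keep a test that fails if any query against a tenant-scoped table is built without it; the "no raw concat" rule is what keeps that predicate meaningful.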

3. Top residual risks (honest)

  1. consent_events UX not fully shipped. Workflow-level access control covers most paths; user-facing consent surface is TARGET. Mitigation: design-partner pilots run under negotiated BAA terms that cover the gap.
  2. Per-customer rate limiting incomplete. AWS WAF rules are basic. Mitigation: per-source authority cadence already enforced; broader API rate limiting targeted for Q3 2026.
  3. PARTIAL ai_runs coverage. Some executor paths do not yet write to the ledger. Mitigation: completion in the Months 0-6 roadmap. No external trust impact today, because the executor BAA is the legal protection layer.
  4. Pentest not yet performed. Mitigation: scheduled for Q4 2026; Drata SOC 2 Type II evidence collection runs in parallel as a partial control until then.

4. Threat model review cadence

  • Quarterly review owned by Christian Montgomery (COO), with Abhishek Jha (CTO) on architecture surfaces
  • New surfaces (e.g., EHR integration) trigger ad-hoc threat model addition
  • Engineering-support partner reviews threat model annually

End of threat model.

AI queries on this page route through AWS Bedrock under BAA → Anthropic Claude Haiku 4.5 under BAA → Rōvn ECS under BAA (see 07.3 AI Architecture). Haiku 4.5 was chosen for cost, latency and the BAA chain; zero-data-retention posture; no PHI in prompts.