End Users
👤 Clinical Users
Study Managers, Data Managers, Biospecimen Coordinators
Browser-based access (React SPA)
🔐 Admin Users
System Administrators, IT Security
User management via Cognito console
🔗 Enterprise SSO
Federated via Cognito
Auth0, Okta, Azure AD, ADFS
SAML 2.0 / OIDC
Edge / CDN
☁️ Cloudflare CDN
SSL/TLS termination at edge
Global CDN & DDoS protection
Origin: HTTPS :443
TLS TERMINATED
🔒 Cloudflare SSL
Domain: *.specigen.bio
Universal SSL certificate
Full (Strict) mode enabled
MANAGED CERT
🌐 Cloudflare DNS
*.specigen.bio
Proxied A/CNAME → EC2 origin
Authoritative DNS
AMAZON VPC — PRIVATE NETWORK
Compute Layer
⚙️ Amazon EC2 Instance
t4g (ARM/Graviton) • Private subnet • IAM Instance Profile • Security Group: restricted ingress/egress
📂 Nginx (Reverse Proxy)
TLS termination (port 443)
Serves React SPA (static build)
Proxies /api/* → localhost:8080
Gzip compression enabled
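The reverse proxy card above, written out as an added example nginx configuration (this is not the SpeciGen project's own config). It terminates TLS on port 443 with TLS 1.2+ only, serves the React build from an assumed document root, forwards /api/* to the Spring Boot application on localhost:8080 with the URI unchanged so the /api context path is preserved, and enables gzip. The hostname, certificate paths, document root and upload size cap are placeholders.

```nginx
# Added example, not the project's own configuration.
# Assumed placeholders: SPA build in /var/www/specigen, origin certificate and key
# in /etc/nginx/tls/, hostname app.specigen.bio under the *.specigen.bio zone.

server {
    listen 80;
    server_name app.specigen.bio;           # placeholder hostname
    return 301 https://$host$request_uri;   # the origin only speaks TLS
}

server {
    listen 443 ssl;
    server_name app.specigen.bio;

    # Cloudflare "Full (Strict)" validates this certificate, so it must be
    # trusted by Cloudflare and valid for the hostname (assumed paths).
    ssl_certificate     /etc/nginx/tls/origin.crt;
    ssl_certificate_key /etc/nginx/tls/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;    # matches the "TLS 1.2+" row of the matrix
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;

    gzip on;
    gzip_types text/plain text/css application/json application/javascript image/svg+xml;

    root  /var/www/specigen;                # assumed location of the React static build
    index index.html;

    # API traffic: pass /api/... through unchanged to Spring Boot (context path /api).
    location /api/ {
        proxy_pass         http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        client_max_body_size 50m;           # assumed cap for CSV/Excel/PDF/SAS uploads
    }

    # SPA routes: serve static files, fall back to index.html for client-side paths.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Never serve dotfiles (.env, .git, ...) that may sit under the document root.
    location ~ /\. {
        deny all;
    }
}
```

Because requests reach the origin through Cloudflare, $remote_addr is the edge address rather than the end user's. If audit records must attribute actions to a client IP, configure ngx_http_realip_module (set_real_ip_from for Cloudflare's published ranges and real_ip_header CF-Connecting-IP) and keep the EC2 security group limited so only Cloudflare can reach port 443; otherwise a client that bypasses the CDN could supply its own value for that header.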
☕ Spring Boot Application
Port: 8080 • Context: /api
Java 17+ runtime
HikariCP connection pool (5-20)
Flyway DB migrations
JDBC/SSL (port 5432, TLS)
Data Layer
🗃 Amazon RDS (PostgreSQL)
Engine: PostgreSQL 15
Instance: t4g (ARM/Graviton)
Private subnet — not publicly accessible
Automated backups enabled
ENCRYPTED AT REST (KMS)
ENCRYPTED IN TRANSIT (TLS)
📦 Amazon S3
Uploads Bucket
File uploads (CSV, Excel, PDF, SAS)
Deployments Bucket
Build artifacts & deployment packages
SSE-S3 (AES-256)
HTTPS IN TRANSIT
↑ EC2 calls via HTTPS ↓
Security, Identity & Secrets — called by EC2
🔐 Amazon Cognito
User Pool with password policy
Auth: Email + Password
Hosted UI with custom domain
OAuth 2.0 / OIDC flows
HTTPS
🔗 SSO Federation (via Cognito)
Cognito as federation broker
SAML 2.0 identity providers:
• Auth0
• Okta
• Azure Active Directory
• ADFS / On-prem LDAP
SAML 2.0 / OIDC
🔑 AWS Secrets Manager
Database credentials
Cognito configuration
S3 storage configuration
API keys (OpenAI, integrations)
Automatic rotation capable
ACTIVE
🔏 AWS KMS
RDS encryption key
S3 encryption key
Secrets Manager encryption
AWS-managed, auto-rotating
ACTIVE
HTTPS | EC2 outbound API calls
External Services
🤖 OpenAI API
Ask SpeciGen query processing
Reconciliation intelligence
Anomaly classification
HTTPS
📈 Analytics (Future)
Tableau / Spotfire integration
Embedded dashboards
Export: CSV, Excel, PDF
PLANNED
📧 EDC Systems (Future)
Medidata Rave, Veeva Vault, REDCap
Direct API integration
Currently: file-based import
PLANNED
🔒 Encryption Status — HIPAA Compliance Matrix
| Connection | In Transit | At Rest | Protocol | Status |
|---|---|---|---|---|
| User ↔ Cloudflare | ✓ Encrypted | N/A | TLS 1.2+ | COMPLIANT |
| Cloudflare ↔ EC2 (Nginx) | ✓ Encrypted | N/A | HTTPS :443 | COMPLIANT |
| EC2 ↔ RDS (PostgreSQL) | ✓ Encrypted | ✓ KMS (AES-256) | JDBC/SSL :5432 | COMPLIANT |
| EC2 ↔ S3 | ✓ Encrypted | ✓ SSE-S3 (AES-256) | HTTPS | COMPLIANT |
| EC2 ↔ Cognito | ✓ Encrypted | N/A | HTTPS | COMPLIANT |
| EC2 ↔ Secrets Manager | ✓ Encrypted | ✓ KMS | HTTPS | COMPLIANT |
| EC2 ↔ OpenAI API | ✓ Encrypted | N/A | HTTPS | COMPLIANT |
| Cognito ↔ IdPs (SAML) | ✓ Encrypted | N/A | SAML 2.0 / HTTPS | COMPLIANT |
📋 HIPAA Security Rule — Key Controls
- ✓ Encryption in transit — all connections TLS 1.2+
- ✓ Encryption at rest — RDS (KMS), S3 (SSE-S3)
- ✓ End-to-end encryption — Cloudflare → Nginx → RDS
- ✓ Secrets Manager — credentials managed, no plaintext on disk
- ✓ Authentication — Cognito with password policy
- ✓ SAML 2.0 federation — Enterprise SSO via Auth0
- ✓ Role-based access control (RBAC)
- ✓ Audit logging — all user actions timestamped & attributed
- ✓ 21 CFR Part 11 — e-signatures, audit trails
- ✓ VPC isolation — RDS not publicly accessible
- ✓ Security groups — restricted inbound/outbound
- ✓ IAM instance profile — no static credentials on EC2
- ✓ KMS key management — AWS-managed encryption keys
Legend
COMPLIANT: Encrypted & secure
SpeciGen Platform Architecture — Confidential
February 2026