Data Backup & Recovery

Shepherd continuously backs up and encrypts practice data, allowing recovery to within minutes of any point in the last 30 days.

Updated this week

Purpose

This article explains how Shepherd protects your practice data, including backup frequency, storage methods, and recovery capabilities.

It helps practices understand how patient records, financial data, and documents are continuously secured and what to expect in the event of an outage or recovery scenario.

Overview

We know your practice data is critical: patient records, client information, financial history, documents, and images all live in Shepherd. This article explains how we protect that data, how often it’s backed up, and what recovery looks like if something goes wrong.

The short version: your data is backed up continuously, encrypted at all times, and recoverable to within minutes of any point in the last 30 days.


What Gets Backed Up

Practice Database (Patient Records, Clients, Financials, SOAP Notes, etc.)

This is the core of your practice data: everything you enter into Shepherd day-to-day.

  • Backup type: Continuous automated backups with daily snapshots

  • Frequency: Continuous. Every transaction is captured as it happens, with a full snapshot taken daily during an off-peak maintenance window.

  • Retention: 30 days. We can restore the database to any point in time within the last 30 days, generally down to the second.

  • Encryption: All database backups are encrypted at rest using industry-standard AES-256 encryption. Data is also encrypted in transit between your browser and our servers.

  • Redundancy: Our production databases run in a Multi-AZ (Multiple Availability Zone) configuration. In plain terms, this means an identical copy of your database is maintained in a physically separate data center at all times. If one data center has a hardware failure or outage, the system automatically fails over to the standby copy, typically within seconds, with no data loss.

Additionally, we take manual snapshots before any planned maintenance or system updates as an extra safety measure.

Files & Documents (Images, Attachments, Uploads)

This includes any files you upload to Shepherd: radiographs, lab PDFs, consent forms, photos, documents, and other attachments.

  • Backup type: Versioned object storage on Amazon S3

  • Frequency: Every time a file is uploaded or modified, the previous version is automatically preserved.

  • Retention: File versions are retained indefinitely. If a file is accidentally overwritten, earlier versions can be recovered.

  • Durability: Your files are stored with 99.999999999% durability (that’s eleven nines). To put that in perspective, if you stored 10 million files, you could statistically expect to lose a single file once every 10,000 years.

  • Encryption: All files are encrypted at rest and in transit.

Application Servers

The servers that run the Shepherd application are backed up daily and can be restored or rebuilt quickly in the event of a failure.

  • Backup type: Full server image (AMI) snapshots via AWS Backup

  • Frequency: Daily

  • Retention: 10 days

  • Redundancy: Application servers are distributed across multiple availability zones for high availability.
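One way to verify that a deployment actually has the database and file-storage properties this section describes (30-day point-in-time retention, Multi-AZ, encryption at rest, S3 versioning with default server-side encryption). This is an added example, not Shepherd's own code; it assumes inputs shaped like boto3 responses from rds.describe_db_instances(), s3.get_bucket_versioning() and s3.get_bucket_encryption(), and all identifiers and sample responses are constructed.

```python
"""Backup-policy checks for the settings described above (added example,
not Shepherd's code). Inputs are assumed to have the shape of boto3 responses
from rds.describe_db_instances(), s3.get_bucket_versioning() and
s3.get_bucket_encryption(); all sample data below is constructed."""
from typing import Dict, List

DB_RETENTION_DAYS = 30  # point-in-time restore window the article states


def check_rds_instance(inst: Dict) -> List[str]:
    """Return policy findings for one DB instance (empty list = compliant)."""
    name = inst.get("DBInstanceIdentifier", "?")
    findings = []
    # BackupRetentionPeriod is the automated-backup window that bounds PITR.
    if inst.get("BackupRetentionPeriod", 0) < DB_RETENTION_DAYS:
        findings.append(f"{name}: backup retention below {DB_RETENTION_DAYS} days")
    # Multi-AZ covers AZ/hardware failure; PITR covers bad writes and deletes,
    # so both are required.
    if not inst.get("MultiAZ", False):
        findings.append(f"{name}: not Multi-AZ")
    # StorageEncrypted also determines whether automated backups are encrypted.
    if not inst.get("StorageEncrypted", False):
        findings.append(f"{name}: storage and backups not encrypted at rest")
    return findings


def check_s3_bucket(name: str, versioning: Dict, encryption: Dict) -> List[str]:
    """Return policy findings for one bucket: versioning on, SSE by default."""
    findings = []
    # 'Status' is absent until versioning has ever been enabled on the bucket.
    if versioning.get("Status") != "Enabled":
        findings.append(f"{name}: object versioning not enabled")
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append(f"{name}: no default server-side encryption")
    return findings


# Constructed sample responses (hypothetical identifiers, not real resources).
SAMPLE_DB_OK = {"DBInstanceIdentifier": "practice-db", "BackupRetentionPeriod": 30,
                "MultiAZ": True, "StorageEncrypted": True}
SAMPLE_DB_WEAK = {"DBInstanceIdentifier": "legacy-db", "BackupRetentionPeriod": 7,
                  "MultiAZ": False, "StorageEncrypted": True}
SAMPLE_VERSIONING_OK = {"Status": "Enabled"}
SAMPLE_ENCRYPTION_OK = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
```

Running the checks against live responses is a matter of replacing the sample dicts with the output of the corresponding boto3 calls; an empty findings list for every resource means the configuration matches what the article describes.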


RPO and RTO - What They Mean and Where We Stand

If you’ve been researching backup and disaster recovery, you may have come across the terms RPO and RTO. Here’s what they mean and how Shepherd stacks up.

RPO - Recovery Point Objective

“How much data could we lose?”

RPO measures the maximum amount of data (in time) that could be lost in a worst-case recovery scenario. An RPO of 1 hour means that in the worst case, you might lose up to 1 hour of work.

Shepherd’s RPO: Minutes.
Because our database backups are continuous (not just nightly), we can restore to within minutes of a failure. If something catastrophic happened at 2:15 PM, we could recover your data up to approximately 2:14 PM or later, not just last night's backup.

RTO - Recovery Time Objective

“How long until we’re back up?”

RTO measures how long it takes to restore service after an outage. This isn't how long it takes us to notice (our monitoring alerts us to issues within seconds); it's how long the actual recovery takes.

Shepherd’s RTO: Approximately 120 minutes, depending on the type of failure.

  Scenario                               Typical Recovery Time
  Single server failure                  Seconds to minutes (automatic failover)
  Database availability zone failure     Seconds (automatic Multi-AZ failover)
  Application issue requiring restart    5–15 minutes
  Full database restore from backup      30–60 minutes in practice

Most outages fall into the first two categories, where recovery is automatic and near-instantaneous. A full database restore is rare and represents the outer bound.

Encryption Summary

  Layer                 At Rest              In Transit
  Database              AES-256 encrypted    TLS encrypted
  File Storage          AES-256 encrypted    TLS encrypted
  Cache                 AES-256 encrypted    TLS encrypted
  Application Servers   Encrypted (EBS)      TLS encrypted

All communication between your browser and Shepherd is encrypted via TLS. All stored data, whether in the database, file storage, or backups, is encrypted at rest.

What Happens During an Outage

Shepherd is a platform; if we're down, it affects all practices, and bringing the platform back is our top priority. Here's what a typical incident looks like from our side:

  1. Detection - Automated monitoring detects the issue and alerts our engineering team, usually within seconds.

  2. Assessment - We determine the scope and cause. Automated failover handles most infrastructure failures without human intervention.

  3. Communication - We update our status page so you know what’s happening.

  4. Recovery - Depending on the issue, this may be automatic (failover), quick (restart/redeploy), or more involved (backup restore).

  5. Verification - Before declaring the issue resolved, we verify data integrity and system stability.

Our infrastructure is hosted entirely on Amazon Web Services (AWS), one of the world’s largest and most reliable cloud platforms, in a dedicated region with multiple physically separated data centers.


Frequently Asked Questions

Can I request a backup of my data?
If you need an export of your practice data, that’s a separate process from our system backups. Please contact support and we’ll walk you through your options.

How do I know backups are actually working?
Our automated monitoring continuously verifies backup health. Backup failures trigger immediate alerts to our engineering team. We also take manual pre-maintenance snapshots as an additional safeguard.

Is my data isolated from other practices?
Yes. Each practice’s data is logically isolated within our database architecture. One practice cannot access another practice’s data.

What about ransomware or security incidents?
Because our backups are managed by AWS and are separate from the application servers, a compromise of the application layer would not affect our ability to restore from backups. Our 30-day retention window gives us a wide range of clean restore points.

Do you test your backups?
Yes. Database restores are performed as part of routine operations (e.g., creating QA/staging environments from production snapshots), which continuously validates that our backups are functional and complete.