Choosing between Convex and AWS for a HIPAA-compliant healthcare app is a decision framework, not a verdict on which platform is better engineered. The backend you pick is three commitments at once: a compliance posture, a cost structure, and a scalability ceiling.
Get the match wrong and the failure shows up in one of a few shapes. You re-platform under pressure when an enterprise health-system customer’s security review surfaces requirements your stack can’t meet. You open a bill that runs several times what you modeled. Or you discover a gap in your business associate agreement chain the week before that same review, with no time to close it.
AWS is still the default for healthcare, holding roughly a quarter of cloud infrastructure and covering well over a hundred HIPAA-eligible services. Convex is the developer-loved newcomer, now with an open-source backend, but its healthcare compliance story is younger.
Neither fact settles your decision. Convex is genuinely right for some clinical use cases and genuinely wrong for others. AWS is right for most enterprise health-system deployments but carries configuration complexity and DevOps cost that early teams routinely underestimate. At its core it’s a startup vs enterprise call, and this piece is the framework for telling which situation is yours.
Should I use Convex or AWS for a HIPAA-compliant healthcare app?
Use Convex if you’re a small team building consumer health, real-time care coordination, or telehealth at mid-scale and want zero DevOps; it signs a BAA on Professional and above. Choose AWS if you need FHIR or EHR integration, enterprise health-system deployment, FDA-regulated SaMD, or high-volume continuous clinical data. Match the platform to your clinical use case and data volume, not to which one is technically better.
Key takeaways
- The question to answer is which set of tradeoffs fits your customers, your team’s DevOps capacity, and your clinical data volume. Technical quality isn’t the deciding axis.
- Convex suits small teams shipping consumer or care-coordination products at mid-scale, plus real-time tools where zero DevOps and shipping speed matter most. AWS suits products headed into enterprise health-system procurement, FHIR and EHR integration, high-volume continuous clinical data, or FDA-regulated software as a medical device.
- The expensive mistake is choosing Convex for a use case that will eventually require enterprise health-system deployment, then re-platforming after the first sales cycle. Model cost at your real data volume and match the platform to the clinical use case before writing infrastructure code.
Convex and AWS aren’t the same category, and that decides everything else
Most of the confusion in this comparison comes from treating Convex and AWS as competing options on the same shelf. They aren’t. They sit at different layers of the stack, and that gap shapes every choice that follows about your healthcare app backend infrastructure.
Convex is a fully managed, opinionated backend
One system gives you a Convex database, Convex serverless functions, file storage, scheduling, and reactive real-time subscriptions, all written in TypeScript. This is backend as a service taken to its logical end: a full-stack platform where you don’t provision a serverless database or maintain infrastructure-as-code for the Convex layer, and the pieces come wired together instead of needing glue.
The data model is document-based rather than SQL, which shapes how you express a clinical data model, transactions are ACID, and the platform is deliberately prescriptive: the team that built it made the hard backend decisions so you don’t have to. One detail matters for the rest of this comparison: Convex runs on AWS under the hood, so you’re on AWS infrastructure either way, just abstracted behind a managed backend.
AWS is a general-purpose cloud
It offers more than a hundred HIPAA-eligible services, and a healthcare app is assembled from the constituent parts: RDS or DynamoDB for data, Lambda or ECS for compute, Cognito for auth, SNS or SQS for messaging and queues, CloudTrail for audit logging, KMS for keys, HealthLake for FHIR. AWS hands you components and the AWS Well-Architected Framework to reason about them. You supply the architecture, the configuration, and the integration.
That difference is the classic build versus buy split. Convex gives you velocity and zero operations at the cost of an opinionated, proprietary data model. AWS gives you flexibility and enterprise depth at the cost of configuration complexity and a compliance responsibility you share rather than hand off. This single distinction cascades through everything downstream:
- your compliance model,
- your cost structure,
- your scalability ceiling,
- your path to EHR integration,
- and the size and shape of the team you need to run it.
Whether you’re weighing HIPAA compliant app development for a consumer product or full-scale healthcare app development for hospital networks, this is the fork that frames the rest.
Convex vs AWS, scored on the dimensions a clinical app actually needs
The matrix below scores both platforms on the dimensions that decide whether a clinical app ships, passes review, and stays affordable. Generic developer-experience points sit this one out. Whether Convex is HIPAA compliant enough for your build depends less on any single row than on which rows are load-bearing for your use case.
| Dimension | Convex | AWS | Healthcare verdict |
| BAA availability | Included on Professional and above ($25/dev/mo); Free and Starter exclude it | Free, self-service via AWS Artifact, covering 150+ HIPAA-eligible services | Both sign a BAA; AWS covers far more surface, Convex gates it behind a paid tier |
| BAA coverage specificity | Covers the Convex platform only; third-party services need their own BAAs | Covers eligible services used in designated HIPAA accounts, not your config | Neither covers your application layer; scope the chain yourself |
| Encryption at rest | AES-256, per-customer DB isolation | KMS, customer-managed keys available | Parity on the basics; AWS exposes key custody you control |
| Audit logging | Standard built-in on Professional; custom SIEM-integrated on Business and Enterprise | CloudTrail, fully configurable, exportable | AWS wins where auditors expect field-level, exportable trails |
| Access controls | Function-level auth in TypeScript | IAM, fine-grained and role-based | AWS for complex clinical RBAC; Convex simpler but coarser |
| FHIR / EHR integration | No native FHIR or HL7; build it on the document model | HealthLake (native FHIR R4, SMART on FHIR) | AWS is the clear choice for anything FHIR-bound |
| Real-time subscriptions | Reactive queries, best-in-class, no extra infrastructure | AppSync or API Gateway with websockets, assembled and managed | Convex wins decisively for live multi-client clinical UIs |
| Scalability ceiling | High, but metering scales with data access | Effectively unbounded with reserved capacity | AWS for high-volume continuous data; Convex fine at mid-scale |
| DevOps overhead | Near zero; no infrastructure to operate | Substantial; you architect, configure, and maintain | Convex for teams without dedicated DevOps |
| Cost model | Per-seat ($25/dev/mo) plus metered overage on function calls, DB I/O, and egress | Pay-per-use (DynamoDB reads/writes, Lambda, storage) with reserved-capacity discounts | Convex cheaper at mid-scale; AWS optimizable at high volume |
| Vendor lock-in | Moderate to high; opinionated model, but the backend is open-source and self-hostable | Low to moderate; portable patterns, deep service coupling in practice | Convex’s open-source backend is a real lock-in hedge |
Use this as the map; the compliance and cost deep-dives below are where the consequential rows get their full treatment.
The compliance delta: what each platform leaves you to build
The phrase “HIPAA compliant” describes a platform’s capabilities. Your application is a separate question. Both Convex and AWS give you compliant building blocks; neither makes your app compliant on its own.
The gap between what the platform handles and what it leaves to you is where most teams underestimate the work, so here is the delta laid out in four quadrants. If you want the full architectural treatment, our guide to HIPAA compliant software development goes deeper than this comparison can.
What Convex handles for you
On the infrastructure side, Convex covers the fundamentals: AES-256 encryption at rest, encryption in transit via TLS, infrastructure hardening, backups, per-customer database isolation, baseline access controls, and SOC 2 Type II attestation.
Sign the platform-level business associate agreement (BAA), available on Professional and above, and Convex’s own obligations as a business associate are covered. Whether Convex is HIPAA-ready at the infrastructure layer is not in question; that part is solid.
What Convex leaves to you
This quadrant is where the real scope hides. Convex logs function calls, not row-level or field-level protected health information (PHI) access, so the field-level audit trail that the HIPAA Security Rule expects under 45 CFR 164.312(b) is yours to build.
So are separate BAAs for every third-party service that touches PHI:
- an auth provider like Clerk or Auth0,
- messaging through Twilio or SendGrid,
- any document-AI vendor.
FHIR compliance is yours, because there’s no native FHIR. Minimum-necessary access enforcement at the data layer, plus emergency break-glass access, are application-layer controls Convex doesn’t provide. None of this is a knock on the platform; it’s simply the boundary of what a managed backend can own.
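One way to build the application-layer controls named above (minimum-necessary field filtering, break-glass access, and a field-level audit trail), shown as an added example that is not Convex's or this article's own code. It is plain TypeScript with no Convex imports; the roles, field policy, function names, and sample patient are all constructed assumptions.

```typescript
// Added example: hypothetical names throughout; none of this is a Convex API.
type Role = "scheduler" | "nurse" | "physician";
type PhiField = "name" | "dob" | "appointment" | "diagnosis" | "medications";
type Patient = Record<PhiField, string>;
type Outcome = "allowed" | "denied" | "break-glass";

// Minimum-necessary policy (assumed): fields each role may read routinely.
const FIELD_POLICY: Record<Role, PhiField[]> = {
  scheduler: ["name", "appointment"],
  nurse: ["name", "dob", "appointment", "medications"],
  physician: ["name", "dob", "appointment", "diagnosis", "medications"],
};

// Constructed sample record standing in for the database.
const PATIENTS: { [id: string]: Patient } = {
  "p-100": {
    name: "Ana Example",
    dob: "1980-01-01",
    appointment: "2030-05-01T09:00Z",
    diagnosis: "constructed-dx",
    medications: "constructed-rx",
  },
};

interface AccessRequest {
  actor: string;
  role: Role;
  patientId: string;
  fields: PhiField[];
  breakGlassReason?: string; // free-text justification for emergency access
}

interface AuditEntry {
  at: string; // ISO 8601 timestamp
  actor: string;
  role: Role;
  patientId: string;
  field: PhiField;
  outcome: Outcome;
  reason?: string;
}

// Returns only the fields the caller may see and appends one audit entry
// per requested field, including denials, before any value is released.
function readPatient(req: AccessRequest, log: AuditEntry[]): Partial<Patient> {
  const known = Object.prototype.hasOwnProperty.call(PATIENTS, req.patientId);
  const record = known ? PATIENTS[req.patientId] : undefined;
  if (record === undefined) throw new Error("unknown patient: " + req.patientId);

  const routine = FIELD_POLICY[req.role];
  const reason = (req.breakGlassReason || "").trim();
  const released: Partial<Patient> = {};

  for (const field of req.fields) {
    let outcome: Outcome = "denied";
    if (routine.indexOf(field) !== -1) outcome = "allowed";
    else if (reason !== "") outcome = "break-glass"; // emergency override, always flagged

    const entry: AuditEntry = {
      at: new Date().toISOString(),
      actor: req.actor, role: req.role, patientId: req.patientId, field, outcome,
    };
    if (outcome === "break-glass") entry.reason = reason;
    log.push(entry);

    if (outcome !== "denied") released[field] = record[field];
  }
  return released;
}

// Break-glass entries are the ones a privacy officer reviews after the fact.
function breakGlassEvents(log: AuditEntry[]): AuditEntry[] {
  return log.filter((e) => e.outcome === "break-glass");
}
```

In production the log would go to append-only storage rather than an in-memory array, so that the trail cannot be edited by the same code path that reads PHI.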
What AWS handles, with correct configuration
Configured properly, AWS gives you:
- CloudTrail for audit logging,
- KMS with customer-managed keys,
- VPC isolation,
- IAM role-based access,
- and HealthLake for FHIR R4.
The capabilities are enterprise-grade and demonstrable to auditors. The operative words are “with correct configuration.”
What AWS leaves to you
Default settings are not compliant, and a misconfigured S3 bucket, IAM policy, or RDS instance lands on you as a HIPAA problem. Amazon doesn’t own that. That’s the shared responsibility model in practice.
You also own BAA chain management: the BAA covers eligible services only, and several common ones are not eligible, including Lightsail, Amplify, and Chime. Trickier still are feature-level exclusions on otherwise-eligible services, where a specific capability like SageMaker Studio Lab or Ground Truth Plus sits outside the covered scope.
The HIPAA Privacy Rule duties of minimum-necessary, consent, and patient rights, plus break-glass access and breach notification, remain yours regardless of how well the infrastructure is configured.
Builder Alert: Before production, audit your full PHI data flow against the current HIPAA-eligible services list, service by service. The list changes, so verify each one rather than trusting a list you saw last year, and watch for feature-level exclusions on services you assume are covered. The same discipline applies to any AI you add to the stack: our notes on ChatGPT HIPAA compliance and the broader picture of AI in healthcare compliance cover where those services fall.
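The service-by-service audit described above, together with the third-party BAA chain from the Convex section, can be run as a walk over your PHI data flow. This is an added example, not code from the article or from AWS: `auditPhiFlow` and its types are hypothetical names, and the inventory and flows are constructed, using only the exclusions the article itself names (Amplify, Chime, SageMaker Studio Lab).

```typescript
// Added example: the inventory and flows below are constructed; fill them
// from your own architecture and the current eligible-services list.
interface Service {
  name: string;
  coveredByBaa: boolean; // a signed BAA covers this service
  excludedFeaturesInUse: string[]; // features you use that sit outside that BAA
}
interface Flow { from: string; to: string }
interface Finding { service: string; issue: string; path: string }

const SERVICES: Service[] = [
  { name: "RDS", coveredByBaa: true, excludedFeaturesInUse: [] },
  { name: "Lambda", coveredByBaa: true, excludedFeaturesInUse: [] },
  { name: "SageMaker", coveredByBaa: true, excludedFeaturesInUse: ["Studio Lab"] },
  { name: "Twilio", coveredByBaa: true, excludedFeaturesInUse: [] }, // assumes its own BAA is signed
  { name: "Amplify", coveredByBaa: false, excludedFeaturesInUse: [] },
  { name: "Chime", coveredByBaa: false, excludedFeaturesInUse: [] },
];

const FLOWS: Flow[] = [
  { from: "RDS", to: "Lambda" },
  { from: "Lambda", to: "SageMaker" },
  { from: "Lambda", to: "Twilio" },
  { from: "Lambda", to: "Amplify" },
  { from: "Lambda", to: "doc-ai-vendor" }, // hypothetical vendor missing from the inventory
  { from: "marketing-site", to: "Chime" }, // never receives PHI
];

// Flags every service that PHI can reach, directly or transitively, and that
// lacks BAA coverage, uses an excluded feature, or is absent from the inventory.
function auditPhiFlow(services: Service[], flows: Flow[], phiSources: string[]): Finding[] {
  const byName: { [n: string]: Service } = Object.create(null);
  for (const s of services) byName[s.name] = s;

  // Breadth-first walk from the PHI sources; parent[] doubles as the visited set.
  const parent: { [n: string]: string | null } = Object.create(null);
  const queue: string[] = [];
  const reached: string[] = [];
  for (const src of phiSources) {
    if (parent[src] === undefined) { parent[src] = null; queue.push(src); }
  }
  while (queue.length > 0) {
    const cur = queue.shift() as string;
    reached.push(cur);
    for (const f of flows) {
      if (f.from === cur && parent[f.to] === undefined) {
        parent[f.to] = cur;
        queue.push(f.to);
      }
    }
  }

  const findings: Finding[] = [];
  for (const name of reached) {
    // Rebuild the route PHI took, so the finding shows why the service is in scope.
    const hops: string[] = [];
    let n: string | null = name;
    while (n !== null) { hops.unshift(n); n = parent[n] ?? null; }
    const path = hops.join(" -> ");

    const svc = byName[name];
    if (svc === undefined) {
      findings.push({ service: name, issue: "not in inventory", path });
      continue;
    }
    if (!svc.coveredByBaa) findings.push({ service: name, issue: "no BAA coverage", path });
    for (const feat of svc.excludedFeaturesInUse) {
      findings.push({ service: name, issue: "feature outside BAA scope: " + feat, path });
    }
  }
  return findings;
}
```

Chime produces no finding in the sample because no PHI path reaches it; the check is about where PHI flows, not about which services exist in the account.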
Convex wins on cost until your data volume crosses a line
Cost comparisons between these platforms usually fail in one of two ways: they bill Convex as if it charged per query, which it doesn’t, or they compare raw infrastructure and ignore the DevOps labor that dominates the real total. Here’s the corrected picture for a Convex backend for a healthcare app, modeled at a concrete scale and including the cost that actually moves the number.
Mid-Scale (5,000 Patients): Convex wins, and it’s mostly DevOps
Take a mid-scale clinical app: 5,000 active patients at roughly 200 reads and 20 writes each per day, which works out to about 30 million reads and 3 million writes a month, or around 33 million function calls. That’s a real product, not a toy.
Convex doesn’t charge per query. You pay per developer seat at $25 a month, and metered overage only kicks in when you exceed generous included allotments on function calls, database I/O, and egress; query and mutation compute is free.
One nuance worth internalizing: Convex bills function calls and I/O, not document reads, so a query that reads many documents in one invocation costs the same as one that reads a few. Your cost tracks how you design queries. Raw data volume isn’t the driver.
At this scale, the numbers are almost anticlimactic.
| Line | Convex (Professional) | AWS |
| Platform / infrastructure | ~$40-115/mo all-in (seats + light overage) | ~$120-330/mo (DynamoDB at $0.25/M reads, $1.25/M writes; Lambda; S3; Cognito; CloudTrail; KMS) |
| DevOps labor | ~$0 (no infrastructure to operate) | ~$2,000-5,000/mo (roughly one day a week of infra engineering) |
| Total cost of ownership | ~$40-115/mo | ~$2,100-5,300/mo |
Convex wins decisively, but read where the gap comes from: it’s almost entirely DevOps labor, and that labor, not raw cloud infrastructure cost, is what you’re really paying for with a Convex backend. Healthcare teams at startup scale feel this most, where one infra hire dwarfs the platform bill and the infra cost itself stays a rounding error under both options.
The question to answer is whether you’d rather pay for DevOps or accept metering and a more opinionated platform. “Which is cheaper to run” is the wrong axis at this scale. Modeling this alongside your full healthcare app development cost is what turns the comparison into a decision.
High volume (25,000+ on continuous data): where AWS takes over
Now change one variable: data access frequency. At 25,000 patients streaming continuous sensor data to care teams, alert systems, and patient apps, function-call volume climbs toward 1.5 billion a month, with thousands of concurrent users hitting the backend at peak.
This is where Convex pricing stops being a rounding error: its linear metering follows that volume up, into the low thousands a month and rising as you grow. AWS, meanwhile, turns infrastructure scaling into a lever you control, letting you switch from on-demand to reserved capacity and hold platform cost in the low hundreds. The lines cross, and past the crossover AWS is several times cheaper.
Builder Alert: Model your read, write, and function-call volumes before you commit. Convex’s metering scales linearly with clinical data access, so a high-frequency continuous-data product such as a remote patient monitoring app can flip the economics from “Convex is trivially cheap” to “AWS is the only sane choice.” The crossover is real; find where yours sits.
Where Convex is the right call for a healthcare app
Convex is right for healthcare in specific places and wrong in others, and the others are mostly in the next section. These four use cases are where its strengths line up cleanly with what you’re building.
Early-stage consumer health and wellness
Fitness tracking, meditation, sleep, nutrition: if the product doesn’t touch clinical PHI, the HIPAA question mostly recedes, and Convex’s reactive subscriptions shine for live activity feeds and social features. A two- or three-person team can ship a polished app without anyone owning infrastructure.
The compliance posture stays light precisely because the data is, and that’s the point. As the product matures toward clinical features, planning your SOC 2 path early keeps that transition from becoming a scramble.
Real-time care coordination dashboards
This is where Convex is genuinely best-in-class. Nurse communication tools, patient-flow boards, care-team messaging: all of them need live updates pushed to many clients at once, and Convex’s reactive queries deliver exactly that with no WebSocket infrastructure to stand up or maintain.
For a real-time healthcare backend serving real-time clinical data to dozens of screens, you’d otherwise be assembling and operating that layer yourself on AWS. The platform BAA on Professional and above covers the PHI flowing through it, so the compliance basics are handled while you focus on the product.
Telehealth scheduling and patient engagement
Convex works beautifully as the application layer of a telehealth backend or a patient portal, handling scheduling, messaging, and session coordination with the responsiveness patients expect. The constraint is the boundary: Convex is not your structured clinical-record layer. Keep the medical record in a dedicated FHIR store or the EHR, let Convex own the engagement and coordination around it, and the split plays to each system’s strengths.
Prototype and pre-revenue
When you’re racing to a demo, Convex’s zero-infrastructure-config setup is a real time-to-market advantage; you’re building features on day one instead of provisioning a stack.
The honest caveat: if enterprise health-system customers are on your roadmap, build with eventual re-architecture in mind rather than assuming this stack ships to production at every scale. A fast prototype is an asset right up until someone mistakes it for the final architecture, which is exactly how the re-platforming trap springs.
Where AWS is the right call for a healthcare app
These four use cases share a pattern: each one needs control, integration depth, or scale economics that a managed platform can’t expose. This is where AWS HIPAA compliant healthcare infrastructure earns its configuration cost.
Enterprise health-system deployments
Hospitals and health systems already run on AWS, and their security reviews are calibrated to it. They’ll ask about data residency, VPC isolation, customer-managed keys, and audit-log export, and they’ll expect concrete answers backed by a control surface they can inspect. Convex’s managed infrastructure deliberately abstracts that surface away, which is a feature for small teams and a dealbreaker here. If selling into enterprise health systems is the plan, AWS is the default, full stop.
FHIR-integrated clinical applications
Anything that stores, exchanges, or validates clinical data in FHIR belongs on AWS, where HealthLake provides a native FHIR R4 datastore and healthcare API surface with SMART on FHIR support and, more recently, a CCDA-to-FHIR transformation agent. Build the same FHIR layer on Convex’s document model and you erase the velocity advantage that made Convex attractive in the first place.
The pressure here is regulatory on top of technical: CMS-0057-F, ONC HTI-1, and the 21st Century Cures Act are pushing FHIR from nice-to-have to requirement. If your roadmap includes integrating with Epic EHR, or you’re tracking how AI will change EHR workflows, this is the layer that decides the platform.
High-volume clinical data workloads
Remote patient monitoring, genomics, population health, clinical-trial pipelines: these generate continuous, high-frequency data, and that’s exactly where per-resource metering turns expensive.
Past roughly 25,000 to 50,000 patients on continuous data, AWS reserved capacity holds cost flat while a metered model climbs linearly, the crossover detailed in the cost section above. When the data volume is the product, the scalable healthcare infrastructure that lets you reserve capacity is the one that stays affordable.
Regulated SaMD under FDA oversight
Software as a medical device raises the bar on demonstrable control. You need customer-managed keys, complete audit trails, defined data residency, and the ability to show an auditor exactly how each control is enforced. Managed infrastructure doesn’t expose that control surface, and you can’t demonstrate what you can’t configure. For teams navigating FDA clearance for health AI, that auditability is the price of admission.
The decision framework: score yourself against both columns
You’ve seen the analysis. Here’s the score-yourself version. Run your situation against both lists; the reasoning behind each line lives in the sections above.
Choose Convex If
Choose Convex when all of these are true:
- Your team is under 10 engineers with no dedicated DevOps.
- Your customers are consumers or small practices, not enterprise health systems with their own security review.
- Real-time delivery is a core product feature.
- No FHIR R4 storage or EHR write-back is in your initial scope.
- Patient volume sits below roughly 20,000 at moderate read frequency.
- You’ve reviewed Convex’s BAA (Professional and above) and confirmed it covers your PHI flow.
Choose AWS If
Choose AWS when any of these is true:
- Your customers are enterprise health systems, hospital networks, or large groups with formal security review.
- You must store, exchange, or validate FHIR R4, or integrate EHR APIs.
- You’re building software as a medical device under FDA oversight.
- Clinical data volume will exceed roughly 20,000 patients on continuous data.
- The product must deploy inside a customer’s AWS environment or VPC.
- You have dedicated DevOps, or you’ll hire it.
The asymmetry is deliberate: Convex needs every box checked, AWS needs only one. A single hard enterprise, FHIR, FDA, or volume requirement is enough to settle the platform, no matter how well the Convex column otherwise fits.
Why healthcare teams bring this decision to Topflight Apps
Topflight builds HIPAA-compliant healthcare apps on both Convex and AWS, so the recommendation comes from your product requirements, customer profile, and team capacity. No preferred-vendor relationship tilts it. Here’s what these engagements typically cover:
- HIPAA compliance architecture: BAA chain assessment, PHI data flow mapping, AWS compliance configuration, and Convex BAA scope review.
- AWS healthcare infrastructure: HealthLake FHIR, Cognito authentication, CloudTrail audit logging, and VPC isolation.
- Convex healthcare builds: application-layer HIPAA controls, real-time clinical dashboards, and compliance documentation.
- Total cost of ownership modeling: the real number at your patient volume, DevOps included.
- EHR integration: FHIR R4, SMART on FHIR, and Epic and Cerner connectivity.
The two moves that prevent the expensive mistakes are the same two that opened this piece. Model the total cost of ownership at your expected scale, and map the compliance configuration delta, before you commit to an infrastructure path and start building a HIPAA compliant backend for a healthcare app.
Get those right and the platform choice stops being a gamble and becomes what it should be: a decision you can defend.
Frequently Asked Questions
Is Convex HIPAA compliant, and does it sign a BAA?
Yes. Convex signs a business associate agreement on its Professional plan and above, priced at $25 per developer per month. The Free and Starter tiers do not include a BAA, so you cannot process PHI on them. Signing the BAA covers Convex’s platform obligations, not your application-layer controls.
Can you build a fully HIPAA-compliant clinical app on Convex alone?
For some workloads, yes. But several pieces are yours to build: FHIR support, field-level audit trails, clinical role-based access control, and emergency break-glass access aren’t provided natively. Convex handles the infrastructure layer; you own the clinical compliance logic on top of it.
What AWS services are HIPAA-eligible?
Roughly 150 to 166 services as of 2026, and the list changes regularly. The BAA is free and self-service through AWS Artifact, but it covers eligible services only. Always verify the current list and check for feature-level exclusions on services you assume are covered.
Is Convex cheaper than AWS for a healthcare app?
At mid-scale, yes, mostly because there’s no DevOps labor cost. AWS wins at high continuous-data volume, where Convex’s per-resource metering scales linearly while AWS reserved capacity stays flat. The crossover depends on your data access frequency, so model it at your real volume.
Can Convex handle FHIR data for EHR integration?
Not natively. Convex has no built-in FHIR or HL7 support, so you’d build that layer yourself on its document model. If FHIR is central to your product, AWS HealthLake is the native option built for it.




