Security Is Not a Feature. It's Our Foundation.
Handling protected health information is a responsibility we take seriously. Our platform is built from the ground up with healthcare-grade security and HIPAA compliance.
- HIPAA Compliant: Active
- SOC 2 Type II: In Progress
- HITRUST CSF: Planned
- BAA Available: Active
HIPAA Compliance
We maintain comprehensive HIPAA compliance across every layer of our platform, from data handling to workforce policies.
- Business Associate Agreements (BAAs) executed with all clients before PHI access
- Strict PHI handling policies with minimum necessary standard enforcement
- Annual workforce training on HIPAA requirements and security awareness
- Documented breach notification procedures: affected parties are notified without unreasonable delay and no later than 60 days after discovery, as the HIPAA Breach Notification Rule requires
Data Encryption
Your data is encrypted at every stage, whether in transit across networks or at rest in our databases.
- AES-256 encryption at rest for all data stored in our infrastructure
- TLS 1.3 encryption in transit for all API communications and data transfers
- Column-level encryption for PHI fields (patient names, DOB, SSN) via Supabase Vault
- Encryption keys managed through dedicated key management services, rotated regularly
Access Control
Granular role-based access ensures every user sees only what they need. No more, no less.
- Role-based access control (RBAC) with 6 distinct roles: Admin, CFO, RCM Director, Coder, Auth Specialist, Viewer
- Multi-factor authentication (MFA) enforcement for all user accounts
- Automatic session timeout after 15 minutes of inactivity
- SSO integration via SAML 2.0 and OIDC available on Enterprise tier
Infrastructure Security
Built on enterprise-grade cloud infrastructure with SOC 2 certified providers and US-based data centers.
- Supabase (SOC 2 Type II certified) for database and authentication services
- Vercel (SOC 2 Type II certified) for application hosting and edge functions
- All data centers located within the United States — no data leaves US borders
- DDoS protection and Web Application Firewall (WAF) via Cloudflare
AI Safety & Privacy
Our AI pipeline is designed with privacy at its core. Your patient data is never used to train models.
- Zero PHI retention by AI providers: all API calls are made under zero-data-retention agreements
- No client data is ever used for model training by OpenAI, Anthropic, or any provider
- Minimum necessary PHI principle applied to all AI prompts and context windows
- BAAs executed with all AI model providers (OpenAI, Anthropic)
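The "minimum necessary" bullet above is the one item in this section that is enforced in code rather than by contract, so here is an added illustration of what that enforcement looks like. This is example code written for this page, not the platform's own pipeline; the field names, the allow-list of fields a coding task needs, the `PT_` placeholder scheme, and the sample claim are all assumptions constructed for the example. The idea is the same regardless of provider: strip direct identifiers and unknown fields before building the prompt, scrub identifiers that leak into free text, keep the re-identification map on our side, and run a final gate that refuses to send anything that still looks like PHI.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Allow-list of fields a coding/denial-review task actually needs, and the
# direct identifiers that never belong in a prompt. Both sets are assumptions
# for this example; the page does not publish its own field lists.
ALLOWED_FIELDS = {"encounter_date", "cpt_codes", "icd10_codes", "payer",
                  "denial_reason", "clinical_note"}
DIRECT_IDENTIFIERS = {"patient_name", "dob", "ssn", "mrn"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# US-style MM/DD/YYYY; deliberately broad, so it errs on the side of redacting.
DOB_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic placeholder: the same patient gets the same token
    within a request, but the token cannot be reversed without the key, which
    never leaves the application."""
    return "PT_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]


def scrub_free_text(text: str, name: str, token: str) -> str:
    """Remove identifiers that leak into free-text notes."""
    out = SSN_RE.sub("[SSN]", text)
    out = DOB_RE.sub("[DOB]", out)
    if name:
        out = re.sub(re.escape(name), token, out, flags=re.IGNORECASE)
    return out


def minimize_record(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (prompt-safe record, local re-identification map).

    Direct identifiers are dropped, unknown fields are dropped (allow-list, not
    deny-list), and free text is scrubbed. The re-identification map stays on
    our side so the model's answer can be attached back to the patient."""
    name = record.get("patient_name", "")
    token = pseudonym(name, key) if name else ""
    safe: Dict[str, str] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field not in ALLOWED_FIELDS:
            continue
        safe[field] = scrub_free_text(value, name, token)
    reident: Dict[str, str] = {}
    if token:
        safe["patient_ref"] = token
        reident[token] = name
    return safe, reident


def residual_phi(safe: Dict[str, str], original: Dict[str, str]) -> List[str]:
    """Final gate before the API call: report any identifier value or pattern
    that survived minimization. An empty list means the prompt may be sent."""
    findings: List[str] = []
    blob = "\n".join(safe.values())
    for field in sorted(DIRECT_IDENTIFIERS):
        value = original.get(field)
        if value and value.lower() in blob.lower():
            findings.append(f"{field} value present")
    if SSN_RE.search(blob):
        findings.append("SSN pattern present")
    if DOB_RE.search(blob):
        findings.append("DOB pattern present")
    return findings


# Constructed sample claim for the example; not real patient data.
SAMPLE_CLAIM = {
    "patient_name": "Jane Doe",
    "dob": "03/14/1962",
    "ssn": "123-45-6789",
    "mrn": "MRN-0099123",
    "encounter_date": "2024-05-02",
    "cpt_codes": "99214",
    "icd10_codes": "E11.9",
    "payer": "Example Health Plan",
    "denial_reason": "CO-16 missing information",
    "clinical_note": "Jane Doe (DOB 03/14/1962, SSN 123-45-6789) seen for "
                     "follow-up of type 2 diabetes.",
    "internal_flag": "vip",  # not on the allow-list, so it is dropped too
}

if __name__ == "__main__":
    safe, reident = minimize_record(SAMPLE_CLAIM, b"example-local-key")
    print(safe)
    print("residual PHI:", residual_phi(safe, SAMPLE_CLAIM))
```

The gate in `residual_phi` is the check a reviewer should ask for: minimization that is not verified before the network call is a policy, not a control. Regex-based scrubbing of free text is a floor, not a ceiling; names that are not the patient's own (family members, referring physicians) still need a dedicated de-identification pass.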
Audit & Monitoring
Every action is logged, every access is tracked. Complete visibility into who accessed what, when, and why.
- Immutable, append-only audit logs that cannot be modified or deleted by users or administrators for the life of the retention period
- All PHI access events tracked with user identity, timestamp, IP address, and action type
- Real-time alerting on suspicious access patterns and potential security incidents
- 7-year audit log retention to meet healthcare regulatory requirements
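"Immutable" and "append-only" are only meaningful if tampering is detectable, so here is an added example of the mechanism behind those two bullets, plus one of the "suspicious access pattern" rules from the alerting bullet. This is illustrative code written for this page, not the platform's own logging implementation; the entry fields, the bulk-access threshold and the sample events are constructed assumptions. Each entry commits to the hash of the entry before it, so editing, reordering or deleting an earlier entry breaks verification of every later one, and anchoring the latest hash somewhere the log writer cannot reach catches truncation from the end.

```python
import hashlib
import json
import time
from collections import defaultdict
from typing import Dict, List, Optional, Set

GENESIS = "0" * 64  # prev-hash committed to by the very first entry


def _canonical(body: dict) -> bytes:
    """Stable serialization so the same entry always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only, hash-chained log of PHI access events."""

    def __init__(self) -> None:
        self._entries: List[Dict] = []

    def append(self, user: str, action: str, resource: str, ip: str,
               ts: Optional[float] = None) -> Dict:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"seq": len(self._entries),
                "ts": ts if ts is not None else time.time(),
                "user": user, "action": action, "resource": resource,
                "ip": ip, "prev": prev}
        entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
        self._entries.append(entry)
        return entry

    def entries(self) -> List[Dict]:
        # Copies, so callers cannot mutate the log through the returned list.
        return [dict(e) for e in self._entries]

    def head(self) -> str:
        """Latest hash; store this out of band (separate system, separate
        credentials) so that truncation of the log can be detected."""
        return self._entries[-1]["hash"] if self._entries else GENESIS


def verify_chain(entries: List[Dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None
    if the whole chain (and, if given, the anchored head) checks out."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev") != prev:
            return i  # reordered, inserted or deleted entry
        if hashlib.sha256(_canonical(body)).hexdigest() != e.get("hash"):
            return i  # field edited after the fact
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # entries removed from the end
    return None


def flag_bulk_access(entries: List[Dict], max_patients: int = 50,
                     window: float = 60.0) -> Set[str]:
    """Users who touched more than max_patients distinct patient records inside
    any window-second span; a simple 'suspicious access pattern' rule."""
    by_user = defaultdict(list)
    for e in entries:
        if e["resource"].startswith("patient/"):
            by_user[e["user"]].append((e["ts"], e["resource"]))
    flagged: Set[str] = set()
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({r for _, r in events[start:end + 1]}) > max_patients:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    # Constructed sample events; not real access data.
    log = AuditLog()
    log.append("coder1", "view", "patient/1", "10.0.0.5", ts=1000.0)
    log.append("coder1", "view", "patient/2", "10.0.0.5", ts=1001.0)
    log.append("admin", "export", "patient/3", "10.0.0.9", ts=1002.0)
    print("intact:", verify_chain(log.entries(), log.head()))
    tampered = log.entries()
    tampered[1]["user"] = "someone_else"
    print("edited entry detected at:", verify_chain(tampered))
    print("bulk readers:", flag_bulk_access(log.entries(), max_patients=1))
```

The chain proves integrity, not availability: a privileged writer can still drop the newest entries, which is why `head()` belongs in a separate system under separate credentials and why retention should be enforced by that system rather than by the application that writes the log.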
Vendor Security
We hold our vendors to the same security standards we hold ourselves. Every subprocessor is vetted and covered under BAAs.
- Business Associate Agreements with Supabase, Vercel, OpenAI, and Anthropic
- Complete list of subprocessors available upon request
- Vendor security assessments conducted annually
- Immediate notification if any vendor experiences a security incident
Penetration Testing & Vulnerability Management
Proactive security testing ensures vulnerabilities are found and fixed before they become threats.
- Annual third-party penetration testing by independent security firms
- Bug bounty program (planned) to incentivize responsible security research
- Vulnerability disclosure policy for responsible reporting of security issues
- Continuous automated vulnerability scanning across all application layers
Ready to Secure Your Revenue Cycle?
Request our Business Associate Agreement or download our security whitepaper to learn more about how we protect your data.