CareBridge Systems

Built for HIPAA. Engineered for audit.

Practice data is governed by formal compliance controls, end-to-end encryption, role-scoped access enforcement, and audit logging at every operational tier. Documentation is provided to customer compliance teams on request.

HIPAA-aligned · SOC 2 in preparation · BAA on request

Formal controls, audit-ready documentation.

HIPAA

Technical, administrative, and physical safeguards aligned with the HIPAA Security Rule. Business Associate Agreements available for every customer practice.

Aligned

SOC 2 Type II

Preparing for SOC 2 certification. Current control attestation and trust-services criteria mapping are available to prospective customers on request.

In preparation

Audit ready

Activity logs, access trails, configuration changes, and compliance documentation exported in audit-ready formats. Retention windows configurable per customer agreement.

Available

Encryption, isolation, and lifecycle controls.

01 · ENCRYPTION AT REST

AES-256 across all customer data stores.

Practice data, attached documents, and audit records are encrypted at rest with AES-256 and per-tenant key derivation. Keys rotate on a documented cadence.

02 · ENCRYPTION IN TRANSIT

TLS 1.3 enforced for all customer traffic.

Browser, integration, and inter-service traffic uses TLS 1.3. Older TLS versions are rejected at the gateway, and HSTS is preloaded.

03 · LOGICAL ISOLATION

Per-tenant logical isolation by default.

Every customer practice operates with logical isolation in shared infrastructure. Dedicated tenancy is available for enterprise practice groups on request.

04 · LIFECYCLE GOVERNANCE

Retention, export, and deletion on contract terms.

Retention windows, export formats, and deletion timelines are configured to the customer agreement. End-of-contract data return and destruction are documented.

Authentication, authorization, and audit.

AUTHENTICATION

Enterprise SSO with OIDC.

OIDC integration with the customer’s identity provider. Multi-factor authentication is enforced for administrative roles by default.

AUTHORIZATION

Role-scoped access bindings.

Granular role and scope bindings are managed at the operations tier. Page-level and capability-level access is enforced at the gateway, not in the browser.

AUDIT

Every state mutation logged.

Actor, timestamp, source, and outcome are captured for every state-changing operation. Logs are retained per customer agreement and exported in standard formats.

Request the full security packet.

Customer compliance teams receive the security overview, BAA template, SOC 2 readiness status, and incident-response runbook on request.