Compliance
HIPAA-aligned. Audit-ready. Honest about where we are.
We publish our compliance posture transparently — what's available today, what's in progress, and what's on our roadmap.
Compliance status
- BAA available: signed before any production access
- SOC 2 Type II: Type I report Q3 — Type II observation window underway
- HIPAA Security & Privacy Rule: architecture aligned; controls described in the safeguards sections below
- HITRUST CSF: targeting r2 certification in the next 18 months
- GDPR / DPA: Data Processing Addendum available on request
Administrative safeguards
- Designated Security Officer and Privacy Officer
- Annual workforce HIPAA training, tracked
- Incident response runbook with 60-day breach notification process
- Risk analysis updated at least annually and on material change
- Subcontractor BAAs in place before any PHI access
Physical safeguards
- All compute hosted in SOC 2 Type II / ISO 27001 / HITRUST data centers
- No production access from physical premises
- Workstation policy enforced via MDM for any workforce member with access
Technical safeguards
- Unique user IDs, MFA, automatic session timeout, emergency access procedures
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Tamper-evident audit logging for create/read/update/delete on PHI
- Integrity checks on PHI records
- Per-tenant data isolation enforced at the database layer
Need our compliance package?
We can provide our SOC 2 progress letter, BAA template, security questionnaire responses, and architecture documentation under NDA.
Email [email protected]