Built for healthcare. Secured like healthcare.
We handle PHI with the same rigor we apply to our models. HIPAA-compliant infrastructure, encryption at every layer, and a security posture designed for the most demanding health systems.
- HIPAA Compliant: Active
- BAA Available: Standard
- SOC 2 Type II: In Progress
- 256-bit Encryption: Active
Compliance Framework
Our security program is designed around healthcare regulatory requirements and enterprise expectations.
HIPAA Compliance
Fully Compliant
- Administrative, physical, and technical safeguards implemented
- Business Associate Agreements executed with all partners
- Regular risk assessments and security audits
- Workforce training and access controls
SOC 2 Type II
Audit in Progress
- Security controls implemented and documented
- Availability and confidentiality trust principles
- Type II audit observation period (Q3 2026 completion)
- Report available upon completion
Technical Security Controls
Defense in depth across infrastructure, application, and data layers.
Data Encryption
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Field-level encryption for PHI
- Secure key management (AWS KMS)
Access Control
- Role-based access control (RBAC)
- Multi-factor authentication required
- Principle of least privilege
- Audit logging for all access
Infrastructure
- SOC 2 certified cloud providers
- Private network isolation (VPC)
- Automated vulnerability scanning
- 24/7 infrastructure monitoring
Monitoring & Detection
- Real-time security monitoring
- Intrusion detection systems
- Anomaly detection and alerting
- Security incident response plan
Network Security
- Web Application Firewall (WAF)
- DDoS protection
- API rate limiting
- IP allowlisting available
Organizational
- Background checks for all employees
- Annual security training
- Vendor security assessments
- Documented security policies
How We Handle Your Data
We believe in data minimization and purpose limitation. We only collect what we need, use it only for its intended purpose, and protect it with enterprise-grade security.
Data Minimization
We only ingest the specific EHR fields required for risk prediction
Purpose Limitation
PHI is used solely for generating risk scores, never for other purposes
Retention Limits
Data retained only as long as needed, with automated purging
No Data Selling
We never sell, share, or use your data for training external models
Data Flow Architecture
1. EHR Integration: secure API or SFTP connection
2. Encrypted Transit: TLS 1.3 with certificate pinning
3. Secure Processing: isolated compute environment
4. Risk Score Delivery: secure API response to your system
Business Associate Agreement
We execute BAAs with all healthcare partners before any PHI exchange. Our standard BAA is designed for enterprise health systems and includes breach notification commitments, subcontractor requirements, and termination provisions.
Security FAQ
Where is data hosted?
All data is hosted in SOC 2 certified data centers within the United States. We use AWS with HIPAA-eligible services and execute a BAA with all infrastructure providers.
How do you handle breach notification?
We maintain a documented incident response plan with notification within 24 hours of discovery for suspected breaches. Full details are included in our BAA.
Can you support on-premises deployment?
We offer cloud-hosted deployment with private network connectivity. For organizations requiring on-premises deployment, please contact us to discuss requirements.
What third parties have access to our data?
Only our core infrastructure providers (AWS) and essential SaaS tools with executed BAAs. We do not share data with any analytics, marketing, or AI training services.
How often do you conduct security assessments?
We perform continuous automated vulnerability scanning, quarterly penetration testing by third parties, and annual comprehensive security audits.
Ready to Review Our Security Posture?
We provide detailed security documentation, penetration test summaries, and architecture diagrams to your security team.