Enterprise-grade security, from day one
Your patients' data deserves the highest standard of protection. Here's how we deliver it.
HIPAA Compliant
Full compliance with HIPAA Privacy, Security, and Breach Notification Rules. Annual risk assessments and employee training.
SOC 2 Type II
Independent third-party audit of our security controls against the SOC 2 Trust Services Criteria: the mandatory Security criterion plus availability, confidentiality, and processing integrity.
BAA Available
Business Associate Agreement available for all plans. We sign your BAA within 24 hours of request.
AES-256 Encryption
All data encrypted at rest using AES-256 and in transit using TLS 1.3. PHI receives additional column-level pgcrypto encryption.
Security controls in depth
Authentication & Access
- Multi-factor authentication (TOTP)
- Role-based access control (9 role types)
- Account lockout after failed attempts
- JWT tokens with short expiry + rotation
- Rate limiting on all endpoints
Data Protection
- PHI encrypted at column level (pgcrypto)
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Encrypted database backups
- Automatic key rotation
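As an added illustration (not the vendor's actual schema or code), this is what column-level PHI encryption with pgcrypto looks like in PostgreSQL. The table, column and setting names (`patient`, `ssn_enc`, `dob_enc`, `mrn_hash`, `app.phi_key`, `app.phi_index_key`) are assumptions made for the example. Two details worth checking in any design of this kind: `pgp_sym_encrypt` defaults to AES-128, so the `cipher-algo=aes256` option is what actually delivers the AES-256 promised above, and the key should reach the session from the application (fetched from a KMS, for instance) rather than live in a table or function that a database role can read.

```sql
-- Added example, not the vendor's schema. Column-level PHI encryption with pgcrypto.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- PHI columns hold bytea ciphertext. A keyed hash of the MRN allows equality
-- lookups without decrypting anything. All names here are illustrative.
CREATE TABLE patient (
    id         bigserial   PRIMARY KEY,
    mrn_hash   bytea       NOT NULL UNIQUE,  -- hmac(mrn, index_key, 'sha256')
    ssn_enc    bytea       NOT NULL,         -- pgp_sym_encrypt(ssn, data_key, 'cipher-algo=aes256')
    dob_enc    bytea       NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- The application supplies the keys per transaction (for example after fetching
-- them from a KMS); they are never stored in the database. SET LOCAL scopes the
-- values to this transaction only. The values below are placeholders.
BEGIN;
SET LOCAL app.phi_key       = 'data-key-from-kms';
SET LOCAL app.phi_index_key = 'index-key-from-kms';  -- separate key for the lookup hash

INSERT INTO patient (mrn_hash, ssn_enc, dob_enc)
VALUES (
    hmac('MRN-000123', current_setting('app.phi_index_key'), 'sha256'),
    -- cipher-algo=aes256 is required: pgcrypto's default for pgp_sym_encrypt is AES-128
    pgp_sym_encrypt('123-45-6789', current_setting('app.phi_key'), 'cipher-algo=aes256'),
    pgp_sym_encrypt('1980-01-01',  current_setting('app.phi_key'), 'cipher-algo=aes256')
);

-- Look up by MRN via the keyed hash, then decrypt only the columns this query needs.
-- pgp_sym_decrypt reads the cipher from the PGP packet, so no option is needed here.
SELECT id,
       pgp_sym_decrypt(ssn_enc, current_setting('app.phi_key'))       AS ssn,
       pgp_sym_decrypt(dob_enc, current_setting('app.phi_key'))::date AS dob
FROM   patient
WHERE  mrn_hash = hmac('MRN-000123', current_setting('app.phi_index_key'), 'sha256');
COMMIT;
```

Two caveats a practitioner would apply before using this pattern. First, the example passes plaintext PHI and key material as literals for readability; in production they must be bound as query parameters, because `log_statement` and `pg_stat_statements` record utility statements such as `SET` and literal `INSERT` values verbatim. Second, column-level encryption protects PHI in dumps, backups and against database roles that never receive the key; it does not protect against a compromised application that holds the key, which is why the audit trail and access controls listed on this page still matter.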
Monitoring & Audit
- Complete audit trail on all PHI access
- Real-time security event monitoring
- Access logs with IP, user, and action
- Automated anomaly detection
- Regular penetration testing
Infrastructure
- U.S.-based data centers
- Network isolation and firewalls
- Automated vulnerability scanning
- Disaster recovery and business continuity
- Regular security patching
9 role types for granular access
Every user sees only what they need. Nothing more.
Super Admin
Platform-level administration
Org Admin
Organization management
Department Head
Department oversight
Clinician
Full clinical access
Nurse
Clinical support access
Medical Assistant
Limited clinical access
Billing Specialist
Billing & coding access
Receptionist
Scheduling & patient intake
Read-Only Colleague
View-only access
Questions about security?
We're happy to walk through our security posture, provide audit reports, or sign your BAA.