Chapter 02 · SecurityHIPAA · SOC 2 in progress

Trust, earned by architecture.

Every design decision starts from a simple question: would a privacy officer approve this before the feature ships? If not, it doesn't.

Core controlsThree defaults
Control · 01Default on

Encryption

AES-256 at rest. TLS 1.3 in transit. No exceptions.

  • Per-tenant key isolation on GCP KMS
  • Encrypted backups with rotation
  • Zero plaintext PHI in logs
Control · 02Default on

Audit logging

Every access to PHI is written, signed, and surfaced to the practice.

  • Immutable logs retained per HIPAA
  • Anomaly detection on access patterns
  • Direct query access for your compliance team
Control · 03Default on

Access controls

Role-based access and hardware-key MFA, scoped to the minimum necessary.

  • RBAC with per-workflow permissions
  • Phishing-resistant MFA for all operators
  • Session timeouts + quarterly access reviews
Operating practicesBeyond the baseline
Infrastructure

Built on GCP with isolation as a first principle.

01

Multi-region failover with 99.9% uptime target

02

DDoS protection at the edge, managed by Google

03

Automated patching on a published cadence

04

Network segmentation and default-deny firewalls

Data protection

PHI is treated as a liability, not a dataset.

01

Daily encrypted backups with tested recovery drills

02

US-only PHI residency by default

03

De-identification pipelines for any analytic workload

04

Retention schedules aligned with each covered entity

Response

We rehearse the bad day before it arrives.

01

Vulnerability scanning at least every six months

02

Annual third-party penetration testing

03

Incident response runbooks with named on-call

04

HIPAA-compliant breach notification workflows

Compliance postureWhere we stand
Status · Live

HIPAA

Business Associate Agreement on request. Administrative, physical, and technical safeguards in production.

Status · In progress

SOC 2

Type II observation window underway. Audit report targeted for 2026.

Status · Ready

GDPR & state laws

Data processing addenda available. CCPA, CPRA, and state-level PHI rules mapped to our controls.

For privacy officers

We'll walk you through the controls, the logs, and the BAA — in one session.

Bring the questions your compliance committee hasn't signed off on yet. Our team includes a clinical privacy lead and a security engineer who ship the platform every day.

Request the security review