HIPAA
Built on AWS, with PHI classified at intake and audit-trailed end-to-end. We publish what we promise — anything labelled "ready" or "on request" below is a real commitment, not a marketing posture.
HIPAA-aligned pipeline with PHI classified at intake and audit-trailed end-to-end.
Mutually-signed Business Associate Agreement available on request before any PHI flows.
Data Processing Addendum for firms with GDPR exposure or formal procurement requirements.
SOC 2 ready posture — controls in place, evidence collection running, audit on the roadmap.
Information security management aligned with ISO 27001 controls.
Annual third-party penetration test commitment baked into Enterprise contracts.
All client data — intake submissions, dossiers, documents — is encrypted at rest with AES-256 under AWS KMS-managed keys, and in transit over TLS 1.3. Keys are rotated on AWS's schedule; Enterprise customers can bring their own.
Documents (medical records, ER reports, claim files) upload directly to S3 via short-lived pre-signed URLs, each bound to a single object key, so the app server issues the upload grant but never handles the bytes. PHI is classified at intake and routed to a separately-bucketed medical_records store with stricter IAM.
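What a pre-signed PUT actually binds, shown as an added example that is not the product's own code: the URL fixes the bucket, the object key, the HTTP method, the issue time and the expiry under a SigV4 signature, so the app server can hand a client a one-object upload grant without ever proxying the file. SigV4 query-string signing is reimplemented here with the Python standard library so the example runs offline; the bucket names, credentials, submission IDs and the 15-minute expiry cap are assumptions for the demo. The verifier re-derives the signature the way S3 would, which makes the binding visible: change the key, the bucket, the method or the clock and the grant stops working.

```python
"""Added illustration, not the product's own code: what a pre-signed S3 PUT
binds (bucket, object key, HTTP method, issue time, expiry) and why that lets
the app server grant an upload without proxying the bytes. SigV4 query-string
signing is reimplemented with the standard library so this runs offline;
bucket names, credentials and submission IDs are made up."""
import hashlib
import hmac
import secrets
import time
import urllib.parse
from datetime import datetime, timezone

# Hypothetical bucket names for the two storage tiers described on the page.
GENERAL_BUCKET = "example-intake-general"
PHI_BUCKET = "example-medical-records"     # the separately-bucketed PHI store
MAX_EXPIRY_SECONDS = 900                   # assumed cap: grants stay short-lived


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _canonical_query(params: dict) -> str:
    def q(s):  # SigV4 unreserved set; everything else, including '/', is escaped
        return urllib.parse.quote(s, safe="-_.~")
    return "&".join(f"{q(k)}={q(v)}" for k, v in sorted(params.items()))


def _signature(secret_key, method, host, key, params, amz_date, region):
    """SigV4 over the canonical request: any change to method, host, key,
    query parameters or dates yields a different signature."""
    date_stamp = amz_date[:8]
    canonical_request = "\n".join([
        method,
        "/" + urllib.parse.quote(key, safe="/-_.~"),
        _canonical_query(params),
        f"host:{host}\n",        # canonical headers, followed by a blank line
        "host",                  # signed headers
        "UNSIGNED-PAYLOAD",      # the bytes are not signed; only the grant is
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        f"{date_stamp}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for scope in (region, "s3", "aws4_request"):
        k = _hmac(k, scope)
    return hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_put(*, access_key, secret_key, region, submission_id, is_phi,
                now=None, expires=MAX_EXPIRY_SECONDS):
    """Mint an upload grant for one intake submission. The server picks the
    bucket from the PHI classification and the object key itself, so the
    client can neither choose the destination nor reuse the URL elsewhere."""
    if not 1 <= expires <= MAX_EXPIRY_SECONDS:
        raise ValueError("expiry must be 1..%d seconds" % MAX_EXPIRY_SECONDS)
    bucket = PHI_BUCKET if is_phi else GENERAL_BUCKET
    key = f"intake/{submission_id}/{secrets.token_hex(16)}"
    now = int(time.time()) if now is None else int(now)
    amz_date = datetime.fromtimestamp(now, timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(secret_key, "PUT", host, key,
                                           params, amz_date, region)
    return f"https://{host}/{key}?{_canonical_query(params)}"


def verify_presigned(url, *, secret_key, method, now):
    """Re-derive the signature as S3 would. Returns (accepted, detail), where
    detail is the bucket on success or the rejection reason otherwise."""
    parts = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    try:
        presented = params.pop("X-Amz-Signature")
        amz_date = params["X-Amz-Date"]
        expires = int(params["X-Amz-Expires"])
        region = params["X-Amz-Credential"].split("/")[2]
        issued = int(datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ")
                     .replace(tzinfo=timezone.utc).timestamp())
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    if now < issued or now - issued > expires:
        return False, "expired"
    key = urllib.parse.unquote(parts.path[1:])
    expected = _signature(secret_key, method, parts.netloc, key, params, amz_date, region)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, parts.netloc.split(".")[0]
```

Two practical notes follow from the code. The payload is `UNSIGNED-PAYLOAD`, so the grant says nothing about the content; size, type and malware checks still have to happen on the object after upload (or be pinned by signing extra headers the client must then send). And because the server chooses the key under a per-submission prefix, the bucket's IAM and bucket policy can be written against that prefix layout rather than trusting client-supplied paths.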
Production runs on AWS App Runner backed by RDS in a private subnet. Least-privilege IAM throughout; no public database endpoints. Enterprise customers can opt into a VPC-isolated deploy in their own account.
We use Claude (Anthropic), GPT (OpenAI) and Gemini (Google) with zero-retention agreements. Enterprise customers can supply their own AWS Bedrock, Azure OpenAI and Vertex keys — all inference then routes through their accounts, and we never see the prompt or response.
Every access to a dossier, every score and every export is audit-logged. CloudTrail records for the underlying AWS activity are available on request. The audit trail pairs with the Receipts feature on the product side: every score carries its evidence and provenance.
Single sign-on via SAML or OIDC, SCIM provisioning for user lifecycle, MFA enforced. Available at the Enterprise tier; Growth and Professional get standard JWT auth with password + TOTP.
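The TOTP half of the password + TOTP login mentioned above, as an added example rather than the product's own code: RFC 6238 code generation on top of RFC 4226 HOTP, and a per-user verifier that tolerates one step of clock skew, compares codes in constant time, and refuses to accept a time step at or before the last one it accepted, which is what stops a captured code being replayed inside its 30-second window. The shared secret and the timestamps are made up for the demo; the step length, digit count and SHA-1 are the RFC 6238 defaults that authenticator apps use.

```python
"""Added illustration, not the product's own code: RFC 6238 TOTP with a
verifier that handles clock skew and rejects replayed codes. Secrets and
timestamps here are constructed for the demo."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # RFC 6238 default code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS,
         digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits, algo)


def new_secret(issuer: str, account: str):
    """Enrollment: a fresh 160-bit secret and the otpauth URI an app scans."""
    raw = secrets.token_bytes(20)
    b32 = base64.b32encode(raw).decode().rstrip("=")
    uri = f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits={DIGITS}&period={STEP_SECONDS}"
    return raw, uri


class TotpVerifier:
    """Per-user verifier state. `last_step` must be persisted with the user
    record in a real system; here it lives in memory for the demo."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window      # accept codes from +/- this many steps (clock skew)
        self.step = step
        self.last_step = -1       # highest time step already consumed

    def verify(self, code: str, at_time: float = None) -> bool:
        at_time = time.time() if at_time is None else at_time
        if not (isinstance(code, str) and code.isdigit() and len(code) == DIGITS):
            return False
        current = int(at_time) // self.step
        for offset in range(-self.window, self.window + 1):
            step = current + offset
            if step <= self.last_step:
                continue          # already used, or older than a used code: replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False
```

Two things the page's "password + TOTP" wording does not say but any deployment needs: the six-digit space is small, so verification attempts must be rate-limited per account on top of the replay check, and `last_step` has to be stored atomically alongside the user so two concurrent logins cannot both consume the same code.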
Subprocessor list, data flow diagrams, retention schedules, incident response runbook, pen-test summary, and the latest SOC 2 readiness report — packaged into one PDF and signed for distribution under NDA.