Security & Compliance

Enterprise-grade security for healthcare data and AI systems

PHI Protection

Zero PHI exposure in AI processing

Sanitization Flow

1. Request Received: Clinical notes arrive with patient names, DOB, MRN, SSN.
2. PHI Replacement: Regex patterns replace names → [PATIENT_NAME], DOB → [DOB], SSN → [SSN], MRN → [MRN].
3. Claude Processing: Claude sees only the placeholder tokens such as [PATIENT_NAME] (clinical context preserved, identity removed).
4. Response Returned: Results contain no PHI; analysis of clinical patterns only.

Result: Zero PHI sent to external AI services

Clinical context preserved. Patient identities protected. Compliant with HIPAA AI guidance.

Audit Logging

HIPAA-compliant access tracking

Logged Events

  • All intelligence requests: requestId, type, user, timestamp, PHI accessed (Y/N)
  • API key usage: which key, how many requests, rate limit hits
  • Errors and timeouts: all system failures logged with request ID
  • Result delivery: webhook attempts, retries, failures

Retention & Access

  • Retention: 7 years (HIPAA requirement for healthcare entities)
  • Access: Enterprise admins can query audit logs by date range, user, request type
  • Export: CSV export for compliance audits and investigations

Data Encryption

End-to-end protection in transit and at rest

In Transit

  • TLS 1.3: All API connections encrypted with modern TLS
  • HSTS: Force HTTPS, prevent downgrade attacks
  • Certificate Pinning: Available for mobile / embedded integrations

At Rest

  • AES-256-GCM: Database encryption with authenticated encryption
  • Key Management: Keys stored in secure vault (never in code)
  • Backup Encryption: Database backups encrypted separately

Compliance Roadmap

BAA-Ready (Q1 2026)

COMPLETE

Business Associate Agreement available. Signed BAA required for HIPAA-covered entities.

  • ✓ PHI sanitization before Claude processing
  • ✓ Audit logging with 7-year retention
  • ✓ Encrypted transport and storage
  • ✓ Breach notification procedures

SOC 2 Type I (Q3 2026)

PLANNED

Independent audit of security controls (CC, C, AI, S, PO, A)

  • Access control policies and enforcement
  • Change management procedures
  • Incident response and recovery
  • Physical security at data centers

SOC 2 Type II (Q4 2026)

PLANNED

6-month audit period demonstrating effective control operation over time

  • 6-month control operation evidence
  • Testing by independent auditors
  • Auditor's report issued

HITRUST CSF (Q2 2027)

PLANNED

Comprehensive healthcare security framework combining HIPAA, HITECH, and ISO 27001

  • HIPAA compliance verified
  • PCI DSS-level security controls
  • ISO 27001 standards

Infrastructure Security

Vercel

  • ✓ SOC 2 Type II certified
  • ✓ Global CDN with DDoS protection
  • ✓ Automatic security headers (CSP, HSTS)
  • ✓ Web Application Firewall

Supabase

  • ✓ HIPAA BAA available
  • ✓ PostgreSQL with encryption
  • ✓ Row-level security (RLS)
  • ✓ Automated backups to cold storage

Anthropic Claude

  • ✓ Data retention policy published
  • ✓ No training on customer data
  • ✓ PHI processing guide available
  • ✓ Enterprise API for sensitive use

Security Questions?

Our security team is available to review architecture, conduct penetration testing, or discuss compliance requirements.

Contact Security Team