CoverageUnlocked Security

Enterprise Security & Compliance

Healthcare-Grade Security

Built for HIPAA from Day One

CoverageUnlocked was designed by a healthcare industry insider who understands the security requirements of health systems. Our architecture ensures zero PHI exposure by design.

Zero-Knowledge PHI Architecture

We never see, store, or transmit protected health information

PHI Replacement

All patient identifiers are replaced with [BRACKET] placeholders before any data reaches our AI engine. Names, MRNs, dates of birth, addresses — stripped at the source.

Clinical-Only Analysis

Our analysis engine only processes de-identified clinical details: CPT codes, denial reasons, clinical notes (de-identified), and treatment history. Nothing that identifies a patient.

No PHI Storage

Analysis results are returned in real-time and not persisted on our servers. No PHI database means no PHI breach surface. Zero retained data = zero data risk.

HIPAA Compliance

BAA-ready architecture with defense-in-depth

Business Associate Agreement (BAA): Ready

BAA available for execution. Our zero-knowledge architecture minimizes BAA scope.

Encryption in Transit: Active

All API communications use TLS 1.3. Certificate pinning available for enterprise deployments.

Encryption at Rest: Active

AES-256 encryption for any configuration data. No PHI stored at rest.

Access Controls: Active

Role-based access control (RBAC) with SSO integration. Principle of least privilege enforced.

Audit Logging: Active

Comprehensive audit trail for all API calls. Immutable logs retained per policy.

Data Retention Policy: Active

Analysis results: not retained. Session metadata: 30 days. Audit logs: 7 years (configurable).

SOC 2 Type II Roadmap

Independent audit planned for Q2 2026

Q1 2026

Foundation Controls Implementation

Access controls, encryption, logging, incident response procedures

Q2 2026

SOC 2 Type I Audit

Point-in-time assessment of security controls design

Q3-Q4 2026

SOC 2 Type II Observation Period

6-month observation window for operating effectiveness

Q1 2027

SOC 2 Type II Report

Independent auditor report on controls operating effectiveness

API Authentication

OAuth 2.0 + API Keys

Enterprise clients receive dedicated API keys with configurable permissions

Rate Limiting

Per-key rate limiting with configurable thresholds (default: 100 req/min)

IP Allowlisting

Optional IP-based access restrictions for enterprise deployments

Token Rotation

Automated key rotation with zero-downtime rollover

Incident Response

24/7 Monitoring

Automated anomaly detection on all API endpoints

Incident Classification

4-tier severity model (P1-P4) with defined response SLAs

Breach Notification

72-hour notification commitment (well within HIPAA's 60-day maximum)

Post-Incident Review

Root cause analysis and prevention plan for every P1/P2 incident

Infrastructure Security

Hosting: Vercel (AWS)

SOC 2 certified infrastructure

AI Engine: Anthropic Claude

SOC 2 certified, no training on inputs

Database: Supabase

PostgreSQL with row-level security (RLS), SOC 2 certified

CDN: Vercel Edge

Global edge network, DDoS protection

Have security questions? Our team is happy to walk through our architecture in detail.
