Compliance & Security

The platform is built for organizations handling protected health information (PHI).

HIPAA Posture
  • Role-based access control with row-level security on every PHI table.
  • Audit log captures administrative and PHI-relevant events with configurable retention (default 7 years).
  • Encryption at rest (AES-256) and in transit (TLS 1.2+) across all data stores.
  • Least-privilege service roles; production secrets isolated from the application bundle.
  • Backups and point-in-time recovery managed by the database provider.
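
As a concrete illustration of the first two bullets (row-level security on PHI tables and an audit log of PHI-relevant events), the following PostgreSQL snippet is an added example and not the platform's own schema; the table, column, role and setting names (patient_records, phi_audit_log, app_user, app.current_org, app.current_role, app.current_actor) are illustrative, and PostgreSQL 12 or later is assumed.

```sql
-- Added example, not the platform's schema. Assumes PostgreSQL 12+.
-- Names (patient_records, app_user, app.current_* settings) are illustrative.

CREATE TABLE patient_records (
  id              bigserial PRIMARY KEY,
  organization_id uuid NOT NULL,
  mrn             text NOT NULL,   -- medical record number (PHI)
  notes           text
);

CREATE TABLE phi_audit_log (
  id              bigserial PRIMARY KEY,
  occurred_at     timestamptz NOT NULL DEFAULT now(),
  db_role         text NOT NULL,   -- database role that performed the write
  app_actor       text,            -- application user id, passed in via a setting
  organization_id uuid,
  record_id       bigint,
  action          text NOT NULL    -- INSERT / UPDATE / DELETE
);

-- The application's login role is made a member of app_user. It can read and
-- write PHI rows, never bypasses RLS, and cannot delete rows or edit audit rows
-- (deletion subject to retention rules is left to a separate maintenance role).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE ON patient_records TO app_user;
GRANT USAGE ON SEQUENCE patient_records_id_seq TO app_user;
GRANT SELECT ON phi_audit_log TO app_user;   -- reviewable, not editable

ALTER TABLE patient_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_records FORCE ROW LEVEL SECURITY;  -- binds the table owner too

-- Per-request context, set by the application after authenticating the user:
--   SET LOCAL app.current_org   = '<organization uuid>';
--   SET LOCAL app.current_role  = 'clinician';   -- or 'viewer', 'billing', ...
--   SET LOCAL app.current_actor = '<user id>';
-- current_setting(name, true) returns NULL (or '' after a reset) instead of
-- raising when the setting is absent; NULLIF maps '' to NULL so a missing
-- context yields no rows rather than a cast error.
CREATE OR REPLACE FUNCTION app_current_org() RETURNS uuid
  LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.current_org', true), '')::uuid
$$;

-- Tenant isolation: a row is visible or writable only within its organization.
CREATE POLICY org_isolation ON patient_records
  FOR ALL TO app_user
  USING (organization_id = app_current_org())
  WITH CHECK (organization_id = app_current_org());

-- Role restriction. RESTRICTIVE policies are ANDed with the permissive policy
-- above, so a 'viewer' in the right organization can read but not modify rows.
CREATE POLICY clinician_only_updates ON patient_records
  AS RESTRICTIVE FOR UPDATE TO app_user
  USING (current_setting('app.current_role', true) = 'clinician');
CREATE POLICY clinician_only_inserts ON patient_records
  AS RESTRICTIVE FOR INSERT TO app_user
  WITH CHECK (current_setting('app.current_role', true) = 'clinician');

-- Audit trigger. SECURITY DEFINER lets it insert into phi_audit_log although
-- app_user has no INSERT privilege there; search_path is pinned so the
-- definer-privileged body cannot be redirected to attacker-created objects.
CREATE OR REPLACE FUNCTION log_phi_change() RETURNS trigger
  LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_catalog AS $$
BEGIN
  INSERT INTO phi_audit_log (db_role, app_actor, organization_id, record_id, action)
  VALUES (current_user,
          NULLIF(current_setting('app.current_actor', true), ''),
          COALESCE(NEW.organization_id, OLD.organization_id),
          COALESCE(NEW.id, OLD.id),
          TG_OP);
  RETURN COALESCE(NEW, OLD);
END
$$;

CREATE TRIGGER patient_records_audit
  AFTER INSERT OR UPDATE OR DELETE ON patient_records
  FOR EACH ROW EXECUTE FUNCTION log_phi_change();
```

Two caveats a reviewer should check in any such setup: row-level triggers never fire on SELECT, so logging of reads (as opposed to writes) has to come from pgAudit or the application layer; and superusers and roles with BYPASSRLS ignore row-level security entirely, so the application's database role must be neither.
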

Business Associate Agreement (v1.0)

This Business Associate Agreement ("BAA") is entered into between the platform operator ("Business Associate") and your organization ("Covered Entity") and governs the use and disclosure of Protected Health Information ("PHI") created or received on behalf of the Covered Entity.

1. Permitted Uses

Business Associate may use PHI only to perform the services described in the underlying services agreement, plus management, administration, and legal responsibilities of the Business Associate.

2. Safeguards

Business Associate will implement administrative, physical, and technical safeguards that reasonably protect PHI confidentiality, integrity, and availability, consistent with 45 CFR §§ 164.308, 164.310, 164.312.

3. Reporting

Business Associate will report any use or disclosure of PHI not provided for in this BAA, including breaches of unsecured PHI, without unreasonable delay and in no case later than 30 days after discovery.

4. Subcontractors

Business Associate will ensure any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions and conditions.

5. Termination

Upon termination, Business Associate will return or destroy all PHI received from the Covered Entity, or, if return/destruction is infeasible, extend the protections of this BAA to such PHI.

Organization owners can accept this BAA in Compliance settings.

Patient Rights
  • Access & portability: patients may request a copy of their data via their clinic.
  • Deletion: patients may request deletion of their record subject to legal retention requirements.
  • Audit: all access to PHI is logged and reviewable by the organization.

Infrastructure
  • Application served from an edge runtime; database hosted in a SOC 2 / HIPAA-eligible region.
  • Payments processed by PCI DSS Level 1 service providers; the platform never stores card data.
  • Vulnerability scanning and dependency auditing on every deploy.

Questions? Contact your organization's privacy officer or platform support.