PHI Vault

Encrypted vault for every identifier

All 18 HIPAA identifiers stored, encrypted, tokenized. Access requires authentication, reason codes, and fires an immutable audit event.

Get Started →API Docs
AES-256-GCM
Encryption algorithm
AWS KMS
Key management
Per-form
Envelope encryption
TLS 1.2+
In-transit security

Enterprise-grade vault

Built for the security requirements of the most regulated industry on earth.

AES-256-GCM + Envelope Encryption

Every form submission stored as an AES-256-GCM encrypted JSONB blob. Each form has its own AWS KMS data key — a compromised key for one form cannot decrypt any other form's records.

Tokenized Access

Your app receives a record_id token — never raw PHI. Access requires a secret key (sk_live_...), authentication, and a reason code. Every read fires an immutable audit log event.

Petabyte Scale

Purpose-built for healthcare data volumes. Automatically shards as your patient base grows. No storage limits on Enterprise.

Retention & Right to Erasure

Audit logs retained indefinitely (HIPAA requires 6 years minimum). Soft-delete support for patient right-to-erasure (HIPAA §164.524) — records flagged deletedAt, excluded from queries while preserving the audit trail.

Multi-Region Replication

All data in AWS us-east-1 (Multi-AZ RDS) by default. Self-hosted deployment supports any AWS region. Data residency controls available for compliance requirements.

Zero-Knowledge

HaaS staff cannot read PHI. Field-level encryption guarantees. Customer-managed keys on Enterprise tier.

Simple retrieval API

One endpoint to retrieve PHI. Requires authentication, reason code, and requestor ID — all automatically logged.

Authentication required
Reason code mandatory
Access logged automatically
Scoped token revocation
Rate limiting per-key
GET /api/v1/vault/{record_id}
{
  "data": {
    "name": "Jane Smith",
    "dob": "1985-03-12",
    "ssn": "***-**-1234",
    "insurance_id": "BC123456"
  ,
  "access_log_id": "log_01HV...",
  "accessed_at": 1716220800
}

Keep your PHI safe

Secure vault live in minutes. No infrastructure to manage.

Get Started Security Overview