Enterprise security. Audit-ready.
Every layer designed for the healthcare trust model. SOC 2 Type II, HIPAA, HITRUST — covered.
Security controls
AES-256-GCM Encryption
All PHI encrypted at rest with AES-256-GCM. Each form gets its own AWS KMS data key (envelope encryption) — a compromised key for one form cannot decrypt any other. TLS 1.2+ enforced via Cloudflare.
BAA Included on Signup
Business Associate Agreement executed automatically on account creation. No separate legal negotiation. Covers all 18 HIPAA identifiers. Countersigned PDF delivered instantly.
Immutable Audit Logs
HMAC-SHA256 signed audit trail on every vault operation, login, API key use, and admin action. INSERT-only at DB level — UPDATE and DELETE blocked. Retained indefinitely. Export to any SIEM.
Breach Response
$10M cyber insurance. Dedicated breach response team. Notification within 24 hours of discovery. Automated containment procedures. Post-incident forensics.
iFrame Origin Isolation
Form renderer runs on embed.hipaacompliant.io — a separate domain from your app. Browser same-origin policy prevents your JavaScript from reading field values. postMessage payloads contain only a record_id, never PHI.
API Key Scoping
Two key types: Public keys (pk_live_) for form submission only; Secret keys (sk_live_) for vault read and full API access. Secret keys are bcrypt-hashed at storage — plaintext shown once at creation.
By the numbers
Infrastructure you can stake your reputation on.
Ready to trust your PHI to us?
Request our full security report — shared under NDA within 1 business day.