Security & Compliance

Enterprise security. Audit-ready.

Every layer designed for the healthcare trust model. SOC 2 Type II, HIPAA, HITRUST — covered.

Request Security ReportDownload Trust Center
HIPAA
SOC 2 Type II
HITRUST CSF
NIST 800-188
GDPR Ready
ISO 27001

Security controls

AES-256-GCM Encryption

All PHI encrypted at rest with AES-256-GCM. Each form gets its own AWS KMS data key (envelope encryption) — a compromised key for one form cannot decrypt any other. TLS 1.2+ enforced via Cloudflare.

BAA Included on Signup

Business Associate Agreement executed automatically on account creation. No separate legal negotiation. Covers all 18 HIPAA identifiers. Countersigned PDF delivered instantly.

Immutable Audit Logs

HMAC-SHA256 signed audit trail on every vault operation, login, API key use, and admin action. INSERT-only at DB level — UPDATE and DELETE blocked. Retained indefinitely. Export to any SIEM.

Breach Response

$10M cyber insurance. Dedicated breach response team. Notification within 24 hours of discovery. Automated containment procedures. Post-incident forensics.

iFrame Origin Isolation

Form renderer runs on embed.hipaacompliant.io — a separate domain from your app. Browser same-origin policy prevents your JavaScript from reading field values. postMessage payloads contain only a record_id, never PHI.

API Key Scoping

Two key types: Public keys (pk_live_) for form submission only; Secret keys (sk_live_) for vault read and full API access. Secret keys are bcrypt-hashed at storage — plaintext shown once at creation.

By the numbers

Infrastructure you can stake your reputation on.

99.99%
Uptime SLA
0
PHI breaches to date
Audit log retention
< 24h
Breach notification

Ready to trust your PHI to us?

Request our full security report — shared under NDA within 1 business day.