Security as
load-bearing software.
Per-tenant encrypted PHI, multi-tenant isolation, audited access — built like the infrastructure your clinic depends on, because it is.
Safeguards
What protects your data.
KMS-encrypted PHI
AES-256 at rest, TLS 1.3 in transit. Each PHI field is encrypted individually, using a per-tenant encryption context under a shared customer-managed key.
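To show what a per-tenant encryption context adds when the key itself is shared, here is an added illustration (not the product's own code): a local AES-256-GCM seal stands in for the KMS call, with the canonicalised tenant context as additional authenticated data, so a field sealed for one tenant will not open under another tenant's context even though both use the same key. The 32-byte key, the tenant IDs and the `tenant_id`/`field` context keys are constructed for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"sort"
	"strings"
)

// canonicalContext serialises the context deterministically (sorted keys), so the same pairs always yield the same AAD bytes.
func canonicalContext(ctx map[string]string) []byte {
	keys := make([]string, 0, len(ctx))
	for k := range ctx {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s;", k, ctx[k]) // assumes values contain no '=' or ';'
	}
	return []byte(b.String())
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptField seals one PHI value under the shared key; the tenant context is bound as AAD (not secret, but required byte-for-byte to decrypt).
func EncryptField(key []byte, ctx map[string]string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per field
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, canonicalContext(ctx)), nil // blob = nonce || ciphertext || tag
}

// DecryptField fails the GCM tag check if the key or any context value differs,
// so a blob sealed for one tenant cannot be opened under another tenant's context.
func DecryptField(key []byte, ctx map[string]string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, canonicalContext(ctx))
}
```

In a real KMS deployment the context map is passed to the key service with each encrypt and decrypt request and appears in its audit log, which is what makes a shared key still tenant-scoped.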
Multi-factor authentication
TOTP and WebAuthn (hardware key) MFA. Admins can enforce MFA practice-wide; it is required for prescriber roles.
Role-based access control
Granular permissions for providers, staff, billing, and admin. 42 CFR Part 2 segmentation for substance-use records.
Comprehensive audit logging
Every access, modification, and export of patient data is logged with user identity, timestamp, and IP. Logs retained for 7 years.
Multi-tenant isolation
Per-clinic database isolation. Data, encryption keys, and audit logs are scoped to the tenant — no cross-tenant access paths.
Incident response
Documented IR plan with 24-hour breach notification. Regular tabletop exercises and quarterly internal review.
Compliance
Certifications & status
We name what we've done — and what's still in progress.
Full administrative, technical, and physical safeguard compliance. BAA available before any PHI hits the system.
Enhanced protections for substance-use disorder records, with consent tracking and segmented disclosure.
Breach notification and enforcement provisions implemented end-to-end.
Independent audit underway. We'll publish the report when it's done — not before.
Responsible disclosure
If you find a security issue, tell us. We'll respond within one business day, fix it, and credit you (with your permission).