Security & compliance
Built for healthcare security standards
We're building toward formal certification with a security-first architecture from day one. What follows is our actual posture — stated plainly, with nothing we haven't earned.
HIPAA-minded architecture
Facility-scoped access controls, role-based permissions, and function-level authorization on every data path. AI features receive PHI-minimized inputs — internal identifiers, never names.
BAA available for facility customers
We execute a Business Associate Agreement with every facility customer before any protected health information is processed — the BAA governs how PHI is handled.
SOC 2 Type II — on the roadmap
SOC 2 Type II (AICPA Trust Services Criteria) is on our roadmap, not on our wall. We will not display a badge for a certification we do not yet hold.
Comprehensive audit logs
Every access and change is logged with timestamps, user attribution, and change tracking. The same audit trail that backs our reports backs our own accountability.