Compliance Status
- HIPAA: Compliant. Business Associate Agreements (BAA) available for all paid plans. We never store PHI - all processing happens in memory.
- SOC 2 Type II: In Progress. Currently undergoing SOC 2 Type II audit. Expected completion Q2 2025. Contact us for our SOC 2 Type I report.
- Encryption: Implemented. TLS 1.3 for all data in transit. AES-256-GCM for any data at rest. HMAC-SHA256 for token generation.
- Zero Retention: Enforced. PHI is never persisted to disk. All de-identification happens in memory. Token maps are encrypted and expire automatically.
Security Practices
- Infrastructure Security: Deployed on SOC 2 compliant cloud infrastructure. Network isolation, firewalls, and DDoS protection included.
- Access Control: API key authentication required. Rate limiting and abuse prevention. Detailed audit logs for all API calls.
- Audit Trail: Every de-identification operation produces a cryptographically signed receipt. Tamper-evident logging for compliance.
- Secure Development: Code reviews required for all changes. Dependency scanning. Regular security assessments and penetration testing.
- Incident Response: 24-hour incident response SLA. Documented incident response procedures. Breach notification within 72 hours as required.
Data Processing
- Data Location: All processing occurs in US-based data centers. No data is transferred internationally.
- Data Lifecycle: Input text is processed in memory and immediately discarded. Token maps have a configurable TTL (default 72 hours).
- No Training on Your Data: We never use customer data to train models. Your PHI is never logged, stored, or analyzed beyond the immediate API request.
Security Questions?
Our security team is happy to answer questions, provide documentation, or discuss your specific compliance requirements.