HIPAA From Day Zero
We handle PHI for a living. We sign a Business Associate Agreement with every customer. We encrypt everything at rest with AES-256-GCM. We log every PHI access. We host on AWS under their HIPAA-eligible BAA. SOC 2 Type II audit in progress.
How We Protect PHI
BAA on Every Plan
Signed Business Associate Agreement before any PHI moves. No PHI is processed until your BAA is on file.
AES-256-GCM at Rest
All PHI encrypted at the application layer with AES-256-GCM. AWS S3 storage uses SSE-KMS on top of that.
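What "application-layer AES-256-GCM" has to get right in practice is a fresh nonce per encryption and an authenticated binding of the ciphertext to the record it belongs to, so that a blob cannot be silently altered or swapped between records before it ever reaches S3 and SSE-KMS. The following Go program is an added illustration written for this page, not the company's code: it assumes a 32-byte key generated locally in place of a KMS-managed data key, a hypothetical record ID used as GCM additional authenticated data, and a constructed sample PHI record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is the AES-256 key length in bytes.
const KeySize = 32

// NewRandomKey returns a fresh 256-bit key. In a real deployment the data key
// would come from (and be wrapped by) a KMS; generating it locally here is an
// assumption of this example only.
func NewRandomKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPHI seals one PHI record under AES-256-GCM. The record ID is passed
// as additional authenticated data (AAD), so a ciphertext copied from one
// record onto another fails to open. Output layout: nonce || ciphertext || tag.
func EncryptPHI(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce for every call: nonce reuse under one key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptPHI reverses EncryptPHI. Any change to the nonce, ciphertext or tag,
// or a record ID that does not match the AAD used at encryption time, yields
// an error instead of corrupted plaintext.
func DecryptPHI(key []byte, recordID string, sealed []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewRandomKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient":"Jane Doe","dob":"1980-01-01"}`)

	sealed, err := EncryptPHI(key, "rec-1234", record)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptPHI(key, "rec-1234", sealed)
	fmt.Printf("round trip ok: %v (%d bytes)\n", err == nil && string(plain) == string(record), len(sealed))

	// Swapping the record ID (AAD mismatch) must fail.
	_, err = DecryptPHI(key, "rec-9999", sealed)
	fmt.Println("wrong record ID rejected:", err != nil)

	// Flipping one bit of the tag must fail.
	sealed[len(sealed)-1] ^= 0x01
	_, err = DecryptPHI(key, "rec-1234", sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The two failure paths at the end are the point of using GCM over an unauthenticated mode: both a bit flip and a cross-record swap are detected before any plaintext is returned to the application. SSE-KMS on the bucket then protects the same object a second time, independently, at the storage layer.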
MFA on Every Account
TOTP-based MFA available on every account. Secrets encrypted at rest. Required for admin and owner roles.
Audit Logs Everywhere
Every PHI read, write, export, and download is logged with user, timestamp, IP, and resource. Customer-accessible audit trail.
HIPAA-Eligible Infrastructure
Hosted on AWS US-East-1 under their signed BAA. Postgres + S3 + EC2, all on HIPAA-eligible services. Network isolation via VPC.
Subprocessor Transparency
Anthropic (AI inference, under their BAA) and our encrypted cloud infrastructure, also under BAA. Transactional email never carries PHI.
What We're Working On Next
SOC 2 Type II Audit
Type I scoping complete. Type II observation window underway. Report expected Q3 2026.
HITRUST CSF Readiness
Mapping completed. Validation engagement to begin once SOC 2 Type II is in hand.
Annual Penetration Testing
Scheduled with an independent firm for 2026. Summary report available to enterprise customers under NDA.
Need Our Security Package?
Enterprise customers and procurement teams can request our full security questionnaire response, architecture diagram, and BAA template under NDA.
Reach the security team: hello@denialzero.com