
Security posture. Honest about it.

We move medical billing data for a living, so we treat security as table stakes. This page lays out what we have, what is in progress, and what isn't done yet. If something matters for your security review, ask for the underlying evidence — we'll share it under NDA.

Last updated: 2026-05-17 · Contact: sriram@getmaxrcm.com · Entity: GetMax Healthcare Solutions Pvt Ltd
read this first

This is a summary, not a contract. Plain-English description of how we run the platform and handle your data. The authoritative documents — Master Services Agreement, BAA, Data Processing Addendum, security questionnaire responses — are available under NDA. Email sriram@getmaxrcm.com for the long form.

1. At a glance

what is live today
  • HIPAA Business Associate Agreement with AWS signed and in force.
  • BAA available for every customer who handles PHI. Bonterms template.
  • Field-level PHI encryption with AES-256-GCM, on top of AWS-managed at-rest encryption.
  • TLS 1.2+ on every external endpoint. HSTS in place.
  • MFA required for all GetMax staff. MFA required for customer admin roles.
  • Per-tenant data isolation enforced in every database read path.
  • Comprehensive audit logging on all PHI access, retained 6+ years.
  • Quarterly access reviews and least-privilege RBAC.
  • Encrypted automated daily backups, 35-day retention, restore tests quarterly.
what is in progress (not yet certified)
  • SOC 2 Type II. Audit window opened with a Big-4-adjacent auditor; expected report H2 2026. We do not claim SOC 2 Type II as complete.
  • HITRUST. Not started. We will pursue HITRUST CSF only if customer demand justifies the cost.
  • Penetration test. External pentest scheduled; first report will be available under NDA within 60 days of remediation.
  • External SIEM. Logs ship to centralised storage today; vendor SIEM evaluation in progress.

2. Infrastructure

  • Cloud. Amazon Web Services, US regions (us-east-1, us-west-2). AWS BAA in force. We use HIPAA-eligible services only for PHI-bearing workloads.
  • Compute. Containerised workloads on managed runtimes (Vercel, ECS). Private subnets, security groups by least privilege, no inbound SSH on production hosts.
  • Database. MongoDB Atlas (PHI tier with BAA), per-tenant document partitioning, encrypted in transit and at rest.
  • Object storage. S3 with bucket-level encryption (SSE-KMS), versioning, and access logging.
  • Secrets. AWS Secrets Manager + scoped IAM roles. Secrets never in code, never in commits, never in chat.

3. Application security

Authentication and access

  • Password hashing with bcrypt; minimum length and breach checks enforced.
  • MFA via TOTP for all internal staff and customer administrators.
  • Short-lived signed session tokens (JWT, rotating keys).
  • Role-based access control with default-deny on every PHI endpoint.
  • SSO (SAML / OIDC) available on the enterprise plan.

Tenant isolation

  • Every PHI-touching API filters by the caller's practice scope. A repo-level audit script (scripts/audit_practice_filter.ts) runs on every PR to catch routes that forget the filter.
  • Per-tenant collection partitioning at the database layer.
  • No cross-tenant joins. No shared in-memory caches that hold PHI.
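As an added illustration of the kind of check the audit script above performs (this is example code, not GetMax's own scripts/audit_practice_filter.ts): a simplified repo-level scan that flags queries against PHI collections whose statement never mentions the practice scope. The collection names, the `practiceId` field name and the three route sources are assumptions constructed for the example.

```typescript
// Added example, not GetMax's scripts/audit_practice_filter.ts: a simplified
// repo-level check that flags PHI collection queries with no practice scope.
// Collection names, the practiceId field and the route sources are assumed.
const PHI_COLLECTIONS = ["patients", "encounters", "claims"];
const QUERY_CALL = /collection\(\s*["'`](\w+)["'`]\s*\)\s*\.\s*(find|findOne|updateOne|updateMany|deleteOne|deleteMany|aggregate)\s*\(/;
export interface Finding { file: string; line: number; collection: string; }

// Join source lines from `start` until the parentheses opened there close again,
// so a query object spread over several lines is inspected as one statement.
function statementFrom(lines: string[], start: number): string {
  let depth = 0, opened = false;
  const out: string[] = [];
  for (let i = start; i < lines.length; i++) {
    out.push(lines[i]);
    for (let k = 0; k < lines[i].length; k++) {
      if (lines[i][k] === "(") { depth++; opened = true; }
      else if (lines[i][k] === ")") depth--;
    }
    if (opened && depth <= 0) break;
  }
  return out.join("\n");
}

// Audit one file: every query on a PHI collection must mention practiceId in its
// statement. Heuristic: a call split before ".find(" is missed; an AST check is stricter.
export function auditPracticeFilter(file: string, source: string): Finding[] {
  const lines = source.split("\n");
  const findings: Finding[] = [];
  lines.forEach((text, i) => {
    const m = QUERY_CALL.exec(text);
    if (!m || PHI_COLLECTIONS.indexOf(m[1]) < 0) return;
    if (!/\bpracticeId\b/.test(statementFrom(lines, i))) findings.push({ file, line: i + 1, collection: m[1] });
  });
  return findings;
}

// Constructed route sources: one scoped correctly, one missing the filter, one non-PHI.
export const SAMPLE_ROUTES: { [path: string]: string } = {
  "api/claims/list.ts": `export async function GET(req, ctx) {
  return db.collection("claims").find({ practiceId: ctx.practiceId, status: "open" }).toArray();
}`,
  "api/claims/export.ts": `export async function GET(req) {
  // BUG: no practice scope, so this would return every tenant's claims
  return db.collection("claims").find({
    status: "open",
  }).toArray();
}`,
  "api/health.ts": `export async function GET() {
  return db.collection("settings").findOne({ key: "version" });
}`,
};
```

Run over every file a PR touches and fail the check when `auditPracticeFilter` returns any finding.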

Encryption

  • In transit: TLS 1.2+ enforced. HSTS. Modern cipher suites only.
  • At rest: AWS-managed disk encryption everywhere (AES-256). Database-side encryption on MongoDB Atlas.
  • Field-level: Sensitive PHI fields (e.g. member IDs, encounter notes) are additionally encrypted with AES-256-GCM at the application layer using per-tenant keys managed in AWS KMS.

Code and supply chain

  • Mandatory code review on every change to production branches.
  • Pre-commit hooks block secrets, large binaries, and obvious unsafe patterns.
  • Dependency scanning on every PR. High/critical CVEs gate merges.
  • SBOM available on request.

4. Audit logging and monitoring

  • Every authentication, every PHI read, and every privileged action is logged with actor, target, action, and timestamp.
  • Audit logs are retained for a minimum of six years per HIPAA expectations and are immutable from the application side.
  • Cloud control-plane events captured in AWS CloudTrail. Application events captured in structured logs.
  • Alerts fire on anomalous access patterns (e.g. impossible-travel logins).
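An added example of the impossible-travel rule mentioned above, written for illustration and not taken from GetMax's monitoring stack: consecutive logins by the same actor are compared, and a pair whose implied speed exceeds a threshold raises an alert. It assumes source IPs have already been geolocated to latitude/longitude upstream, and the 900 km/h threshold and the sample events are constructed.

```typescript
// Added example, not GetMax's monitoring code: an impossible-travel check over
// constructed login events. Source-IP geolocation (lat/lon) is assumed to be
// resolved upstream; the 900 km/h threshold is an assumed starting point.
export interface LoginEvent { actor: string; at: string; ip: string; lat: number; lon: number; }
export interface TravelAlert {
  actor: string; fromIp: string; toIp: string; distanceKm: number; hours: number; kmh: number;
}
export const MAX_PLAUSIBLE_KMH = 900; // above airliner speed: no flight explains it

// Great-circle distance between two points, using Earth's mean radius (6371 km).
export function haversineKm(lat1: number, lon1: number, lat2: number, lon2: number): number {
  const rad = (d: number) => (d * Math.PI) / 180;
  const dLat = rad(lat2 - lat1), dLon = rad(lon2 - lon1);
  const a = Math.pow(Math.sin(dLat / 2), 2)
    + Math.cos(rad(lat1)) * Math.cos(rad(lat2)) * Math.pow(Math.sin(dLon / 2), 2);
  return 2 * 6371 * Math.asin(Math.sqrt(a));
}

// Group events by actor, order them by time, and flag any consecutive pair whose
// implied ground speed exceeds maxKmh.
export function impossibleTravel(events: LoginEvent[], maxKmh: number = MAX_PLAUSIBLE_KMH): TravelAlert[] {
  const byActor: { [actor: string]: LoginEvent[] } = {};
  for (const e of events) (byActor[e.actor] = byActor[e.actor] || []).push(e);
  const alerts: TravelAlert[] = [];
  for (const actor of Object.keys(byActor)) {
    const list = byActor[actor].slice().sort((x, y) => Date.parse(x.at) - Date.parse(y.at));
    for (let i = 1; i < list.length; i++) {
      const prev = list[i - 1], cur = list[i];
      const hours = (Date.parse(cur.at) - Date.parse(prev.at)) / 3600000;
      const distanceKm = haversineKm(prev.lat, prev.lon, cur.lat, cur.lon);
      // Clamp the interval to one minute so near-simultaneous logins do not divide by zero.
      const kmh = distanceKm / Math.max(hours, 1 / 60);
      if (kmh > maxKmh) alerts.push({ actor, fromIp: prev.ip, toIp: cur.ip, distanceKm, hours, kmh });
    }
  }
  return alerts;
}

// Constructed audit events; IPs are placeholders from documentation ranges.
export const SAMPLE_LOGINS: LoginEvent[] = [
  { actor: "biller@practice.example", at: "2026-05-17T09:00:00Z", ip: "198.51.100.10", lat: 40.7128, lon: -74.006 },  // New York
  { actor: "biller@practice.example", at: "2026-05-17T10:00:00Z", ip: "203.0.113.7", lat: 19.076, lon: 72.8777 },     // Mumbai, 1 h later
  { actor: "admin@practice.example", at: "2026-05-17T09:00:00Z", ip: "198.51.100.20", lat: 40.7128, lon: -74.006 },   // New York
  { actor: "admin@practice.example", at: "2026-05-17T12:00:00Z", ip: "198.51.100.21", lat: 42.3601, lon: -71.0589 },  // Boston, 3 h later
];
```

Tune the threshold per environment: VPN egress points and mobile carrier NAT are the usual sources of false positives for this rule.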

5. People and process

  • Background checks. All staff with PHI access are subject to background checks where lawful.
  • Training. HIPAA security and privacy training is mandatory at hire and annually thereafter.
  • Least privilege. Access is granted by role, reviewed quarterly, and revoked promptly on role change.
  • Vendor management. Every subprocessor that touches PHI signs a BAA. Reviewed annually. See the Privacy page for the current list.
  • BYOD. Staff devices used for PHI work are managed: full-disk encryption, screen lock, MDM, EDR.

6. Incident response

  1. Detect. Alerts from monitoring, customer reports, or staff observation open an incident.
  2. Contain. Affected systems are isolated; credentials rotated; access revoked.
  3. Investigate. Forensic timeline assembled from logs. Scope of any PHI exposure determined.
  4. Notify. Customers notified without undue delay; written breach notification within HIPAA-required timelines (no later than 60 days from discovery of an unsecured-PHI breach).
  5. Remediate. Patch, retest, document. Root-cause analysis shared with affected customers under NDA.

Report a suspected vulnerability or incident to security@getmaxglobal.com or sriram@getmaxrcm.com. We do not pursue legal action against good-faith researchers who follow the responsible-disclosure practice on this page.

7. Resilience and continuity

  • Backups. Encrypted automated daily backups, 35-day retention, region-redundant.
  • RPO / RTO. Target RPO 24 hours, target RTO 4 hours for full service restoration. Lower targets available under enterprise SLAs.
  • Restore tests. Quarterly restore drills against a separate environment.
  • Status page. Operational status published at the platform's status surface.

8. Customer responsibilities

Security is a partnership. We harden the platform; you control the human side.

  • Keep your account credentials secret. Don't share.
  • Use unique passwords and enable MFA for every user.
  • Deactivate user accounts promptly when staff leave.
  • Set roles to the minimum that each user needs.
  • Review your audit log periodically.
  • Report suspected misuse within 24 hours.

9. What we don't do (yet)

  • FedRAMP, IL5, ISO 27001. Not certified. If you need these for procurement, tell us — we'll let you know when we get there.
  • Customer-managed encryption keys (CMEK / BYOK). Not available on standard tiers. Enterprise tier roadmap H2 2026.
  • Continuous external red-team retainer. Point-in-time pentest only at present.

10. Evidence on request

For security questionnaires, SIG, CAIQ, or vendor risk assessments, email security@getmaxglobal.com with your NDA. We typically respond within 5 business days.

11. Contact

security@getmaxglobal.com for security topics. sriram@getmaxrcm.com for anything else.

The AI-native billing team for independent practices.
Built in India · serves the US since 2010.

© 2026 GetMax Healthcare Solutions Pvt Ltd · HIPAA-grade infra on AWS · SOC 2 Type II in progress