We move medical-billing data for a living. This page is the live posture of what's in place today, what's on the roadmap, and what isn't in scope yet. For the deep legal language, see /security.
Business Associate Agreement with Amazon Web Services in force. Production workloads on HIPAA-eligible services only.
PHI fields encrypted at application layer with per-tenant keys, on top of AWS-managed at-rest encryption.
MFA required for all staff and customer admin roles. Destructive ops require re-authentication via sudo-mode.
Tenant isolation enforced in every database read path. 53 routes audited under PR #47 with 0 cross-tenant leaks.
Every PHI access is logged as a signed record carrying caller, tenant, route, status, and payload hash. 6+ year retention. Tamper-evident.
Per-bucket rate limits with X-RateLimit-* headers. Strict Content Security Policy. HSTS preload on every external endpoint.
Structured logs run through a PHI redactor before they leave the host. No patient identifiers in stdout, stderr, or app logs.
We don't claim certifications we haven't earned. Below is what we're actively working toward, and what we've decided to defer. If something here is a blocker for your security review, ask — we'll tell you the real timeline, not a sales one.
SOC 2: Big-4-adjacent auditor engaged. Type II report expected H2 2026. Not claimed as complete.
Will pursue only if customer demand justifies the cost. Honest stance: most of our customers don't ask for it.
Out of scope for the commercial healthcare segment we serve today. Reconsider when we work with federal payers.
Customer-managed keys via AWS KMS for enterprise tier. In-scope for the latter half of 2026 alongside SOC 2 Type II.
Sub-processors with PHI access carry a Business Associate Agreement. Sub-processors that process operational data (non-PHI) carry a Data Processing Agreement. Anything else doesn't get our customers' data.
| Sub-processor | Region | Purpose | Agreement |
|---|---|---|---|
| Amazon Web Services | us-east-1 / us-west-2 | Compute, storage, KMS, IAM | BAA |
| MongoDB Atlas | United States (PHI tier) | Primary application database | BAA |
| Vercel | Edge · United States | Web hosting + edge runtime | DPA |
| Twilio | United States | Voice + SMS + telephony | BAA + DPA |
| ElevenLabs | United States | Voice synthesis for Echo agents | DPA |
| Anthropic | United States | Claude API for classification and drafting | DPA |
| Microsoft Graph | United States | Outlook, Teams, OneDrive (Flux + Lisa) | BAA + DPA |
| Google Workspace | United States | Gmail, Calendar, Drive (Flux + Lisa) | BAA + DPA |
| Stripe | United States | Subscription billing + invoicing | DPA |
| DocuSeal | Self-hosted · AWS us-east-1 | BAA + contract e-signature | BAA |
| Resend | United States | Transactional email (non-PHI only) | DPA |
Full Privacy + Security Rule posture. AWS BAA signed. Customer BAA on Bonterms template available day one. PHI handling documented in /security.
California consumer rights honored: access, deletion, opt-out of sale (we don't sell). Privacy notice + DSAR workflow live.
We operate US-only today. We will not ship EU data residency or DPA-grade EU posture until we have a real European customer. Honest scope.
Texas-specific PHI handling overlay on top of HIPAA. Relevant for our Texas-based customers (counseling networks).
Confidentiality of Medical Information Act handled alongside HIPAA + CCPA for California practices on the platform.
The legal posture page goes deeper on infrastructure, application security, sub-processor commitments, incident response, breach notification, and customer obligations. If you're running a vendor risk review, start there.
Send your security questionnaire, your DPA, your BAA. We'll respond with the same honest framing as this page. No marketing in the loop.