
Trust & Security
No vague promises.
Verifiable controls.
Self-insured employers trust us with health plan data. Here is exactly what we do to earn and maintain that trust.
Last updated April 2026
Security Controls
What we implement
Encryption
- At rest: AES-256 (Supabase / AWS)
- In transit: TLS 1.3 with HSTS
- Backups: AES-256, daily automated backups
- Key management: managed by infrastructure provider; not accessible to application code
Access Controls
- Authentication: passwordless magic links (single-use, expiring tokens)
- Data isolation: row-level security — users can only access their own data
- Role-based access: 6 system roles with permission matrix
- Session management: automatic timeout after 15 minutes of inactivity (configurable per employer)
Audit Logging
- PHI access: every access to protected data is logged (who, what, when)
- Tamper resistance: append-only audit table — no updates or deletes permitted
- Retention: 7-year minimum retention for all audit records
- Monitoring: audit logs available to administrators for compliance reviews
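The two database controls above, per-user row-level isolation (Access Controls) and an append-only audit table (Tamper resistance), as an added example in Postgres/Supabase SQL. This is illustrative DDL, not the vendor's actual schema: the table names, columns, the `compliance_admin` role and the trigger name are assumptions; `auth.uid()` and the `authenticated`/`anon` roles are Supabase built-ins.

```sql
-- Added example, not the vendor's schema. Assumes a Supabase-hosted Postgres
-- where auth.uid() returns the calling user's id and the roles
-- 'authenticated' and 'anon' exist.

-- 1. Per-user data isolation with row-level security.
create table claims (
  id       bigserial primary key,
  owner_id uuid  not null default auth.uid(),  -- the user who owns the row
  payload  jsonb not null
);
alter table claims enable row level security;
alter table claims force row level security;   -- applies to the table owner too

create policy claims_owner_only on claims
  for all
  using      (owner_id = auth.uid())           -- rows a caller may see/modify
  with check (owner_id = auth.uid());          -- rows a caller may write

-- 2. Append-only audit table: who, what, when for every PHI access.
create table phi_access_log (
  id          bigserial primary key,
  actor_id    uuid        not null default auth.uid(),  -- who
  action      text        not null,                     -- what, e.g. 'read_claim'
  record_ref  text        not null,                     -- which record
  occurred_at timestamptz not null default now()        -- when
);

-- Remove the privilege to change history from every application role.
revoke update, delete, truncate on phi_access_log from public, authenticated, anon;

-- A trigger enforces append-only even if a grant is later made by mistake
-- or a privileged connection is used.
create or replace function reject_audit_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'phi_access_log is append-only: % rejected', tg_op;
end;
$$;

create trigger phi_access_log_append_only
  before update or delete or truncate on phi_access_log
  for each statement execute function reject_audit_mutation();

-- Users may write and read only their own audit rows; a dedicated review
-- role (assumed name: compliance_admin) may read all of them.
alter table phi_access_log enable row level security;
alter table phi_access_log force row level security;

create policy audit_insert_own on phi_access_log
  for insert with check (actor_id = auth.uid());
create policy audit_read_own on phi_access_log
  for select using (actor_id = auth.uid());

create role compliance_admin nologin;                       -- assumed review role
grant select on phi_access_log to compliance_admin;
create policy audit_admin_read on phi_access_log
  for select to compliance_admin using (true);
```

Two checks worth running after applying DDL like this: connect as an ordinary `authenticated` user and confirm that `update phi_access_log set action = 'x'` fails with the trigger's error rather than silently affecting zero rows, and confirm that `select count(*) from claims` returns only the caller's rows. Note that a superuser or a role with `BYPASSRLS` can still drop the trigger, so the 7-year retention claim also depends on who holds those privileges and on backup immutability, not on this DDL alone.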
Data Minimization
- De-identification: HIPAA Safe Harbor compliant. All 18 identifier categories are removed before third-party transmission; member IDs are pseudonymized via SHA-256; patient names, dates of birth, and addresses are stripped from all analysis pipelines.
- Input option: we accept de-identified data — no names or SSNs required
- Purpose limitation: claims data is used solely for price benchmarking and billing error detection
- User control: clients can request deletion of their data at any time
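The Safe Harbor de-identification step described above, as an added example in Postgres SQL (pgcrypto). This is not the vendor's pipeline: the `raw_claims` source table, the `restricted_zip3` lookup table and the `pepper` parameter are assumptions. The page states that member IDs are hashed with SHA-256; the example keys that hash (HMAC-SHA-256) with a secret held outside the database, because a plain SHA-256 of a structured, enumerable member-ID space can be reversed by hashing every candidate ID, which would defeat the pseudonymization.

```sql
-- Added example, not the vendor's code. Requires pgcrypto for hmac().
create extension if not exists pgcrypto;

-- Constructed source table (assumption): claims as received from a plan.
create table raw_claims (
  member_id     text,
  member_name   text,      -- dropped entirely below
  dob           date,      -- reduced to year; 90+ collapsed
  zip           text,      -- reduced to 3 digits, or '000' for small units
  service_date  date,      -- reduced to year
  procedure_cpt text,
  billed_amount numeric
);

-- Three-digit ZIP prefixes whose population is 20,000 or fewer and must be
-- reported as '000' under 45 CFR 164.514(b)(2). The list itself is not on
-- this page; load it from the HHS guidance into this assumed lookup table.
create table restricted_zip3 (zip3 text primary key);

-- Pseudonymize a member id with a keyed hash. 'pepper' is a secret that must
-- not be stored next to the data (e.g. supplied from a secrets manager).
create or replace function pseudonymize_member(member_id text, pepper text)
returns text language sql immutable as $$
  select encode(hmac(member_id, pepper, 'sha256'), 'hex');
$$;

-- Safe Harbor view of the claims: no names, year-only dates, ages over 89
-- aggregated into a single 90+ category, truncated ZIP, pseudonymous member.
create or replace function deidentify_claims(pepper text)
returns table (
  member_pseudonym text,
  birth_year       int,      -- null when the member is 90 or older
  age_90_plus      boolean,
  zip3             text,
  service_year     int,
  procedure_cpt    text,
  billed_amount    numeric
) language sql stable as $$
  select
    pseudonymize_member(r.member_id, pepper),
    case when extract(year from age(r.dob)) >= 90 then null
         else extract(year from r.dob)::int end,
    extract(year from age(r.dob)) >= 90,
    case when exists (select 1 from restricted_zip3 z where z.zip3 = left(r.zip, 3))
         then '000' else left(r.zip, 3) end,
    extract(year from r.service_date)::int,
    r.procedure_cpt,
    r.billed_amount
  from raw_claims r;
$$;

-- Export only through the de-identified function, never from raw_claims:
-- select * from deidentify_claims('<pepper from secrets manager>');
```

Before relying on an export like this, a reviewer would spot-check that no column in the output can carry free text (a notes or description field defeats Safe Harbor), that the pepper is rotated and access-controlled like any other key, and that the same pepper is used across batches only where linking a member's claims over time is actually required by the analysis.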
Infrastructure
Built on SOC 2 certified providers
Every layer of our infrastructure is hosted by independently audited providers.
| Provider | Purpose | Certifications | BAA Status | Encryption | Region |
|---|---|---|---|---|---|
| Supabase | Database, authentication, storage | SOC 2 Type II | HIPAA BAA signed | AES-256 at rest, TLS 1.2+ in transit | United States |
| Vercel | Application hosting, CDN, edge network | SOC 2 Type II | No PHI at rest | TLS 1.3 in transit | Global edge network |
| Claims Analysis Provider | Claims analysis engine | SOC 2 Type II | De-identified data only; zero retention | TLS 1.3 in transit; zero data retention | United States |
All data is de-identified per HIPAA Safe Harbor (45 CFR 164.514(b)(2)) before any third-party transmission. No PHI leaves our infrastructure. Our claims analysis provider operates under zero data retention — inputs are not stored or used for training beyond the processing window.
BAA Process
Business Associate Agreement
We offer a BAA for all clients before any claims data is shared. This is standard practice for any vendor handling health plan data, and we treat it as a baseline — not an upsell.
In the post-Change Healthcare environment, carriers conduct active security validations before onboarding any vendor that touches claims data. Many billing audit firms cannot operate under a BAA or meet carrier security requirements. We can — and we provide the documentation your compliance team and carrier partners need to verify it.
To request a copy for legal review, contact us.
1. We provide our standard Business Associate Agreement for your legal team to review.
2. Both parties execute the BAA before any claims data is transferred.
3. We provide a list of subprocessors and their certifications.
4. Data transfer begins only after the BAA is fully executed.
Compliance Program
Formal compliance program
Compliance & Security Officer
Designated Compliance Officer and Security Officer responsible for HIPAA privacy, security, and breach notification. 7 active policies covering privacy, security, breach notification, incident response, disaster recovery, workforce training, and sanctions.
Workforce Training
All personnel with PHI access complete both HIPAA Awareness and HIPAA Security training with certification. New hires trained within 5 business days. Annual refresher required. Current certifications valid through April 2028.
Risk Assessment
Formal HIPAA Security Risk Assessment completed per 45 CFR 164.308(a)(1)(ii)(A), with an annual review cycle established. The risk assessment is complete, and incident response, breach notification, and disaster recovery plans are documented.
Compliance Status
All 13 HIPAA controls implemented
Every required HIPAA safeguard is in place. Cyber insurance, penetration testing, and SOC 2 certification are enterprise accelerators on our near-term roadmap.
- Done: HIPAA BAA executed with database provider (Supabase)
- Done: AES-256 encryption, RLS, audit logging, RBAC
- Done: Built on SOC 2 Type II certified infrastructure
- Done: HIPAA Security Risk Assessment completed
- Done: HIPAA workforce training completed and certified
- Done: Designated Compliance Officer and Security Officer appointed
- Done: All data de-identified per HIPAA Safe Harbor (45 CFR 164.514(b)(2))
- Done: No PHI transmitted to any third party — consumer endpoints removed
- Done: 7 formal HIPAA compliance policies active
- Done: Formal compliance program with designated Compliance and Security Officers
- Q2 2026: Cyber liability insurance
- Q3 2026: SOC 2 Type I audit
- Q4 2026: SOC 2 Type II observation period begins
Security questionnaire?
We have answers.
We are happy to complete security questionnaires, schedule a call with your compliance team, or provide additional documentation.