HIPAA-ready posture
Administrative, technical, and physical safeguards mapped to HIPAA. BAA available on request before go-live.
Encrypted in transit and at rest
TLS 1.2+ in transit, AES-256 at rest. PHI in S3 stays in HIPAA-eligible storage with strict access policies.
Immutable audit trail
Every login, view, edit, and deletion is recorded with actor, timestamp, and prior state. Auditors can replay the record without touching it.
Encryption that meets the compliance review.
PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256). File uploads — encounters, before/after photos, intake attachments — land in HIPAA-eligible S3 buckets with bucket-level encryption and short-lived presigned URLs.
All client/server traffic; HSTS preload at the edge.
At-rest encryption for database and object storage.
9 roles. Enforced at the API and UI.
Permissions are scoped per role and applied at both the API and UI layers. The matrix below shows a representative subset — the full set is configurable per practice.
| Capability | Site Admin | Org Admin | Provider | Nurse | Medical Asst. | Office Manager | Front Desk | Patient | Auditor |
|---|---|---|---|---|---|---|---|---|---|
| View patient chart | ● | ● | ● | ● | ● | ◑ | ◑ | ◑ | ◐ |
| Edit clinical notes | ◐ | ◐ | ● | ◐ | ◐ | · | · | · | · |
| Sign off on encounters | · | · | ● | · | · | · | · | · | · |
| Manage inventory | ● | ● | ◑ | ◑ | ◑ | ● | · | · | ◐ |
| Process payments | ● | ● | · | · | · | ● | ● | ◑ | ◐ |
| Manage users + roles | ● | ● | · | · | · | ◑ | · | · | · |
| View audit log | ● | ● | · | · | · | ◑ | · | · | ● |
| Configure billing | ● | ● | · | · | · | ◑ | · | · | · |
| Patient portal access | · | · | · | · | · | · | · | ● | · |
Audit logs that hold up under review.
Every action that touches PHI is recorded immutably — actor, timestamp, IP, the prior value where applicable. Auditors get a read-only role that can replay the history without altering it.
Append-only by design
Records are written, never updated. Even an admin cannot rewrite history — they can annotate it.
Read-only Auditor role
Compliance reviewers see the trail without seeing anything else. No risk of accidental edits during review.
BAA on request
We sign a Business Associate Agreement before you go live. Standard terms; we negotiate where it matters.
Data residency
US-region by default. Multi-region deployments available for enterprise customers; data never leaves the region you choose.
Soft-delete + retention
Deletes are reversible for the configured retention window. Permanent purge runs on a documented schedule.