# Security & Compliance

Built for HIPAA from the first commit.

Multi-tenant isolation, PHI encryption, audit-everything, and an externally reviewed posture with all findings resolved.
## Architecture

Tenant-isolated, encrypted at rest, audited in motion.

Org-scoped models, column-level PHI encryption, fail-closed startup guards.
- Multi-tenant by default - every record is organization-scoped with strict tenant isolation
- UUID primary keys across all 656 models
- Soft deletes for clinical data integrity and audit compliance
- Async-first database operations via SQLAlchemy 2.0 with asyncpg
- Field-level encryption for sensitive identifiers, with a startup guard enforcing key presence
- Circuit breaker protection on auth and patient endpoints
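Two of the bullets above describe mechanisms that are easy to get subtly wrong: a startup guard that must refuse to boot when the field-encryption key is absent, and tenant scoping that must be applied on every read, update and delete rather than only on list views. The following is an added illustration written for this page, not the project's own code; it uses sqlite3 instead of SQLAlchemy/asyncpg, and the environment variable name `PHI_FIELD_KEY`, the table layout and the sample patient row are all constructed for the example.

```python
import sqlite3
import uuid
from datetime import datetime, timezone


class StartupConfigError(RuntimeError):
    """Raised when a required security setting is absent; the process must not start."""


def require_phi_field_key(env: dict) -> bytes:
    """Fail-closed startup guard. PHI_FIELD_KEY is an assumed variable name."""
    raw = env.get("PHI_FIELD_KEY", "")
    if not raw:
        raise StartupConfigError("PHI_FIELD_KEY missing: refusing to start without a field key")
    try:
        key = bytes.fromhex(raw)
    except ValueError as exc:
        raise StartupConfigError("PHI_FIELD_KEY is not valid hex") from exc
    if len(key) != 32:
        raise StartupConfigError("PHI_FIELD_KEY must decode to 32 bytes")
    return key


# Constructed schema: UUID primary key, tenant column on every row, soft-delete marker.
SCHEMA = """
CREATE TABLE patient (
    id TEXT PRIMARY KEY,            -- UUID, never a guessable integer
    organization_id TEXT NOT NULL,  -- tenant discriminator on every row
    display_name TEXT NOT NULL,
    deleted_at TEXT                 -- soft delete marker; NULL means live
)"""


class TenantScopedRepo:
    """Every statement carries organization_id and excludes soft-deleted rows."""

    def __init__(self, conn: sqlite3.Connection, organization_id: str):
        self.conn = conn
        self.org = organization_id

    def create(self, display_name: str) -> str:
        rid = str(uuid.uuid4())
        self.conn.execute(
            "INSERT INTO patient (id, organization_id, display_name) VALUES (?, ?, ?)",
            (rid, self.org, display_name),
        )
        return rid

    def get(self, record_id: str):
        # The tenant filter is part of the primary-key lookup, not an afterthought.
        row = self.conn.execute(
            "SELECT id, display_name FROM patient "
            "WHERE id = ? AND organization_id = ? AND deleted_at IS NULL",
            (record_id, self.org),
        ).fetchone()
        return None if row is None else {"id": row[0], "display_name": row[1]}

    def soft_delete(self, record_id: str) -> bool:
        # Rows are never physically removed; the audit trail keeps them.
        cur = self.conn.execute(
            "UPDATE patient SET deleted_at = ? "
            "WHERE id = ? AND organization_id = ? AND deleted_at IS NULL",
            (datetime.now(timezone.utc).isoformat(), record_id, self.org),
        )
        return cur.rowcount == 1


def demo() -> dict:
    """Show cross-tenant reads and deletes failing, and soft delete retaining the row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    org_a = TenantScopedRepo(conn, "org-a")
    org_b = TenantScopedRepo(conn, "org-b")
    pid = org_a.create("Jane Example")  # constructed sample record
    return {
        "own_org_sees_record": org_a.get(pid) is not None,
        "other_org_sees_record": org_b.get(pid) is not None,
        "other_org_can_delete": org_b.soft_delete(pid),
        "own_org_can_delete": org_a.soft_delete(pid),
        "visible_after_delete": org_a.get(pid) is not None,
        "rows_retained": conn.execute(
            "SELECT COUNT(*) FROM patient WHERE id = ?", (pid,)
        ).fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the repository wrapper is that callers cannot issue a lookup without a tenant; a leaked UUID from another organization resolves to nothing, and a delete against it is a no-op rather than a cross-tenant write.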
## Authentication & authorization

Granular roles, hardened sessions.

52-key permission registry, three-path resolution, real-time JWT revocation.
- OAuth2 password bearer with per-user MFA (toggleable) and org-wide login challenge enforcement
- SSO adapter framework - OIDC and SAML
- 121 user roles in the UserRole enum, spanning OB/GYN, oncology, research, pharmacy, billing, and IT groupings
- Canonical permission key registry - 52 keys across 10 categories
- Three-path permission resolution - JWT perms claim, DB user overrides, role defaults
- JWT denylist - Redis-backed per-token JTI revocation plus per-user epoch invalidation
- Step-up authentication for high-risk clinical and billing actions
- Per-IP rate limiting on auth endpoints, configurable lockout, suspicious-login challenges
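The JWT denylist and three-path permission resolution described above fit together in one authorization check: first decide whether the token is still live (expiry, per-token JTI revocation, per-user epoch), then decide what it may do. The code below is an added example written for this page, not the project's implementation. It assumes the JWT has already been signature-verified into a claims dict, uses an in-memory dict as a stand-in for the Redis-backed store, treats the three paths as an ordered precedence (perms claim wins over DB overrides, which win over role defaults; the page does not state the order), and the role names and permission keys are constructed samples rather than the 52-key registry.

```python
import time
from dataclasses import dataclass, field


@dataclass
class RevocationStore:
    """Stand-in for the Redis-backed denylist; keys and layout are assumptions."""
    denied_jti: dict = field(default_factory=dict)  # jti -> token exp, so entries can be purged
    user_epoch: dict = field(default_factory=dict)  # user id -> current session epoch


# Constructed sample role defaults, not the project's registry.
ROLE_DEFAULTS = {
    "nurse": {"patient:read", "vitals:write"},
    "billing_clerk": {"claim:read", "claim:submit"},
}


def revoke_token(store: RevocationStore, jti: str, exp: float) -> None:
    """Per-token revocation: remember the JTI until the token would have expired anyway."""
    store.denied_jti[jti] = exp


def invalidate_user_sessions(store: RevocationStore, user_id: str) -> int:
    """Per-user invalidation: bump the epoch so every token minted before it is dead."""
    store.user_epoch[user_id] = store.user_epoch.get(user_id, 0) + 1
    return store.user_epoch[user_id]


def purge_expired_denylist(store: RevocationStore, now: float) -> int:
    """Drop denylist entries whose tokens have expired on their own (Redis would use TTLs)."""
    stale = [jti for jti, exp in store.denied_jti.items() if exp <= now]
    for jti in stale:
        del store.denied_jti[jti]
    return len(stale)


def token_is_live(store: RevocationStore, claims: dict, now=None) -> tuple:
    """Expiry, then JTI denylist, then user epoch; any failure rejects the token."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("jti") in store.denied_jti:
        return False, "jti revoked"
    if claims.get("epoch", 0) < store.user_epoch.get(claims["sub"], 0):
        return False, "user epoch invalidated"
    return True, "ok"


def resolve_permissions(claims: dict, user_overrides: dict, role_defaults: dict) -> set:
    """Three-path resolution; precedence order is an assumption of this example."""
    # Path 1: explicit perms claim carried in the JWT
    if "perms" in claims:
        return set(claims["perms"])
    # Path 2: per-user overrides stored in the database
    if claims["sub"] in user_overrides:
        return set(user_overrides[claims["sub"]])
    # Path 3: union of the defaults for each role the user holds
    perms = set()
    for role in claims.get("roles", []):
        perms |= role_defaults.get(role, set())
    return perms


def authorize(store: RevocationStore, claims: dict, required: str,
              user_overrides: dict, now=None) -> tuple:
    live, why = token_is_live(store, claims, now)
    if not live:
        return False, why
    if required not in resolve_permissions(claims, user_overrides, ROLE_DEFAULTS):
        return False, f"missing {required}"
    return True, "ok"


if __name__ == "__main__":
    store = RevocationStore()
    token = {"sub": "u-1", "jti": "t-1", "exp": 2000, "epoch": 0, "roles": ["nurse"]}
    print(authorize(store, token, "patient:read", {}, now=1000))
    invalidate_user_sessions(store, "u-1")
    print(authorize(store, token, "patient:read", {}, now=1000))
```

The epoch check is what makes "log out everywhere" and "password changed" immediate without enumerating every outstanding token; the JTI denylist handles the single-token case and can be bounded by the token lifetime, which is why the store records each denied token's expiry.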
## Audit & monitoring

Comprehensive audit logging.

Coverage across all clinical and administrative actions, wired into every PHI access path.
- Comprehensive AuditLog covering all clinical and administrative actions
- PHI access anomaly detection
- Security audit report exports
- HIPAA control matrix
- Correlation IDs traced across frontend, API, workers, and audit logs
- Idempotency key enforcement for non-safe write APIs
## Data handling

Consent, retention, and recovery.

Consent enforcement is middleware, not a checkbox. Backups are tested, not just taken.
- Consent directive enforcement middleware on every data domain endpoint
- Communication channel consent for portal, SMS, and email
- AI transcription consent flag enforced before activation
- Organization-level retention and purge policy engine
- Encrypted backup verification jobs with restore drill reporting
- Attachment malware scanning and quarantine pipeline
## External integrations

Secure external integrations.

A dedicated mTLS gateway for outbound traffic and HMAC signatures on inbound webhooks.
- Dedicated mTLS gateway - Nginx-based Docker container - for all external integrations
- HMAC signature validation mandatory on all FHIR webhook endpoints
- PACS DICOMweb proxy with concurrent request limiting
- Source reliability scoring on external connectors
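Mandatory HMAC validation on inbound webhooks is only as strong as the details: the check has to be fail-closed when the header is absent, use a constant-time comparison, and bind a timestamp into the signed message so a captured request cannot be replayed later. The code below is an added example written for this page, not the project's webhook handler. The header names, the `timestamp.body` signing convention, the 300-second tolerance and the sample FHIR-style payload are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import time

# Assumed header names; a real integration would use whatever the FHIR sender documents.
SIGNATURE_HEADER = "x-webhook-signature"
TIMESTAMP_HEADER = "x-webhook-timestamp"
MAX_SKEW_SECONDS = 300


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over 'timestamp.body' so the timestamp is covered by the signature."""
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None) -> tuple:
    """Fail-closed verification; returns (accepted, reason) so the reason can be audited."""
    now = int(time.time()) if now is None else now
    lowered = {k.lower(): v for k, v in headers.items()}
    signature = lowered.get(SIGNATURE_HEADER)
    timestamp = lowered.get(TIMESTAMP_HEADER)
    if not signature or not timestamp:
        return False, "missing signature or timestamp header"
    try:
        ts = int(timestamp)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside tolerance"
    expected = sign_payload(secret, ts, body)
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


def build_signed_request(secret: bytes, payload: dict, timestamp: int) -> tuple:
    """Sender side of the exchange: serialise once, sign the exact bytes that are sent."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    headers = {
        "X-Webhook-Signature": sign_payload(secret, timestamp, body),
        "X-Webhook-Timestamp": str(timestamp),
    }
    return headers, body


# Constructed sample: a minimal FHIR-style subscription notification, not real data.
SAMPLE_PAYLOAD = {
    "resourceType": "Bundle",
    "type": "subscription-notification",
    "entry": [{"resource": {"resourceType": "Patient", "id": "example-123"}}],
}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    headers, body = build_signed_request(secret, SAMPLE_PAYLOAD, 1_700_000_000)
    print(verify_webhook(secret, headers, body, now=1_700_000_010))
    print(verify_webhook(secret, headers, body + b" ", now=1_700_000_010))
```

Signing the raw bytes rather than a re-serialised object matters: if the receiver parses the JSON and re-encodes it before hashing, any difference in key order or whitespace produces a false mismatch, and developers tend to "fix" that by weakening the check.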
## Security operations

A continuous security process, not a checkbox.

Security is built into the development lifecycle - reviewed, tested, and hardened on an ongoing basis.

| Control | Cadence | Description |
|---|---|---|
| Automated probes | Hourly | Synthetic security checks |
| PHI monitoring | Real-time | Access anomaly detection |
| Audit cadence | Quarterly | Scheduled full-stack reviews |
| Response SLA | <24h | Critical issue response target |
Hardening is an ongoing sprint discipline - not a one-time event. Each release cycle includes dedicated security review covering authentication controls, PHI access paths, webhook validation, rate limiting, and audit log integrity.
## Certifications

Certification roadmap.

HIPAA-aligned today. Formal certifications are on the post-launch roadmap.
| Standard | Status |
|---|---|
| HIPAA-aligned architecture | In place |
| Internal security audit | Active security audits and development of real-time monitoring agents |
| SOC 2 | On the production roadmap (Q3 2026) |
| HITRUST | On the production roadmap (Q3 2026) |
| ONC | On the production roadmap (Q3 2026) |
## Next

Read the dated roadmap.

Public demo May 2026, alpha June 2026, beta September 2026, production January 2027. No vague launch windows.
