Security
Trust starts with clear clinical data boundaries
Physicians and administrators need to know where PHI goes, who can access it, and what never belongs in logs or analytics.
HIPAA posture
Designed for AWS HIPAA-eligible services, BAA workflows, and minimum necessary access.
Encryption
TLS in transit, KMS-backed storage, and encrypted short-term stored charts.
Access controls
Cognito MFA, RBAC, admin-only clinical content, and provider authorization checks.
Audit trail
Metadata-only events track actions without storing clinical chart content in logs.
Infrastructure
VPC isolation, WAF, private data subnets, Redis for non-PHI cache, and Aurora/RDS Proxy.
AI data handling
AI model integration is designed around paid-tier data handling and customer BAA requirements.
Compliance materials are draft and require final legal/security review before production launch.