Security
Trust starts with clear clinical data boundaries
Security content is written for physicians, administrators, and compliance reviewers.
HIPAA posture
Designed for AWS HIPAA-eligible services, BAA workflows, and minimum necessary access.
Encryption
TLS in transit, KMS-backed storage, and encrypted short-term note storage.
Access controls
Cognito MFA, RBAC, admin-only clinical content, and provider authorization checks.
Audit trail
Metadata-only events track actions without storing clinical note content in logs.
Infrastructure
VPC isolation, WAF, private data subnets, Redis for non-PHI cache, and Aurora/RDS Proxy.
AI data handling
Anthropic integration is designed around paid-tier data handling and customer BAA requirements.
Compliance materials are draft and require final legal/security review before production launch.