Your data is safe
Built for healthcare from day one. Encryption at every layer, strict access controls, US-only infrastructure, and full HIPAA compliance.
Encrypted everywhere
AES-256 at rest. TLS 1.3 in transit. Your data is encrypted in the database, in file storage, and between your browser and our servers.
US-only storage
All data is stored and processed exclusively in the United States. No offshore servers, no third-party data processors.
Zero trust by design
Every API request is authenticated, authorized, and scoped to your organization. Cross-tenant access is architecturally impossible.
How we protect your data
Multiple layers of security ensure patient data stays private and compliant.
Role-based access
Admin, Provider, Staff, and Patient roles with strict permission hierarchy. Each team member only sees data relevant to their role.
Organization isolation
Every database query is scoped to your organization. Your data is completely separated from every other practice.
Immutable audit trail
Every access, modification, and deletion is logged with who, what, when, and from where. Logs cannot be altered.
Session management
Automatic session expiry, cookies set with the Secure and HttpOnly flags, SameSite protection, and OAuth with PKCE.
Encrypted backups
Automated encrypted backups with point-in-time recovery. Your data is protected even in disaster scenarios.
DDoS & bot protection
Rate limiting, CAPTCHA on form submissions, and infrastructure-level DDoS protection included by default.
Encryption details
Industry-standard encryption at every layer of the stack.
HIPAA Compliance
A signed Business Associate Agreement (BAA) is included on every plan. We take our obligations as a Business Associate seriously.
Questions about security?
We're happy to discuss our security practices, sign a BAA, or provide documentation for your compliance team.