Security & Trust · the procurement page

Built for PHI from the ground up.

This page exists to be bookmarked and forwarded. Everything your security review, procurement team, or client audit needs — stated plainly, with nothing overstated.

HIPAA SOC 2 · audit-ready TLS 1.2+ AES-256 BAA / DPA available ISO 27701 · roadmap

"Audit-ready" means controls and evidence are documented for audit — we say "certified" only when a certificate exists.

PHI audit log LIVE
AES-256 · record encrypted verified
OCR extraction → page 14 verified
Citation linked → source p.12 verified
Access: case #2291 only verified
Export blocked — no BAA enforced

Your records never train an AI model. Ever.

Not ours, not a vendor's, not "de-identified for research." Your files are processed to produce your outputs, and that is the end of their journey. This is contractual — it's in the BAA — not a settings toggle.

Six controls your reviewer will ask about.

Encryption

TLS 1.2+ in transit, AES-256 at rest — every file, every environment.

Case-level access control

HIPAA-minimal by default: people see only the cases assigned to them. Nothing else exists for them.

PHI audit logging

Every PHI access event is logged — who, what, when — and exportable for your own audits, appeals, and records requests.

Secure sessions

Token-validated sessions with strict expiry handling — no shared credentials, anywhere.

SOC 2 readiness

Controls documentation and evidence packages maintained audit-ready — available under NDA.

Human-guided AI

Every output cited, reviewable, and traceable to its source. AI does the reading; your experts make the calls.

Deployment & integration

For carriers, TPAs, and public-sector programs deploying at scale.

Connect (API)

Secure REST API and CRM token exchange — no shared credentials — with outbound webhooks into your case-management and claims systems.

Usage & cost analytics

Per-feature, per-file metering — bill costs back to a case, a client program, or a desk.

Data lifecycle

Retention controls, de-identified export for sharing without exposing PHI, and deletion on request.

The security package

Everything procurement asks for, in one PDF.

Controls documentation, the sub-processor list, BAA/DPA templates, and the SOC 2 evidence summary — sent under NDA.

Request the security package