Trust center
Health data deserves a higher standard. This page describes the controls protecting the platform today and the compliance work on our roadmap stated plainly, without security theater.
Last updated:
The platform runs on hardened cloud infrastructure with network segmentation between public-facing services and data stores. Production access requires VPN plus hardware-key MFA, and infrastructure is defined as code so every change is reviewed and auditable.
Passwords are hashed with a modern memory-hard algorithm; multi-factor authentication is available to all users and required for staff. Internally we follow least privilege: clinicians see only their patients, and every access to health records is written to an immutable audit log.
Databases are backed up continuously with point-in-time recovery, and encrypted backups are replicated to a second region. Restores are tested on a schedule a backup that has never been restored is a hope, not a control.
Centralized logging, anomaly alerting on authentication and data-access patterns, and dependency scanning on every build. Alerts page an on-call engineer around the clock.
We maintain a written incident-response plan with defined severity levels, an on-call rotation, and post-incident reviews. If an incident affects your data, we will notify you and regulators within the timelines required by applicable breach-notification law.
We welcome good-faith security research. If you find a vulnerability, email [email protected]with reproduction steps. Give us reasonable time to fix the issue before public disclosure, don't access other people's data, and we commit in return not to pursue legal action against good-faith research within these rules.
Our roadmap, in order:
[email protected] monitored by the security team. For privacy questions, see the Privacy Policy.