◆   security & compliance

We protect PHI the way we'd want our own patients' data protected.

SOC 2 Type II audited. HIPAA compliant. BAA available for every customer. Architected with defense in depth from the database layer up — row-level security on every query, append-only audit logs, hardware-backed key management, and supervised AI with citations on every action. The same posture that protects our own agency protects every Braes customer.

01  SOC 2 Type II

Annual third-party audit covering security, availability, confidentiality, and processing integrity. Reports available under NDA.

02  HIPAA Compliant

Full administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C: §§164.308, 164.310 and 164.312). BAA available for all customers.

03  Hosted on AWS

US-based infrastructure with provider-level certifications including SOC 1/2/3, ISO 27001/27017/27018, PCI DSS, and HIPAA-eligible services.

◆   six pillars

Defense in depth. Engineered, not bolted.

Pillar 01  Encryption everywhere

All data is encrypted at rest with AES-256 and in transit with TLS 1.3. PHI columns receive an additional layer of column-level encryption; this is the layer that matters if a database dump or storage snapshot leaks, since disk-level encryption is transparent to anyone who can query the database. Keys are held in a hardware-backed key management service and rotated on a schedule.

  • AES-256 at rest
  • TLS 1.3 in transit
  • Column-level PHI encryption
  • Hardware-backed key management

Pillar 02  Row-level security on every query

Every read and write goes through a row-level security policy that enforces agency isolation, role permissions, and care-setting scoping at the database layer. Because the database applies the filter to every query, application code that forgets a WHERE clause still returns only the caller's agency. There is no path to another agency's data even from inside the application.

  • RLS on every table that touches PHI
  • Agency isolation at the SQL boundary
  • Care-setting scope enforcement
  • Defense in depth — not relying on app-layer checks
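As an added example (not Braes's own schema or policies), this is what agency isolation and care-setting scoping look like as PostgreSQL row-level security. Every name in it (patient_note, app_user, the app.agency_id and app.care_settings settings) is an assumption for illustration. The point it shows is that the filter lives in the database and is applied on top of whatever the query asks, so it holds for the application, a reporting job, or an ad-hoc session using the same role.

```sql
-- Added example, not Braes's schema: PostgreSQL row-level security that scopes
-- every query on a PHI table to the caller's agency and care settings.
-- All names (patient_note, app_user, app.agency_id, app.care_settings) are
-- assumptions for illustration.  Requires PostgreSQL 11 or later.

CREATE TABLE patient_note (
    id           bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    agency_id    uuid NOT NULL,
    care_setting text NOT NULL,   -- e.g. 'home_health', 'hospice'
    body         text NOT NULL    -- PHI (column-level encryption omitted here)
);

-- The application connects as a role that is subject to RLS: not a superuser,
-- not the table owner, and without BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON patient_note TO app_user;

ALTER TABLE patient_note ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_note FORCE ROW LEVEL SECURITY;   -- the owner is filtered too

-- Request context, read from transaction-local settings.  current_setting(name, true)
-- returns NULL when the setting is absent, and NULL never compares equal, so a
-- request that forgot to set its context sees zero rows rather than all rows.
CREATE FUNCTION app_agency_id() RETURNS uuid
    LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.agency_id', true), '')::uuid
$$;

CREATE FUNCTION app_care_settings() RETURNS text[]
    LANGUAGE sql STABLE AS $$
    SELECT string_to_array(nullif(current_setting('app.care_settings', true), ''), ',')
$$;

-- Tenant boundary: the one permissive policy; without it nothing is visible.
-- USING filters reads, updates and deletes; WITH CHECK stops an INSERT or
-- UPDATE from placing a row in another agency.
CREATE POLICY agency_isolation ON patient_note
    FOR ALL TO app_user
    USING      (agency_id = app_agency_id())
    WITH CHECK (agency_id = app_agency_id());

-- Care-setting scope as a RESTRICTIVE policy: it is ANDed with every permissive
-- policy, so a looser policy someone adds later cannot widen it.
CREATE POLICY care_setting_scope ON patient_note
    AS RESTRICTIVE FOR ALL TO app_user
    USING      (care_setting = ANY (app_care_settings()))
    WITH CHECK (care_setting = ANY (app_care_settings()));

-- Per request, after the user is authenticated.  is_local = true scopes each
-- setting to this transaction, so a pooled connection carries nothing over.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.agency_id',     '11111111-1111-1111-1111-111111111111', true);
SELECT set_config('app.care_settings', 'home_health,hospice', true);

-- Returns no rows: the policy is applied on top of the WHERE clause, so naming
-- another agency explicitly does not help.
SELECT id, care_setting FROM patient_note
 WHERE agency_id = '22222222-2222-2222-2222-222222222222';

-- Refused by WITH CHECK on agency_isolation: the row would belong to another agency.
INSERT INTO patient_note (agency_id, care_setting, body)
VALUES ('22222222-2222-2222-2222-222222222222', 'hospice', 'constructed sample');
ROLLBACK;
```

Two details matter in practice. Superusers always bypass RLS, and the table owner does too unless FORCE ROW LEVEL SECURITY is set, so the application must never connect as either or as a role with BYPASSRLS. And because the context is carried in session settings, anything that can run arbitrary SQL on the connection (a SQL injection, for instance) can also call set_config, so RLS is a backstop for missing filters, not a substitute for parameterised queries.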

Pillar 03  Audit trail by default

Every state change, every claim mutation, every workflow event is captured to an append-only audit log. The audit trail covers user actions, system actions, AI actions, and integration actions — all stamped with actor, timestamp, and reason.

  • Append-only event log
  • User, system, AI, and integration actors
  • Compliance-grade retention
  • Queryable for any record at any time
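As an added example (not Braes's own schema), here is an audit log that PostgreSQL itself keeps append-only, with a trigger that records one event per claim mutation stamped with actor, timestamp and reason. Table, role and setting names (audit_event, claim, app_user, app.actor_kind, app.actor_id, app.reason) are assumptions. It goes a step beyond the text by making the actor stamp mandatory: a mutation whose caller did not identify itself is rolled back rather than logged anonymously.

```sql
-- Added example, not Braes's schema: an append-only audit log enforced by the
-- database, plus a trigger that writes one event per claim mutation.
-- Names (audit_event, claim, app_user, app.actor_kind, app.actor_id, app.reason)
-- are assumptions for illustration.  Requires PostgreSQL 11 or later.

CREATE TYPE audit_actor AS ENUM ('user', 'system', 'ai', 'integration');

CREATE TABLE audit_event (
    id           bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    occurred_at  timestamptz NOT NULL DEFAULT now(),
    actor_kind   audit_actor NOT NULL,
    actor_id     text        NOT NULL,
    reason       text        NOT NULL,
    agency_id    uuid        NOT NULL,
    record_type  text        NOT NULL,   -- e.g. 'claim'
    record_id    text        NOT NULL,
    action       text        NOT NULL,   -- e.g. 'claim.update'
    before_state jsonb,                  -- NULL on insert
    after_state  jsonb                   -- NULL on delete
);

-- Layer 1, privileges: the application role can append and read, nothing else.
CREATE ROLE app_user NOLOGIN;            -- same assumed role as the RLS example
REVOKE ALL ON audit_event FROM PUBLIC;
GRANT SELECT, INSERT ON audit_event TO app_user;

-- Layer 2, triggers: refuse UPDATE/DELETE/TRUNCATE even from roles that hold the
-- privilege (migration or admin roles), so no code path can rewrite history.
CREATE FUNCTION audit_event_immutable() RETURNS trigger
    LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_event is append-only (% refused)', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END
$$;

CREATE TRIGGER audit_event_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_event
    FOR EACH ROW EXECUTE FUNCTION audit_event_immutable();

CREATE TRIGGER audit_event_no_truncate
    BEFORE TRUNCATE ON audit_event
    FOR EACH STATEMENT EXECUTE FUNCTION audit_event_immutable();

-- Layer 3, capture: every claim mutation produces an event.  The actor columns
-- are NOT NULL, so a mutation whose caller never set its context fails and rolls
-- back: no change without an audit record.
CREATE TABLE claim (
    id           uuid   PRIMARY KEY,
    agency_id    uuid   NOT NULL,
    status       text   NOT NULL,
    amount_cents bigint NOT NULL
);

CREATE FUNCTION claim_audit() RETURNS trigger
    LANGUAGE plpgsql AS $$
DECLARE
    rec claim;
BEGIN
    IF TG_OP = 'DELETE' THEN rec := OLD; ELSE rec := NEW; END IF;
    INSERT INTO audit_event (actor_kind, actor_id, reason, agency_id,
                             record_type, record_id, action, before_state, after_state)
    VALUES (nullif(current_setting('app.actor_kind', true), '')::audit_actor,
            nullif(current_setting('app.actor_id',   true), ''),
            nullif(current_setting('app.reason',     true), ''),
            rec.agency_id, 'claim', rec.id::text, 'claim.' || lower(TG_OP),
            CASE WHEN TG_OP = 'INSERT' THEN NULL ELSE to_jsonb(OLD) END,
            CASE WHEN TG_OP = 'DELETE' THEN NULL ELSE to_jsonb(NEW) END);
    RETURN NULL;   -- AFTER trigger: the return value is ignored
END
$$;

CREATE TRIGGER claim_audit_trail
    AFTER INSERT OR UPDATE OR DELETE ON claim
    FOR EACH ROW EXECUTE FUNCTION claim_audit();

-- Caller context, set per transaction by the application.  An AI-initiated
-- change shows up as actor_kind = 'ai' with the reason the policy layer recorded.
BEGIN;
SELECT set_config('app.actor_kind', 'ai', true);
SELECT set_config('app.actor_id',   'claims-assistant', true);
SELECT set_config('app.reason',     'status change proposed by model, approved by reviewer', true);
UPDATE claim SET status = 'ready_to_bill'
 WHERE id = '33333333-3333-3333-3333-333333333333';
COMMIT;

-- Any later attempt to rewrite history is refused by the BEFORE DELETE trigger,
-- whatever role runs it.
DELETE FROM audit_event WHERE actor_kind = 'ai';
```

The caveat a reviewer will raise: whoever can DROP TRIGGER or DROP TABLE (the owner, a superuser) can still destroy the log, so append-only inside the database is only as strong as control over DDL rights. Compliance-grade retention therefore also means shipping events to write-once storage outside the database (S3 Object Lock is the AWS option), so that a compromised or mistaken admin cannot remove the record along with the evidence.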

Pillar 04  AI with citations and oversight

Every AI-generated suggestion is cited back to the source data it consulted. Every AI-initiated action is logged, reversible, and supervised by an explicit policy layer. No model touches production data without an audit record.

  • Citation-backed AI responses
  • Reversible AI-initiated workflow actions
  • Supervisor evaluation for high-risk actions
  • PHI-redacted observability and tracing

Pillar 05  Identity and access control

SSO via Google, Microsoft, or your IdP of choice. WebAuthn passkeys for hardware-backed login. Discipline-based defaults plus permission groups plus per-user grants — RBAC the way operators actually use it.

  • SSO and OIDC support
  • WebAuthn / passkey authentication
  • Layered RBAC (discipline → group → user)
  • MFA available, enforceable per agency
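As an added example (not Braes's own model), this is one way to resolve a user's effective permissions from the three layers named above. The page does not say how the layers combine, so the precedence is an assumption: a per-user entry overrides group grants, a group grant overrides the discipline default, and an explicit per-user deny wins over everything. All table and permission names are illustrative, and the sample rows are constructed.

```sql
-- Added example, not Braes's schema: effective permissions from three layers
-- (discipline defaults, permission groups, per-user grants).  The precedence
-- (user > group > discipline, per-user deny wins) is an assumption.

CREATE TABLE user_account (
    id         uuid PRIMARY KEY,
    agency_id  uuid NOT NULL,
    discipline text NOT NULL             -- e.g. 'rn', 'lpn', 'biller'
);
CREATE TABLE discipline_permission (
    discipline text, permission text, PRIMARY KEY (discipline, permission));
CREATE TABLE permission_group (
    id uuid PRIMARY KEY, agency_id uuid NOT NULL, name text NOT NULL);
CREATE TABLE group_permission (
    group_id uuid REFERENCES permission_group, permission text,
    PRIMARY KEY (group_id, permission));
CREATE TABLE group_member (
    group_id uuid REFERENCES permission_group, user_id uuid REFERENCES user_account,
    PRIMARY KEY (group_id, user_id));
CREATE TABLE user_permission (
    user_id    uuid REFERENCES user_account,
    permission text,
    allowed    boolean NOT NULL,         -- false = explicit per-user deny
    PRIMARY KEY (user_id, permission)
);

-- Each layer contributes (permission, allowed) rows with a priority; the
-- highest-priority row for a given permission decides.
CREATE FUNCTION effective_permissions(p_user uuid)
RETURNS TABLE (perm text, granted_by text)
LANGUAGE sql STABLE AS $$
    WITH layered AS (
        SELECT dp.permission, true AS allowed, 1 AS priority, 'discipline' AS layer
          FROM user_account u
          JOIN discipline_permission dp ON dp.discipline = u.discipline
         WHERE u.id = p_user
        UNION ALL
        SELECT gp.permission, true, 2, 'group'
          FROM group_member gm
          JOIN group_permission gp ON gp.group_id = gm.group_id
         WHERE gm.user_id = p_user
        UNION ALL
        SELECT up.permission, up.allowed, 3, 'user'
          FROM user_permission up
         WHERE up.user_id = p_user
    ),
    decided AS (
        SELECT DISTINCT ON (permission) permission, allowed, layer
          FROM layered
         ORDER BY permission, priority DESC
    )
    SELECT permission, layer FROM decided WHERE allowed
$$;

-- Constructed sample: an RN whose discipline grants notes.read and visits.sign,
-- a 'billing' group that adds claims.submit, and a per-user deny on visits.sign.
INSERT INTO user_account VALUES
    ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', '11111111-1111-1111-1111-111111111111', 'rn');
INSERT INTO discipline_permission VALUES ('rn', 'notes.read'), ('rn', 'visits.sign');
INSERT INTO permission_group VALUES
    ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', '11111111-1111-1111-1111-111111111111', 'billing');
INSERT INTO group_permission VALUES ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'claims.submit');
INSERT INTO group_member VALUES
    ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa');
INSERT INTO user_permission VALUES
    ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'visits.sign', false);

-- Yields notes.read (discipline) and claims.submit (group); visits.sign is
-- absent because the user-layer deny outranks the discipline default.
SELECT * FROM effective_permissions('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa');
```

Resolving in the database rather than in application code has the same appeal as RLS: the row-level policies can call the same function, so the permission that gates a screen is the permission that gates the query. The cost is that the precedence rule becomes a schema decision that has to be documented and tested like one.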

Pillar 06  Operational security

Continuous vulnerability scanning, dependency monitoring, secret management with rotation, infrastructure-as-code reviews, and a documented incident response plan that we have tested. The on-call rotation includes founders.

  • Continuous vuln + dependency scanning
  • Secrets rotation on cadence
  • Documented + tested IR runbook
  • Founders on the on-call rotation

◆   for security teams

Need a SOC 2 report, a BAA, or to fill out your security questionnaire?

Email us directly. We respond same day. We've filled out dozens of vendor security questionnaires and we know what your compliance team is going to ask.