How we protect your data and demonstrate it.
Certifications & Attestations
OnlyHIPAA is built to meet the bar customers in regulated industries expect from their compliance vendor:
- HIPAA — we operate as a Business Associate under the HIPAA Security, Privacy, and Breach Notification Rules and execute a BAA with every customer that stores PHI.
- SOC 2 Type II — independently audited against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. Reports are available under NDA on request.
- NIST CSF / 800-53 alignment — our control framework maps to NIST CSF and the HIPAA-relevant 800-53 control families.
Data Protection
- Encryption in transit: TLS 1.3 (1.2 minimum) enforced on all connections; HSTS with preload-list inclusion; certificate pinning on critical endpoints.
- Encryption at rest: AES-256 on all primary databases and object storage, with per-tenant key separation for sensitive fields.
- Key management: KMS-backed keys with automated rotation; no shared secrets in code.
- Backups: encrypted, geo-redundant, with point-in-time recovery and regularly tested restores.
Authentication & Access Controls
- NIST SP 800-63B-aligned authentication: Argon2id password hashing and a breached-password check against known-compromised credentials.
- Strong MFA via authenticator apps (TOTP), passkeys, or hardware security keys (FIDO2 / WebAuthn), enforceable by per-organization policy.
- SSO/SAML, SCIM provisioning, and IP allowlisting available on Enterprise plans.
- Role-based access control with least-privilege defaults.
- Server-side, revocable sessions with idle and absolute timeouts, configurable per-organization.
- Every action is written to an immutable, tamper-evident audit log retained for six years (per 45 CFR §164.530(j)(2)).
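The "immutable, tamper-evident audit log" above is easiest to understand through a hash chain: every record commits to its own canonical content and to the hash of the record before it, so editing, deleting, or reordering any entry invalidates the chain from that point onward. The following is an added illustration, not OnlyHIPAA's code; the record fields, class names, and sample events are assumptions made for the example.

```python
"""Added example (not OnlyHIPAA's code): a tamper-evident, append-only audit
log built as a SHA-256 hash chain. Field names and sample events are
hypothetical; timestamps are supplied by the caller as ISO-8601 strings."""
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # chain anchor for the very first record


@dataclass
class AuditRecord:
    seq: int          # position in the chain; catches deletions and reordering
    actor: str
    action: str
    resource: str
    timestamp: str
    prev_hash: str    # entry_hash of the previous record (or GENESIS)
    entry_hash: str = ""


def _canonical(rec: AuditRecord) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    body = {k: v for k, v in rec.__dict__.items() if k != "entry_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_hash_of(rec: AuditRecord) -> str:
    return hashlib.sha256(_canonical(rec)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.records: list[AuditRecord] = []

    def append(self, actor: str, action: str, resource: str, timestamp: str) -> AuditRecord:
        prev = self.records[-1].entry_hash if self.records else GENESIS
        rec = AuditRecord(len(self.records), actor, action, resource, timestamp, prev)
        rec.entry_hash = entry_hash_of(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> tuple[bool, int]:
        """Walk the chain; return (ok, index_of_first_bad_record), index -1 when ok."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev:
                return False, i          # record removed, inserted, or reordered
            if not hmac.compare_digest(entry_hash_of(rec), rec.entry_hash):
                return False, i          # record content changed after the fact
            prev = rec.entry_hash
        return True, -1


def demo() -> dict:
    """Constructed scenario: three events, then one record is edited in place."""
    log = AuditLog()
    log.append("dr.smith", "view", "patient/1042", "2024-05-01T10:00:00Z")
    log.append("dr.smith", "export", "patient/1042", "2024-05-01T10:05:00Z")
    log.append("admin", "role.change", "user/dr.smith", "2024-05-01T11:00:00Z")
    ok_before, _ = log.verify()
    log.records[1].action = "view"        # someone tries to hide the export
    ok_after, bad_index = log.verify()
    return {"ok_before": ok_before, "ok_after": ok_after, "first_bad": bad_index}


if __name__ == "__main__":
    print(demo())
```

A chain like this makes tampering detectable, not impossible: the final hash still has to be anchored somewhere the application's own database credentials cannot reach (a periodically published digest, a write-once store, or a signature from a key the application server does not hold), which is the part "immutable" refers to.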
Application Security
- CSRF, XSS, SQL-injection, and SSRF defenses applied uniformly through framework-level controls.
- Content Security Policy with per-request nonces; strict referrer and frame-ancestors policies.
- Static analysis on every commit; PHPStan at the strictest level on the core platform.
- Annual third-party penetration test; bug-bounty program for high-severity findings.
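A per-request CSP nonce works by minting a fresh random value for every response, naming it in the `script-src` directive, and stamping the same value onto each legitimate inline `<script>` tag; a script injected into the page body does not carry the nonce and the browser refuses to run it. The example below is added here to show that mechanism and is not OnlyHIPAA's code; the directive set and the other header values are illustrative assumptions, not the platform's actual policy.

```python
"""Added example (not OnlyHIPAA's code): per-request CSP nonce generation,
the response headers built around it, and a defender-side check that every
inline script in the rendered HTML carries that nonce. Directive values are
illustrative assumptions."""
import re
import secrets


def make_nonce() -> str:
    # 128 bits from the OS CSPRNG, base64url-encoded; minted once per response, never reused
    return secrets.token_urlsafe(16)


def build_headers(nonce: str) -> dict[str, str]:
    csp = "; ".join([
        "default-src 'self'",
        # Only inline scripts tagged with this nonce may run; 'strict-dynamic'
        # lets those trusted scripts load their own dependencies.
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",   # the app may not be framed (clickjacking)
    ])
    return {
        "Content-Security-Policy": csp,
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "X-Frame-Options": "DENY",  # legacy fallback for browsers without frame-ancestors
    }


def render_page(nonce: str, inline_js: str) -> str:
    # The template engine stamps the response's nonce on every inline script it emits
    return f'<script nonce="{nonce}">{inline_js}</script>'


_NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9_-]+)'")
_SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>")


def script_nonce_allowed(csp: str, html: str) -> bool:
    """Return True only if every <script> tag carries the nonce named in the policy."""
    m = _NONCE_RE.search(csp)
    if not m:
        return False
    allowed = m.group(1)
    tags = _SCRIPT_TAG_RE.findall(html)
    return bool(tags) and all(f'nonce="{allowed}"' in attrs for attrs in tags)


if __name__ == "__main__":
    nonce = make_nonce()
    headers = build_headers(nonce)
    page = render_page(nonce, "app.init();")
    print(headers["Content-Security-Policy"])
    print(script_nonce_allowed(headers["Content-Security-Policy"], page))
```

Two properties matter in practice: the nonce must be unpredictable (hence `secrets`, not a counter or timestamp), and it must never appear in a cached or shared response, because a reused nonce is equivalent to no nonce.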
Infrastructure
- U.S.-based hosting on SOC 2-attested cloud providers.
- Network segmentation with private subnets for all data stores.
- Continuous vulnerability scanning and same-day patching on critical CVEs.
- DDoS protection and WAF in front of all public endpoints.
Incident Response
We follow a documented incident-response plan with defined severity tiers and notification SLAs. Customers are notified of any security incident affecting their data within the timeframes required by our BAA and applicable law — in no case later than 60 days from discovery of a reportable breach, and typically much sooner.
Reporting a Vulnerability
Security researchers and customers can report vulnerabilities to [email protected]. We acknowledge reports within one business day and aim to triage within three. Coordinated disclosure is preferred.
Trust Documents
Customers and prospects under NDA can request the following from [email protected]:
- SOC 2 Type II report
- Penetration-test executive summary
- HIPAA Security Rule mapping
- Subprocessor list
- Business continuity / disaster recovery plan summary