Security & Trust
Patient-grade security. No exceptions, no shortcuts.
Built by us, owned by us, audited by independent third parties. Every byte of patient data is encrypted at rest with patient-held keys, every action is recorded on an immutable chain, and every employee operates under HIPAA-equivalent training regardless of jurisdiction.
Encryption
Patient-held keys. Zero-knowledge by default.
Every health record, lab result, image, and chart note is encrypted before it touches our infrastructure. The encryption key is derived from a passkey stored on the patient's device — we cannot decrypt their data even if compelled to. When a clinician needs access, the patient grants a time-bounded, scoped key; the chain witnesses that grant and the audit log records it.
Algorithms: AES-256-GCM at rest, TLS 1.3 in transit, Ed25519 for signing, X25519 for key exchange. Keys rotated on schedule and on revocation.
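The key-handling model described above, shown as an added worked example rather than the company's own code (which is not on this page): the record is sealed with AES-256-GCM under a key derived from the patient's device-held passkey, and a grant to a clinician is an Ed25519-signed, expiring, scoped message carrying that key wrapped to the clinician through an X25519 exchange. Everything comes from Go's standard library. The passkey, record id, chart note and the HMAC-based key derivation are constructed assumptions for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)
// Grant is a patient-issued, time-bounded, scoped authorization carrying the record key wrapped to one clinician.
type Grant struct {
	RecordID   string `json:"record_id"`
	Scope      string `json:"scope"`       // e.g. "read"
	Clinician  []byte `json:"clinician"`   // clinician's X25519 public key
	Expires    int64  `json:"expires"`     // unix seconds
	Ephemeral  []byte `json:"ephemeral"`   // patient's one-time X25519 public key
	WrappedKey []byte `json:"wrapped_key"` // record key sealed under the X25519 shared secret
}
// deriveRecordKey: per-record AES-256 key from the device-held passkey (HMAC-SHA256 here is an assumed stand-in KDF).
func deriveRecordKey(passkey []byte, recordID string) []byte {
	m := hmac.New(sha256.New, passkey)
	m.Write([]byte("record-key:" + recordID))
	return m.Sum(nil)
}
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal is AES-256-GCM with the record id as associated data, so a ciphertext cannot be re-filed under another record.
func seal(key, plaintext []byte, recordID string) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, []byte(recordID)), nil // nonce||ciphertext
}
func open(key, sealed []byte, recordID string) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	if len(sealed) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], []byte(recordID))
}

// issueGrant (patient's device): derive the record key, wrap it to the clinician via ephemeral X25519, sign with Ed25519.
func issueGrant(sign ed25519.PrivateKey, passkey []byte, recordID, scope string,
	clinician *ecdh.PublicKey, ttl time.Duration) (body, sig []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	shared, err := eph.ECDH(clinician)
	if err != nil { return nil, nil, err }
	kek := sha256.Sum256(shared) // key-encryption key from the shared secret
	wrapped, err := seal(kek[:], deriveRecordKey(passkey, recordID), recordID)
	if err != nil { return nil, nil, err }
	g := Grant{recordID, scope, clinician.Bytes(), time.Now().Add(ttl).Unix(), eph.PublicKey().Bytes(), wrapped}
	if body, err = json.Marshal(g); err != nil { return nil, nil, err }
	return body, ed25519.Sign(sign, body), nil
}

// redeemGrant (clinician's side): check signature, expiry and intended recipient, then unwrap the record key.
func redeemGrant(patient ed25519.PublicKey, clin *ecdh.PrivateKey, body, sig []byte, now time.Time) ([]byte, error) {
	if !ed25519.Verify(patient, body, sig) { return nil, errors.New("bad signature") }
	var g Grant
	if err := json.Unmarshal(body, &g); err != nil { return nil, err }
	if now.Unix() >= g.Expires { return nil, errors.New("grant expired") }
	if !hmac.Equal(g.Clinician, clin.PublicKey().Bytes()) { return nil, errors.New("grant is for another clinician") }
	ephPub, err := ecdh.X25519().NewPublicKey(g.Ephemeral)
	if err != nil { return nil, err }
	shared, err := clin.ECDH(ephPub)
	if err != nil { return nil, err }
	kek := sha256.Sum256(shared)
	return open(kek[:], g.WrappedKey, g.RecordID)
}

// Demo runs the flow on constructed data and returns the note as the clinician decrypts it; a negative ttl yields "grant expired".
func Demo(ttl time.Duration) (string, error) {
	passkey := make([]byte, 32) // stands in for the device-held passkey (constructed)
	rand.Read(passkey)
	patientPub, patientSign, _ := ed25519.GenerateKey(rand.Reader)
	clin, _ := ecdh.X25519().GenerateKey(rand.Reader)
	record := "chart-note-0042" // constructed record id
	stored, err := seal(deriveRecordKey(passkey, record), []byte("BP 128/82, no change to meds"), record)
	if err != nil { return "", err }
	body, sig, err := issueGrant(patientSign, passkey, record, "read", clin.PublicKey(), ttl)
	if err != nil { return "", err }
	key, err := redeemGrant(patientPub, clin, body, sig, time.Now())
	if err != nil { return "", err }
	pt, err := open(key, stored, record)
	return string(pt), err
}

func main() { fmt.Println(Demo(15 * time.Minute)) }
```

Two details carry the security properties the page claims. A verifier that checked only the signature would accept a grant long after its window closed, so the expiry and recipient checks in redeemGrant are what make the grant time-bounded and scoped to one clinician. Passing the record id as GCM associated data ties each ciphertext to its record, so a blob copied between records fails to decrypt instead of silently opening.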
Compliance
HIPAA. SOC 2. HITRUST. GDPR.
We are HIPAA-covered, SOC 2 Type II audited annually, HITRUST-certified, and GDPR-compliant for our EU operations. We publish our latest attestations in the trust center. Penetration tests are run quarterly by independent firms; a results summary is available under NDA to enterprise customers.
Our flagship clinic is a covered entity. Our chain operates under a published BAA template. Our exchange holds appropriate state money-transmitter licenses and our trust company custodies HCR/HCC reserves.
Audit log
Every read. Every write. Every share.
Patients see a complete, plain-English log of who accessed their records, when, why, and under what consent. The log is mirrored to Conceptual Chain for tamper-evidence. If a clinician opens a chart they shouldn't have, the patient knows within seconds and our compliance team is paged.
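How a hash-chained log gives the tamper-evidence described above, and how an access with no matching consent gets flagged, as an added example and not the company's own implementation. Each entry's hash covers the previous entry's hash; publishing the head hash somewhere the log's operator cannot rewrite (the chain mirror on this page) is what lets anyone re-check the whole history. The entry layout, the actor names, the record and grant ids and the timestamp are constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Entry is one audit record. Its hash covers its own fields plus the previous entry's
// hash, so altering or dropping any earlier entry breaks every link after it.
type Entry struct {
	Seq        int    `json:"seq"`
	At         int64  `json:"at"`          // unix seconds
	Actor      string `json:"actor"`       // who accessed the record
	Action     string `json:"action"`      // read, write or share
	RecordID   string `json:"record_id"`
	ConsentRef string `json:"consent_ref"` // id of the grant that authorized the access
	PrevHash   string `json:"prev_hash"`
	Hash       string `json:"hash"`
}

// digest hashes the entry with its own Hash field blanked out.
func (e Entry) digest() string {
	e.Hash = ""
	b, _ := json.Marshal(e) // struct field order is fixed, so the encoding is reproducible
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

type Log struct{ Entries []Entry }

// Append links a new entry to the current head and returns the new head hash. Publishing
// that hash off-system (the chain mirror) is what makes the log tamper-evident.
func (l *Log) Append(at time.Time, actor, action, recordID, consentRef string) string {
	e := Entry{Seq: len(l.Entries), At: at.Unix(), Actor: actor, Action: action,
		RecordID: recordID, ConsentRef: consentRef}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	e.Hash = e.digest()
	l.Entries = append(l.Entries, e)
	return e.Hash
}

// Verify recomputes every link and compares the head with the mirrored hash. It returns
// -1 if the log is intact, the index of the first inconsistent entry if one was altered,
// or len(Entries) if the chain is self-consistent but no longer matches the mirror
// (entries removed from the end, or the whole tail rewritten).
func (l *Log) Verify(mirroredHead string) int {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevHash != prev || e.Hash != e.digest() {
			return i
		}
		prev = e.Hash
	}
	if prev != mirroredHead {
		return len(l.Entries)
	}
	return -1
}

// Unconsented returns entries whose consent reference is not one of the patient's active
// grants: the "clinician opened a chart they shouldn't have" condition.
func (l *Log) Unconsented(activeGrants map[string]bool) []Entry {
	var out []Entry
	for _, e := range l.Entries {
		if !activeGrants[e.ConsentRef] {
			out = append(out, e)
		}
	}
	return out
}

// Demo builds a small constructed log, flags the unconsented access, then has an insider
// rewrite one entry and reports where verification catches it.
func Demo() (tamperedAt int, flagged []string) {
	var l Log
	t0 := time.Unix(1700000000, 0) // constructed timestamp
	l.Append(t0, "dr.lee", "read", "chart-0042", "grant-7f1")
	l.Append(t0.Add(time.Minute), "dr.lee", "write", "chart-0042", "grant-7f1")
	head := l.Append(t0.Add(2*time.Minute), "nurse.kim", "read", "chart-0042", "")
	for _, e := range l.Unconsented(map[string]bool{"grant-7f1": true}) {
		flagged = append(flagged, e.Actor)
	}
	l.Entries[1].Actor = "someone.else" // history rewritten after the fact
	return l.Verify(head), flagged
}

func main() { fmt.Println(Demo()) }
```

The chain alone only proves internal consistency: an operator who can rewrite the whole tail can recompute every hash after the change. Comparing the head against a copy held outside the operator's control is what turns that into tamper-evidence, which is why Verify distinguishes a broken link from a consistent chain that no longer matches the mirror.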
Incident response
24/7 SOC. 1-hour notification commitment.
Our Security Operations Center runs 24/7 with rotating on-call. Verified breaches affecting patient data trigger notification to affected users within one hour and to regulators within four hours — well under HIPAA's 60-day requirement. Public incident reports are posted to the trust center within seven days of resolution.