Compliance & security

Compliance isn't a checklist — it's how we build.

Frameworks we work under, internal practices we run on, and what enterprise buyers actually get from us. Written for procurement teams and CISOs — short on marketing, long on specifics.

Frameworks

What we work under.

Mapped to the controls and artifacts your auditor will ask for. Available on request under NDA.

HIPAA / HITECH

Audited annually

Privacy + Security Rules. BAA available within 24h of NDA. We work as a Business Associate for every healthcare engagement.

SOC 2 Type II

Attestation under NDA

Trust Services Criteria — Security, Availability, Confidentiality. Attestation letter shareable with procurement under NDA.

ISO 13485

Aligned QMS for SaMD

Medical device quality management system. Aligned process for SaMD engagements (Class II / Class III).

ISO 27001

Aligned controls

Information security management. Mapped controls available for procurement review.

IEC 62304 / ISO 14971

SaMD SDLC + risk

Software lifecycle process + risk management for medical-device software. Embedded in our SDLC, not bolted on.

GDPR / UK GDPR

DPA available

Data Processing Agreement available. EU/UK data residency options on AWS, Azure, GCP.

PCI DSS

Tokenization first

For engagements that touch payment data — we tokenize, isolate the cardholder data environment, and don't store PAN.

HITRUST

On roadmap

Mapping in progress for engagements that require it. Available via partner audit.

Our internal practices

How we run, day to day.

Annual security training

Every engineer, every designer, every PM — annual HIPAA + secure-development training with attestation.

Background checks

Pre-engagement checks for anyone touching PHI, including subcontractors.

Least-privilege access

Just-in-time access provisioning, hardware-key 2FA required, quarterly access reviews.

Secure dev lifecycle

SAST, DAST, SCA, secret scanning, dependency review — all in CI. Findings tracked to remediation in sprint.

Independent pen testing

Annual third-party pen test, plus per-release tests on safety-critical engagements.

Incident response playbook

Documented IR plan, 24h notification SLA, breach drills run twice yearly.

What you get from us

Procurement-ready artifacts.

Each engagement comes with the documents your security and procurement teams will ask for — provided proactively, not as a round-trip.

Within 24h of NDA

BAA template

Sign-ready Business Associate Agreement template. Most customer legal teams accept on first review.

Under NDA

SOC 2 attestation letter

Current SOC 2 Type II attestation, shareable with procurement and security teams.

24–48h SLA

Security questionnaire response

We respond to vendor security questionnaires in 24–48 hours, with the supporting evidence inline.

Direct contact

Incident response liaison

Named IR lead on every engagement, with escalation path documented in the kickoff packet.

Data handling

PHI, by the book.

PHI encryption

At rest (AES-256) and in transit (TLS 1.2+). Customer-managed keys supported on AWS KMS, Azure Key Vault, Google Cloud KMS.

Data residency

US, EU, UK, APAC — choose at engagement start. PHI never crosses regions without explicit customer approval.

Audit logging

Every PHI access logged to immutable storage. Audit trails exportable to your SIEM (Splunk, Datadog, Sumo, Elastic).

FDA-class SaMD

IEC 62304-aligned SDLC, ISO 14971 risk management, cybersecurity premarket submission documentation (SBOM, threat model, VEX).

Need a specific document?

Tell us what your auditor is asking for. We'll send it.

BAA, SOC 2, security questionnaire, evidence package — most requests are turned around in 24–48 hours under NDA.