Role-based access control, immutable audit logs, encrypted data at every layer, 2FA, HIPAA training modules, and entitlement-based feature gating — protecting patient data is foundational to everything we build.
Patient data is protected with industry-standard encryption both at rest and in transit, with strict access controls ensuring only authorized users see what they need to see.
All patient data, clinical records, and communications are encrypted with AES-256 in the database and file storage.
All API calls, WebSocket connections, and file transfers use TLS 1.2+ with HSTS enforcement and certificate pinning.
Outbound SMS and email messages never include diagnosis codes, medication names, or other sensitive clinical data.
Every API endpoint is protected by policy-based authorization. Users only see data appropriate to their role — patients see their own records, providers see their patients, admins manage their clinic.
Multiple authentication methods for different contexts — from traditional password + 2FA for staff to passwordless magic links for patient convenience.
SMS-based 2FA with automatic TOTP fallback when SMS is unavailable — ensuring staff always have a secure second-factor option.
Passwordless authentication via signed, time-limited email links — ideal for patients who need quick portal access without password management.
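As an added illustration (not the product's own code), the following shows how a signed, time-limited, single-use magic-link token of the kind described above can be issued and verified; the HMAC key, the 15-minute lifetime and the in-memory nonce store are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed server-side values: a real deployment loads the key from a secrets
# manager and backs the used-nonce store with a database.
SERVER_KEY = b"constructed-sample-key-not-for-production"
USED_NONCES = set()
LINK_TTL_SECONDS = 15 * 60  # links expire 15 minutes after issue


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def mint_magic_token(user_id: str, now: Optional[float] = None) -> str:
    """Return 'user|expires|nonce|sig' for embedding in an emailed link.
    user_id must not contain '|' since it is the field separator."""
    now = time.time() if now is None else now
    expires = int(now) + LINK_TTL_SECONDS
    nonce = secrets.token_urlsafe(16)  # makes every link unique and single-use
    payload = f"{user_id}|{expires}|{nonce}"
    return f"{payload}|{_sign(payload.encode())}"


def verify_magic_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic, unexpired and unused."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user_id, expires, nonce, sig = parts
    payload = f"{user_id}|{expires}|{nonce}".encode()
    # Check the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered or forged link
    if not expires.isdigit() or now > int(expires):
        return None  # expired link
    if nonce in USED_NONCES:
        return None  # replayed link: each link is consumed on first use
    USED_NONCES.add(nonce)
    return user_id
```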
New patients and staff join via secure invitation links with role-adaptive registration, consent capture, and automatic clinic assignment.
Every data access, modification, approval, and communication is time-stamped and stored in an immutable log — giving your practice complete regulatory traceability.
Automatic model-level logging for creates, updates, and deletes. Middleware-based logging for all PHI read access. Manual logging for custom clinical actions. No gaps.
7 built-in training modules for staff with progress tracking, pass/fail scoring, and completion certificates — ensuring compliance before accessing patient data.
Entitlement-based feature gating lets administrators enable or disable capabilities per clinic — telehealth, insurance, shipment tracking, and more — so your team only sees what's relevant.
Administrators control which features are active for each clinic. Disabled features are hidden from the UI entirely — no confusion, no accidental access.
Feature gates are enforced at the API level — not just the UI. Disabled features return proper authorization errors even if accessed directly.
Add new clinics with pre-configured entitlement profiles. As your practice grows, new locations inherit the right capabilities from day one.
Schedule a security-focused demo and we'll walk you through access controls, audit logs, and compliance features.