Trust Center

Security is not a feature.
It's the foundation.

PRACTIS is built from the ground up to protect patient data. Every architectural decision prioritizes security, privacy, and compliance.

HIPAA Compliant

Full compliance with the Health Insurance Portability and Accountability Act, including administrative, physical, and technical safeguards.

SOC 2 Type II

Independent third-party audit confirming our controls for security, availability, processing integrity, confidentiality, and privacy.

BAA Available

Business Associate Agreement available for all customers. We sign BAAs before any PHI is processed.

AES-256 Encryption

All data encrypted at rest using AES-256 and in transit using TLS 1.3. Database encryption with customer-managed keys available.

Security Practices

How we protect your data

Data Protection

Encryption at rest
All patient data and clinical records are encrypted using AES-256 encryption at rest in our databases.
Encryption in transit
All data transmitted between your browser and our servers is protected by TLS 1.3 encryption.
Key management
Encryption keys are managed through AWS KMS with automatic rotation every 365 days.
Data residency
All data is stored in SOC 2-certified data centers within the United States.

Access Controls

Role-based access
Granular role-based access controls (RBAC) ensure that users can access only the data relevant to their role.
Multi-factor authentication
MFA is available for all accounts and required for admin-level access.
Session management
Automatic session timeout after 30 minutes of inactivity. Concurrent session limits enforced.
Audit logging
Every access, modification, and deletion is logged with user identity, timestamp, and IP address.

Infrastructure Security

Cloud infrastructure
Hosted on AWS with multi-AZ deployment for high availability and automatic failover.
Network security
VPC isolation, security groups, and WAF protection against common web exploits.
Vulnerability scanning
Continuous automated vulnerability scanning with quarterly third-party penetration testing.
Incident response
24/7 security monitoring with documented incident response procedures and 1-hour notification SLA.

Organizational Security

Employee training
All employees complete HIPAA training upon hire and annually. Security awareness training is mandatory.
Background checks
Comprehensive background checks for all employees with access to customer data.
Vendor management
All third-party vendors undergo security assessment before integration. BAAs signed with all sub-processors.
Business continuity
Documented disaster recovery plan with RPO < 1 hour and RTO < 4 hours. Tested quarterly.

Sub-processors

Third-party services we use

All sub-processors have signed BAAs and undergone security review.

Service             | Purpose                                       | Location
--------------------|-----------------------------------------------|--------------
Amazon Web Services | Cloud infrastructure and data storage         | United States
OpenAI              | AI model inference for clinical documentation | United States
Twilio              | SMS and voice notifications                   | United States
SendGrid            | Transactional email delivery                  | United States
Stripe              | Payment processing                            | United States
Datadog             | Application monitoring and logging            | United States

Report a vulnerability

We take security seriously. If you've discovered a vulnerability, please report it responsibly to [email protected]. We respond within 24 hours and offer a bug bounty program for qualifying reports.