Security & Compliance

1. Data Security Architecture

1.1 Zero-Retention Design

Our architecture is designed from the ground up to never persist healthcare data:

• No Database Storage: Healthcare data is never written to any database
• No Log Files: API request bodies containing PHI are never logged
• Memory-Only Processing: Data exists only in memory during conversion
• Immediate Disposal: All data is discarded after API response is sent

1.2 Encryption Standards

2. API Security Best Practices

2.1 Authentication

• API Key Authentication: Secure bearer tokens for all requests
• Key Rotation: Ability to rotate API keys without downtime
• Scoped Permissions: Granular access control per API key

2.2 Request Security

• HTTPS Only: All API endpoints require HTTPS
• Rate Limiting: Protection against abuse and DDoS
• Input Validation: Strict validation of all inputs
• Request Signing: Optional HMAC request signing for sensitive operations

2.3 Response Security

• Security Headers: HSTS, X-Content-Type-Options, X-Frame-Options
• CORS Protection: Configurable cross-origin policies
• No Sensitive Data in URLs: PHI never transmitted via query parameters

3. Infrastructure Security

3.1 Cloud Infrastructure

Our services run on enterprise-grade cloud infrastructure with:

• SOC 2 Type II certified data centers
• Geographic redundancy across multiple regions
• Automated failover and disaster recovery
• 24/7 infrastructure monitoring

3.2 Network Security

• Web Application Firewall (WAF)
• DDoS protection
• Network segmentation
• Intrusion detection and prevention

4. Compliance

4.1 HIPAA Compliance

• Business Associate Agreement (BAA): Available for Enterprise customers
• Technical Safeguards: Encryption, access controls, audit capabilities
• Administrative Safeguards: Policies, training, and incident response procedures

4.2 Additional Compliance

5. Operational Security

5.1 Access Control

• Principle of least privilege for all systems
• Multi-factor authentication (MFA) required for employees
• Role-based access control (RBAC)
• Regular access reviews and audits

5.2 Monitoring & Logging

• Real-time security monitoring
• Audit logs for all administrative actions
• Anomaly detection and alerting
• Note: Logs never contain PHI or healthcare data content

5.3 Incident Response

• Documented incident response procedures
• 24/7 on-call security team
• Customer notification within 72 hours of confirmed breaches
• Post-incident analysis and remediation

6. Development Security

• Secure SDLC: Security integrated into development lifecycle
• Code Reviews: All changes reviewed before deployment
• Dependency Scanning: Automated vulnerability scanning
• Penetration Testing: Regular third-party security assessments
• Bug Bounty: Responsible disclosure program (coming soon)

7. Data Processing Locations

Our primary data processing occurs in the following regions:

• United States: Primary processing region
• European Union: Available for GDPR compliance (on request)

Remember: Since we don't store healthcare data, there is no data residency concern for PHI. Processing occurs in-memory and data is immediately discarded.

8. Customer Responsibilities

Security is a shared responsibility. As our customer, you are responsible for:

• Securing your API keys and credentials
• Implementing appropriate access controls in your systems
• Ensuring your use of our API complies with applicable regulations
• Validating converted data before clinical use
• Reporting any security concerns to our team

9. Security Contact

To report security vulnerabilities or concerns:

For general inquiries about our security practices or to request documentation (SOC 2 reports, BAA, etc.), please contact [email protected].

10. Security FAQ