Compliance & security

Built for healthcare's security requirements.

Compliance is an architecture decision we make on day one, not a marketing claim we bolt on for the sales call. Below is exactly what we do, what we do not do, who else touches your data, and the artifacts your compliance officer can have in hand before you sign anything.

HIPAA aligned

Architecture, policies, and training designed against the HIPAA Security Rule from day one.

BAA available

We sign a Business Associate Agreement with every covered entity and every sub-processor in the stack.

AES-256 · TLS 1.3

Patient data encrypted at rest with AES-256, in transit with TLS 1.3. Keys rotated on a schedule.

6-year audit logs

Every read, write, and admin action logged, queryable, and exportable for HIPAA’s retention requirements.

HIPAA alignment

What "HIPAA-ready" actually means here.

HIPAA-ready is not a certification — it is a posture. Below is the plain-English version of what we do, and the lines we deliberately do not cross. If you want the full Security Rule mapping document, it is available on request.

What we do
  • Architect every system around the HIPAA Security, Privacy, and Breach Notification Rules.
  • Sign a BAA with you, and with every sub-processor that may touch PHI.
  • Encrypt PHI at rest (AES-256) and in transit (TLS 1.3). Rotate keys on a schedule.
  • Apply least-privilege access. SSO + MFA + role-based controls org-wide.
  • Log every PHI read, write, export, and admin action. Retain for six years.
  • Document data-flow diagrams, retention policies, and incident-response playbooks.
  • Train every staff member with access to PHI before they receive credentials.
  • Run annual security risk assessments and quarterly access reviews.

What we will not do
  • Use your patient data to train third-party models. PHI never leaves a BAA-covered boundary.
  • Store PHI in prompt logs, browser sessions, or any system without encryption.
  • Share, sell, or sub-license your data. Ever.
  • Hold your data hostage. Clean offboarding from day one — your data, your schemas, handed back.
  • Pretend to be SOC 2 certified before we are. We will publish the report when it is issued, not before.
  • Push a contract before you have seen our BAA, sub-processor list, and data-flow diagram.

Data handling

Encryption, retention, residency.

The mechanical questions your security team will ask, with the answers in writing. Anything missing from this list is something we will tell you on the discovery call.

Encryption at rest
AES-256 on all PHI stores. Database, object storage, backups, exports — all encrypted with managed KMS keys, rotated on a schedule.
Encryption in transit
TLS 1.3 enforced on every API, every database connection, every internal service-to-service call. HSTS preload, no weak ciphers.
Key management
Cloud-managed KMS. Keys live in HSM-backed storage. No key material in application code, environment variables, or CI logs.
Data residency
US-only by default. PHI never leaves a US-region BAA-covered boundary unless you explicitly opt in to a different region.
Retention
Audit logs: 6+ years (HIPAA requirement). PHI workflows: per the data-retention policy you sign, with hard end-of-contract deletion.
Disposal
Cryptographic erasure on contract close. Certificate of destruction provided. No quiet "we keep it for analytics" footnotes.
Model training
Your PHI is never used to train third-party models. BAA-covered model providers contractually agree to zero-retention prompts.
Backups
Encrypted incremental backups, geographically separated within the US. Tested restore quarterly. Backups age out on the same schedule as production.

Access · audit · incident response

Who can see what, what gets logged, and what happens when something goes wrong.

Access controls

  • SSO + MFA enforced org-wide.
  • Role-based access. Least privilege by default.
  • Just-in-time elevation for break-glass scenarios, fully logged.
  • Offboarding revokes access in minutes, not days.
  • Quarterly access reviews on every role with PHI scope.

Audit & observability

  • Every PHI read, write, export, and admin action logged.
  • 6+ year retention, queryable, exportable on request.
  • Tamper-evident storage. Logs cannot be modified after write.
  • Your compliance officer can answer "who looked at this chart" in under a minute.
  • Operational telemetry has PHI scrubbed before it ever leaves the BAA boundary.

Incident response

  • Documented playbook with named roles and a paging chain.
  • 24-hour customer notification window for any incident touching PHI.
  • A human picks up the phone — not a ticket portal, not a status page that updates six hours late.
  • Post-incident report shared in writing within 10 business days.
  • Annual tabletop exercise against the playbook.

Sub-processors

The full list of vendors that may touch your data.

Every name on this list has a signed BAA with AUOGE (or, where marked N/A, never touches PHI). The list is maintained, and you are notified before any new vendor is added. No quiet additions.

Vendor                      | Purpose                                                              | BAA           | Data class
----------------------------|----------------------------------------------------------------------|---------------|--------------------------------------
OpenAI (Enterprise / Azure) | Language model inference for patient comms and documentation drafting | Signed        | PHI under BAA
Anthropic (Enterprise)      | Language model inference for clinical summarization                  | Signed        | PHI under BAA
Amazon Web Services (AWS)   | HIPAA-eligible hosting, storage, and compute infrastructure          | Signed        | PHI under BAA
Twilio                      | Voice and SMS communication with patients                            | Signed        | PHI under BAA
SendGrid (Twilio)           | Transactional email delivery to patients and staff                   | Signed        | PHI under BAA
Cloudflare                  | CDN, DDoS protection, edge security                                  | Signed        | Encrypted transit only
Datadog                     | Observability, error tracking, log aggregation                       | Signed        | Operational telemetry — PHI scrubbed
Stripe                      | Payment processing for AUOGE invoices (no patient billing data)      | N/A — no PHI  | Payment data only

Names listed above refer to vendors whose products we use under standards-based integrations and signed agreements. AUOGE is not affiliated with or endorsed by these vendors. The list is current as of the date of your engagement; any change is communicated to active customers in writing.

SOC 2 status

Where we are. In writing.

We are deliberately honest about where we are on the SOC 2 path because pretending costs more trust than it earns. Here is the current state and the timeline.

  1. Done
    Policies & controls drafted

    Information security, access, change management, incident response, vendor management, business continuity, and data classification policies all written and adopted.

  2. Done
    Internal controls operating

    Quarterly access reviews, encryption verification, log retention checks, vendor BAA tracking, and onboarding/offboarding workflows running on schedule.

  3. In progress
    SOC 2 Type I readiness

    Working with an external auditor to validate control design. Target: report issued within the next 6 months.

  4. Next
    SOC 2 Type II observation window

    Begins immediately after Type I. Twelve-month observation; final report follows.

  5. Available now
    Compliance artifacts under NDA

    Everything below — BAA, sub-processor list, data-flow diagram, IR playbook, policies — is available before you sign anything. Ask on the discovery call.

Request the artifacts

The documents your compliance team will ask for. Available under NDA before any contract.

We share these before you sign, not after. If a vendor will not give you their data-flow diagram on the discovery call, that is information about the vendor.

BAA template

Our standard Business Associate Agreement, ready to redline.

Data-flow diagram

How PHI moves through our stack, from ingestion to storage to deletion.

Sub-processor list

Maintained list of every vendor that may touch your data, with their BAA status.

Incident-response playbook

Notification timelines, escalation contacts, forensic steps. The actual document, not a summary.

Access-control matrix

Who on our team can see what, under what conditions, and how it is revoked.

Data-retention policy

What we keep, for how long, where, and how it is destroyed at end of contract.

Compliance questions

Send the questions your compliance officer would ask.

Email, phone, or the form. A real engineer answers — not an AE, not a chatbot. If we cannot answer in writing, we will tell you why on the same reply.

301 Carnegie Center, Suite 100, Princeton, New Jersey 08540