OnlyHIPAA

Security & Compliance

How we protect your data and demonstrate it.

Certifications & Attestations

OnlyHIPAA is built to meet the bar customers in regulated industries expect from their compliance vendor:

  • HIPAA — we operate as a Business Associate under the HIPAA Security, Privacy, and Breach Notification Rules and execute a BAA with every customer that stores PHI.
  • SOC 2 Type II — independently audited against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. Reports are available under NDA on request.
  • NIST CSF / 800-53 alignment — our control framework maps to NIST CSF and the HIPAA-relevant 800-53 control families.

Data Protection

  • Encryption in transit: TLS 1.2+ enforced on all connections, HSTS preload list, certificate pinning on critical endpoints.
  • Encryption at rest: AES-256 on all primary databases and object storage, with per-tenant key separation for sensitive fields.
  • Key management: KMS-backed keys with automated rotation; no shared secrets in code.
  • Backups: encrypted, geo-redundant, with point-in-time recovery and regularly tested restores.

Access Controls

  • SSO/SAML, SCIM provisioning, and IP allowlisting available on Pro and Enterprise plans
  • Mandatory multi-factor authentication for administrative roles
  • Role-based access control with least-privilege defaults
  • Session policies with idle and absolute timeouts; configurable per-organization
  • Full audit trail of administrative and data-access events

Application Security

  • CSRF, XSS, SQL-injection, and SSRF defenses applied uniformly through framework-level controls
  • Content Security Policy with per-request nonces; strict referrer and frame-ancestor policies
  • Static analysis on every commit; PHPStan at the strictest level on the core platform
  • Annual third-party penetration test; bug-bounty program for high-severity findings

Infrastructure

  • U.S.-based hosting on SOC 2-attested cloud providers
  • Network segmentation with private subnets for all data stores
  • Continuous vulnerability scanning and same-day patching on critical CVEs
  • DDoS protection and WAF in front of all public endpoints

Incident Response

We follow a documented incident-response plan with defined severity tiers and notification SLAs. Customers are notified of any security incident affecting their data within the timeframes required by our BAA and applicable law — in no case later than 60 days from discovery of a reportable breach, and typically much sooner.

Reporting a Vulnerability

Security researchers and customers can report vulnerabilities to [email protected]. We acknowledge reports within one business day and aim to triage within three. Coordinated disclosure is preferred.

Trust Documents

Customers and prospects under NDA can request the following from [email protected]:

  • SOC 2 Type II report
  • Penetration-test executive summary
  • HIPAA Security Rule mapping
  • Subprocessor list
  • Business continuity / disaster recovery plan summary

View our BAA template →