OnlyHIPAA

Security & Compliance

How we protect your data and demonstrate it.

Certifications & Attestations

OnlyHIPAA is built to meet the bar customers in regulated industries expect from their compliance vendor:

  • HIPAA — we operate as a Business Associate under the HIPAA Security, Privacy, and Breach Notification Rules and execute a BAA with every customer that stores PHI.
  • SOC 2 Type II — independently audited against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. Reports are available under NDA on request.
  • NIST CSF / 800-53 alignment — our control framework maps to NIST CSF and the HIPAA-relevant 800-53 control families.

Data Protection

  • Encryption in transit: TLS 1.3 (TLS 1.2 minimum) enforced on all connections; domains submitted to the HSTS preload list; certificate pinning on critical endpoints.
  • Encryption at rest: AES-256 on all primary databases and object storage, with per-tenant key separation for sensitive fields.
  • Key management: KMS-backed keys with automated rotation; no shared secrets in code.
  • Backups: encrypted, geo-redundant, with point-in-time recovery and regularly tested restores.

Authentication & Access Controls

  • NIST SP 800-63B-aligned authentication: Argon2id password hashing and a breached-password check against known-compromised credentials.
  • Strong MFA via authenticator apps (TOTP), passkeys, or hardware security keys (FIDO2/WebAuthn), enforceable by per-organization policy.
  • SSO/SAML, SCIM provisioning, and IP allowlisting available on Enterprise plans.
  • Role-based access control with least-privilege defaults.
  • Server-side, revocable sessions with idle and absolute timeouts, configurable per-organization.
  • Every action is written to an immutable, tamper-evident audit log retained for six years (per 45 CFR §164.530(j)(2)).
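The "immutable, tamper-evident audit log" above is a property, not a mechanism. The following is an added illustration of one common way to get that property, a hash chain over append-only entries, written for this page; it is not OnlyHIPAA's code, and the page does not say how their log is actually implemented. The field names, the SHA-256 chaining and the sample events are all constructed for the example.

```python
"""Hash-chained, append-only audit log with tamper detection (illustrative example)."""
import hashlib
import json
import time
from dataclasses import dataclass, replace
from typing import List, Optional

# Hash that the first entry chains to; any well-known constant works.
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the log, starting at 0
    timestamp: float  # Unix time the action was recorded
    actor: str        # who performed the action (assumed identifier format)
    action: str       # what was done, e.g. "view", "export"
    resource: str     # what it was done to
    prev_hash: str    # entry_hash of the preceding entry (or GENESIS_HASH)
    entry_hash: str   # SHA-256 over every field above, in canonical form


def compute_hash(seq: int, timestamp: float, actor: str, action: str,
                 resource: str, prev_hash: str) -> str:
    """Canonical JSON (sorted keys, no whitespace) keeps the hash stable
    across serializers; prev_hash inside the digest is what links entries."""
    payload = json.dumps(
        {"seq": seq, "timestamp": timestamp, "actor": actor,
         "action": action, "resource": resource, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only in-memory log; a real deployment would persist entries
    to write-once storage and anchor the head hash externally."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def append(self, actor: str, action: str, resource: str,
               timestamp: Optional[float] = None) -> AuditEntry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        seq = len(self._entries)
        ts = time.time() if timestamp is None else timestamp
        entry = AuditEntry(seq, ts, actor, action, resource, prev,
                           compute_hash(seq, ts, actor, action, resource, prev))
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)


def verify_chain(entries: List[AuditEntry]) -> Optional[int]:
    """Return the index of the first entry that breaks the chain, or None if
    the log is intact. Detects edited, deleted, inserted or reordered entries."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return i
        expected = compute_hash(e.seq, e.timestamp, e.actor, e.action,
                                e.resource, e.prev_hash)
        if expected != e.entry_hash:
            return i
        prev = e.entry_hash
    return None


def demo():
    """Constructed sample events; returns (intact_result, tampered_result)."""
    log = AuditLog()
    log.append("dr.smith", "view", "patient/1042", timestamp=1700000000.0)
    log.append("dr.smith", "export", "patient/1042", timestamp=1700000060.0)
    log.append("admin", "role_change", "user/dr.smith", timestamp=1700000120.0)
    intact = verify_chain(log.entries())          # None: chain is good

    # Simulate someone rewriting history: the export is relabelled as a view.
    # The stored entry_hash no longer matches the content, so index 1 is flagged.
    tampered = log.entries()
    tampered[1] = replace(tampered[1], action="view")
    modified = verify_chain(tampered)             # 1

    return intact, modified


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer of such a design would raise: the chain alone does not detect truncation of the tail (dropping the newest entries leaves a valid shorter chain), so the latest hash must be published or written somewhere the application cannot rewrite; and because the digest is unkeyed, anyone who can rewrite the whole log can re-chain it, which is why the append path and the storage need separate privileges from the application that generates events.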

Application Security

  • CSRF, XSS, SQL-injection, and SSRF defenses applied uniformly through framework-level controls.
  • Content Security Policy with per-request nonces; strict referrer and frame-ancestors policies.
  • Static analysis on every commit; PHPStan at the strictest level on the core platform.
  • Annual third-party penetration test; bug-bounty program for high-severity findings.

Infrastructure

  • U.S.-based hosting on SOC 2-attested cloud providers.
  • Network segmentation with private subnets for all data stores.
  • Continuous vulnerability scanning and same-day patching of critical CVEs.
  • DDoS protection and WAF in front of all public endpoints.

Incident Response

We follow a documented incident-response plan with defined severity tiers and notification SLAs. Customers are notified of any security incident affecting their data within the timeframes required by our BAA and applicable law — in no case later than 60 days from discovery of a reportable breach, and typically much sooner.

Reporting a Vulnerability

Security researchers and customers can report vulnerabilities to [email protected]. We acknowledge reports within one business day and aim to triage them within three. Coordinated disclosure is preferred.

Trust Documents

Customers and prospects under NDA can request the following from [email protected]:

  • SOC 2 Type II report
  • Penetration-test executive summary
  • HIPAA Security Rule mapping
  • Subprocessor list
  • Business continuity / disaster recovery plan summary

View our BAA template →

© 2026 OnlyHIPAA, Inc. All rights reserved.

OnlyHIPAA provides tools to assist with HIPAA compliance but does not constitute legal advice. Consult qualified legal counsel for specific compliance guidance.