Built for healthcare security
HIPAA compliance, end-to-end encryption, and multi-tenant isolation are not afterthoughts — they are foundational to every line of code.
HIPAA Compliant Infrastructure
Our entire stack is designed for healthcare data from the ground up. We use HIPAA-eligible services with signed Business Associate Agreements.
- Supabase (PostgreSQL) with HIPAA BAA for database and authentication
- Vercel with HIPAA BAA for application hosting and edge delivery
- All infrastructure hosted in SOC 2 Type II certified data centers
- Regular third-party security assessments and penetration testing
Encryption Everywhere
All protected health information is encrypted both in transit and at rest using industry-standard protocols.
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for all data at rest
- Encrypted database connections with certificate verification
- No PHI stored in browser local storage or cookies
Multi-Tenant Isolation
Every organization's data is completely isolated at the database level using PostgreSQL Row-Level Security policies.
- Row-Level Security (RLS) on every table containing tenant data
- Database-level enforcement — cannot be bypassed by application code
- Organization-scoped queries verified on every request
- Complete data isolation between practices
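The pattern the list above describes, shown as an added PostgreSQL example that is not MedveriCodex's own schema: one tenant-scoped table, a non-owner application role, and a policy that makes both reads and writes depend on the organization the request was verified for. The table name `coding_reviews`, the role `app_user`, the session setting `app.current_org` and the sample UUIDs are all assumptions made for this example.

```sql
-- Added example (not the product's own schema): tenant isolation with
-- PostgreSQL Row-Level Security. Names and UUIDs are assumptions.
CREATE TABLE coding_reviews (
    id              bigserial PRIMARY KEY,
    organization_id uuid        NOT NULL,
    note_id         uuid        NOT NULL,
    assigned_code   text        NOT NULL,
    created_at      timestamptz NOT NULL DEFAULT now()
);

-- The application connects as a role that neither owns the table nor is a
-- superuser; superusers and roles with BYPASSRLS are never subject to RLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE ON coding_reviews TO app_user;
GRANT USAGE ON SEQUENCE coding_reviews_id_seq TO app_user;

-- ENABLE switches RLS on; FORCE applies it to the table owner as well, so an
-- admin or migration session cannot silently read across tenants.
ALTER TABLE coding_reviews ENABLE ROW LEVEL SECURITY;
ALTER TABLE coding_reviews FORCE ROW LEVEL SECURITY;

-- The tenant comes from a per-transaction setting that the application sets
-- only after it has authenticated the caller and resolved their organization.
-- current_setting(..., true) yields NULL when the setting is absent, and NULLIF
-- guards against an empty string; in both cases nothing matches, so a request
-- that forgot to set its tenant sees no rows instead of all rows.
-- USING filters SELECT/UPDATE/DELETE; WITH CHECK constrains INSERT/UPDATE.
CREATE POLICY tenant_isolation ON coding_reviews
    FOR ALL
    USING      (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Constructed sample data for two tenants. SET LOCAL lasts only for the
-- transaction, so the tenant context cannot leak into a pooled connection.
BEGIN;
SET LOCAL app.current_org = '00000000-0000-0000-0000-0000000000a1';
INSERT INTO coding_reviews (organization_id, note_id, assigned_code)
VALUES ('00000000-0000-0000-0000-0000000000a1', gen_random_uuid(), 'example-code-1');
COMMIT;

BEGIN;
SET LOCAL app.current_org = '00000000-0000-0000-0000-0000000000b2';
INSERT INTO coding_reviews (organization_id, note_id, assigned_code)
VALUES ('00000000-0000-0000-0000-0000000000b2', gen_random_uuid(), 'example-code-2');
-- Within this transaction only tenant b2's single row is visible:
SELECT count(*) FROM coding_reviews;
-- And an insert tagged with another tenant's id is rejected by WITH CHECK
-- ("new row violates row-level security policy"), whatever the app code does:
-- INSERT INTO coding_reviews (organization_id, note_id, assigned_code)
-- VALUES ('00000000-0000-0000-0000-0000000000a1', gen_random_uuid(), 'x');
COMMIT;

-- Audit check: list any ordinary table in the schema that is missing either
-- ENABLE or FORCE. The expected result for a correctly configured schema is
-- an empty set; run it as part of migration review.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relnamespace = 'public'::regnamespace
  AND relkind = 'r'
  AND NOT (relrowsecurity AND relforcerowsecurity);
```

The check at the end is the part worth automating: RLS is only "database-level enforcement" for tables that actually have a policy, and a table added without `ENABLE`/`FORCE` is readable by every tenant. The same query also surfaces tables where only `ENABLE` was applied, which leaves the owner role unrestricted.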
Access Controls
Fine-grained role-based access controls ensure only authorized personnel can access sensitive data.
- Role-based access: Owner, Admin, Coder, Provider, Viewer
- Invite-only team management with role assignment
- Session management with automatic timeout
- All access logged in an immutable audit trail
Immutable Audit Trail
Every AI decision, code assignment, and user action is logged in an append-only audit log that cannot be modified or deleted.
- Append-only audit log — no UPDATE or DELETE operations permitted
- Every agent decision recorded with reasoning, inputs, and outputs
- User action tracking for all coding reviews and approvals
- Full audit trail exportable for compliance reviews
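An added PostgreSQL example (not MedveriCodex's own schema) of the append-only log described above: the application role is granted only `INSERT` and `SELECT`, and a trigger rejects `UPDATE`, `DELETE` and `TRUNCATE` even for the table owner, so the two layers have to fail together before a record can change. The table `audit_log`, the role `app_user` and the sample values are assumptions.

```sql
-- Added example (not the product's own schema): an append-only audit log.
-- Table, column and role names and all sample values are assumptions.
CREATE TABLE audit_log (
    id              bigserial   PRIMARY KEY,
    occurred_at     timestamptz NOT NULL DEFAULT now(),
    organization_id uuid        NOT NULL,
    actor           text        NOT NULL,  -- user id or agent name
    action          text        NOT NULL,  -- e.g. 'code_suggested', 'review_approved'
    inputs          jsonb,                 -- what the agent or user was given
    outputs         jsonb,                 -- what it produced
    reasoning       text                   -- the agent's stated rationale
);

-- Application role (created here so this block runs on its own).
DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'app_user') THEN
        CREATE ROLE app_user NOLOGIN;
    END IF;
END
$$;

-- Layer 1, privileges: the application can append and read, nothing else.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT, INSERT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;

-- Layer 2, trigger: refuse any rewrite of history, including from the owner,
-- so a privileged migration or admin session cannot change a record by mistake.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % not permitted', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_log_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- TRUNCATE bypasses row triggers, so it needs its own statement-level trigger.
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Recording one agent decision with its inputs, outputs and reasoning
-- (constructed values).
INSERT INTO audit_log (organization_id, actor, action, inputs, outputs, reasoning)
VALUES ('00000000-0000-0000-0000-0000000000a1',
        'coding-agent',
        'code_suggested',
        '{"note_id": "00000000-0000-0000-0000-0000000000c3"}',
        '{"assigned_code": "example-code-1", "confidence": 0.91}',
        'Example rationale text for the suggested code.');

-- Any attempt to alter or remove history now fails, e.g.
-- UPDATE audit_log SET outputs = '{}' WHERE id = 1;
-- ERROR:  audit_log is append-only: UPDATE not permitted

-- Export for a compliance review, in insertion order.
COPY (
    SELECT id, occurred_at, organization_id, actor, action, inputs, outputs, reasoning
    FROM audit_log
    ORDER BY id
) TO STDOUT WITH (FORMAT csv, HEADER);
```

Two points a reviewer would want noted. First, the trigger stops ordinary statements but not a role that can `DROP TRIGGER` or `ALTER TABLE`, so the owner role must be separate from the application role and its changes must go through change control; shipping copies of the log to storage the database cannot overwrite is the usual way to make it immutable against the database's own administrators. Second, the same Row-Level Security policy pattern used for tenant tables should be applied to `audit_log` so that an organization's export contains only its own trail.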
Secure Application Design
Security headers, input validation, and secure coding practices protect against common web vulnerabilities.
- Strict Content Security Policy and X-Frame-Options headers
- X-Content-Type-Options: nosniff
- Strict-Transport-Security with HSTS preload
- Referrer-Policy: strict-origin-when-cross-origin
- Server-side input validation on all API endpoints
How we handle your data
Data ownership
You own your data. We process it on your behalf and never share it with third parties, use it for AI training, or access it without your authorization.
Data retention
Your data is retained for as long as your account is active. Upon account termination, all PHI is permanently deleted within 30 days, with certification available on request.
Data portability
You can export all your data at any time in standard formats (CSV, JSON). We never lock you in.
AI processing
Clinical notes are processed in real time by our AI agents. We use Anthropic's Claude API, which does not retain or train on customer data per their enterprise terms.
Business Associate Agreements
What is a BAA?
A Business Associate Agreement (BAA) is a contract between a HIPAA-covered entity (your practice) and a business associate (MedveriCodex) that establishes the permitted uses and disclosures of PHI.
Who signs the BAA?
MedveriCodex signs BAAs with all customers handling PHI. Our infrastructure providers (Supabase, Vercel) also maintain BAAs with us, creating a complete chain of compliance.
How do I get a BAA?
BAAs are available on request for Starter and Professional plans, and included by default with Enterprise plans. Contact us at security@medvericodex.com to initiate.
Questions about security?
Our team is available to discuss your security requirements and provide detailed compliance documentation.