Security & Compliance

We protect PHI with encryption, access controls, and audit-ready logs. BAAs available for Enterprise customers.

BAA & HIPAA

We sign Business Associate Agreements (BAAs) with Enterprise customers handling PHI.

HIPAA compliance: RxAI is designed to support HIPAA requirements for the services we provide. There is no official HIPAA "certification"; instead, we implement administrative, physical, and technical safeguards and sign BAAs.

HIPAA Ready

Business Associate Agreements available

Data Protection

Encryption in Transit

TLS 1.2+ for all data transmission

Encryption at Rest

AES-256 encryption for stored data

Key Management

Managed KMS (cloud provider)

Data Residency

US-based data centers (configurable)

Access Controls

RBAC, least privilege, SSO/SAML

Identity Management

Multi-factor authentication required

Audit & Logging

Video Documentation

For Enterprise customers, we provide video documentation of every Rx dispensed with immutable logs including capture time, device, Rx #/NDC, and user ID.

  • Tamper-evident write-once storage
  • Cryptographic hash verification
  • Complete audit trail for each transaction
  • Export by date range, Rx #, or user
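To make concrete what "immutable logs", "cryptographic hash verification" and the three export options mean in practice, here is an added example (not RxAI's own code, and not a description of how RxAI stores its records). It implements a hash-chained audit log whose entries carry the fields the page lists (capture time, device, Rx #/NDC, user ID) plus a hash of the captured video. Each entry's hash commits to the previous entry, so editing any record, even if its own hash is recomputed, breaks the chain at or after the edited entry. All names, field layouts and sample records are constructed for illustration.

```python
# Added example (not RxAI's code): a hash-chained, tamper-evident audit log
# carrying the fields the page lists for each dispensed Rx. All names and
# sample data below are constructed for illustration.
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import Dict, List, Optional

GENESIS = "0" * 64  # constructed anchor used as prev_hash of the first entry
_LINK_FIELDS = ("prev_hash", "entry_hash")


@dataclass(frozen=True)
class AuditEntry:
    capture_time: str  # ISO-8601 UTC timestamp of the video capture
    device: str        # capture device identifier
    rx_number: str     # prescription number
    ndc: str           # National Drug Code
    user_id: str       # user who performed the dispense
    video_sha256: str  # SHA-256 of the captured video file
    prev_hash: str     # entry_hash of the preceding entry (GENESIS for the first)
    entry_hash: str    # SHA-256 over prev_hash and this entry's own fields


def _canonical(fields: Dict[str, str]) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so hashes are reproducible."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(fields: Dict[str, str], prev_hash: str) -> str:
    return hashlib.sha256(prev_hash.encode() + b"\n" + _canonical(fields)).hexdigest()


def _payload(entry: AuditEntry) -> Dict[str, str]:
    """The hashed fields of an entry, i.e. everything except the chain links."""
    return {k: v for k, v in asdict(entry).items() if k not in _LINK_FIELDS}


def append_entry(log: List[AuditEntry], **fields: str) -> AuditEntry:
    """Append an entry whose hash commits to the previous entry, extending the chain."""
    prev = log[-1].entry_hash if log else GENESIS
    entry = AuditEntry(**fields, prev_hash=prev, entry_hash=_entry_hash(fields, prev))
    log.append(entry)
    return entry


def verify_chain(log: List[AuditEntry]) -> Optional[int]:
    """Return None if every link and hash checks out, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.prev_hash != prev or entry.entry_hash != _entry_hash(_payload(entry), prev):
            return i
        prev = entry.entry_hash
    return None


def verify_video(entry: AuditEntry, video_bytes: bytes) -> bool:
    """Check that a stored video file still matches the hash recorded at capture time."""
    return hashlib.sha256(video_bytes).hexdigest() == entry.video_sha256


# Export helpers matching the page's three export options.
def export_by_date_range(log: List[AuditEntry], start: str, end: str) -> List[AuditEntry]:
    # Same-layout ISO-8601 UTC strings sort lexicographically; half-open interval [start, end).
    return [e for e in log if start <= e.capture_time < end]


def export_by_rx(log: List[AuditEntry], rx_number: str) -> List[AuditEntry]:
    return [e for e in log if e.rx_number == rx_number]


def export_by_user(log: List[AuditEntry], user_id: str) -> List[AuditEntry]:
    return [e for e in log if e.user_id == user_id]


# Constructed sample data (not real prescriptions, devices, users or video).
SAMPLE_VIDEOS = {
    "RX-100001": b"constructed video bytes 1",
    "RX-100002": b"constructed video bytes 2",
    "RX-100003": b"constructed video bytes 3",
}


def build_sample_log() -> List[AuditEntry]:
    log: List[AuditEntry] = []
    rows = [
        ("2025-01-06T14:02:11Z", "cam-01", "RX-100001", "00000-0000-01", "tech-042"),
        ("2025-01-06T14:05:40Z", "cam-01", "RX-100002", "00000-0000-02", "tech-017"),
        ("2025-01-07T09:15:03Z", "cam-02", "RX-100003", "00000-0000-03", "tech-042"),
    ]
    for capture_time, device, rx_number, ndc, user_id in rows:
        append_entry(log, capture_time=capture_time, device=device, rx_number=rx_number,
                     ndc=ndc, user_id=user_id,
                     video_sha256=hashlib.sha256(SAMPLE_VIDEOS[rx_number]).hexdigest())
    return log


def tamper(log: List[AuditEntry], index: int, rehash: bool = False) -> List[AuditEntry]:
    """Return a copy with one entry's Rx number edited, optionally with its own hash recomputed."""
    edited = replace(log[index], rx_number="RX-999999")
    if rehash:  # a forger who fixes up the edited entry still breaks the next link
        edited = replace(edited, entry_hash=_entry_hash(_payload(edited), edited.prev_hash))
    return log[:index] + [edited] + log[index + 1:]


if __name__ == "__main__":
    log = build_sample_log()
    print("intact chain:", verify_chain(log))
    print("edited entry:", verify_chain(tamper(log, 1)))
    print("edited and rehashed:", verify_chain(tamper(log, 1, rehash=True)))
```

The chain alone only detects edits inside the log; it does not stop someone with write access from rewriting every entry from the edited point onward and presenting a consistent new chain. That is why the head hash (the latest `entry_hash`) needs to be anchored somewhere the writer cannot change, which is the role the page's "tamper-evident write-once storage" plays: periodically copying the head hash to write-once storage, or to a separate system under different credentials, lets a verifier compare the live log against an anchor the log writer cannot alter.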

Video Documentation

Every action recorded and verified

Export Options

By Date Range

Export all records within specified dates

By Rx Number

Find specific prescription records

By User

Track individual user activity

Data Retention

Default Retention

18 months for video/logs; configurable per enterprise contract.

Deletion Process

Deletion on request with verified admin approval. Backups follow the same retention schedule.

Compliance Support

  • Legal hold support
  • Custom retention periods
  • Automated deletion
  • Audit documentation

Secure Development

Code Reviews

All code peer-reviewed before deployment

Dependency Scanning

Automated vulnerability detection

Secrets Management

Encrypted secrets, no hardcoded credentials

Environment Isolation

Separate dev, staging, and production

Vulnerability Management

Regular Security Scans

Automated vulnerability assessments of code and infrastructure.

Penetration Testing

Annual third-party security assessments with published summaries.

Patch Management

Critical patches prioritized and deployed within 48 hours.

Security Monitoring

24/7 security monitoring and incident response.

Incident Response

1. Detection: 24/7 monitoring systems
2. Triage: Immediate assessment and classification
3. Containment: Isolate and remediate threats
4. Notification: Customer notification per BAA and law

24/7 on-call security team with defined response procedures and customer notification protocols.

Subprocessors

Cloud Infrastructure

  • AWS (cloud hosting and storage)
  • CloudFlare (CDN and DDoS protection)

Monitoring & Analytics

  • DataDog (infrastructure monitoring)
  • PostHog (product analytics)

Security Services

  • Auth0 (identity management)
  • AWS KMS (key management)

Communication

  • Twilio (notifications)
  • SendGrid (email delivery)

Last updated: January 2025

Questions about security?

Contact our security team or request our detailed security brief.

security@getrxai.com