Security & Trust Center

Security That Doesn't Compromise.
Neither Should Your EHR.

xEHR is architected from day one for healthcare's strictest security requirements. Every organization gets dedicated PHI stores, every action is audited, and every byte of PHI is encrypted.

  • 100% of PHI in dedicated stores, per organization
  • AES-256 encryption standard, at rest and in transit
  • 0 shared databases between tenants
  • TLS 1.3 transport security on all connections
  • HIPAA compliant by design, BAA on every plan
  • Audit log retention: immutable, per-org
Architecture

Complete Tenant Isolation — By Design

Every organization in xEHR is a fully isolated unit. No shared databases, no shared FHIR stores, no shared storage. A compromise of one tenant is architecturally isolated from all others.

PHI Store

Dedicated FHIR R4 Store

Each organization gets its own isolated Google Cloud Healthcare API FHIR R4 datastore. PHI never commingles across tenant boundaries: store-level IAM enforces the isolation at the cloud layer.

Workflow DB

Dedicated PostgreSQL Database

Workflow data (claims, encounters, audit logs, payments) lives in a database isolated per organization. For smaller clinics those per-org databases are co-located on a shared Cloud SQL instance, with row-level access controls as an additional layer; mid-size and enterprise customers get a dedicated instance.

Document Store

Dedicated Storage Bucket

Documents, EDI files, and PDF reports are stored in a Cloud Storage bucket unique to each organization. Bucket-level IAM prevents cross-tenant access, and per-org Cloud KMS keys add a second, cryptographic boundary.

Network

Unique Subdomain

Each organization gets a dedicated subdomain (org.xehr.io) with its own session state. Because each tenant is a distinct origin, the browser's same-origin policy keeps one tenant's session data out of another tenant's pages.

Auth

JWT-Scoped API Access

Every API request carries a signed JWT. The backend takes tenant identity exclusively from the verified token, never from query parameters or request bodies, so every object lookup is scoped to the caller's organization and cross-tenant IDOR is ruled out by construction. Within a tenant, RBAC decides what a given user may reach.
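The request path described above, and the "JWT-Only Tenant Scoping" item in the Access Control section, as an added example in Go. This is not xEHR's code; the claim names (sub, org_id, exp), the HS256 signing scheme, the in-memory Store standing in for a per-org database and its sample records are all assumptions for the illustration. The point it makes is that the org_id a client puts in the query string is accepted by the handler and then never looked at: the only org that reaches the lookup is the one inside a token whose signature and expiry have already been checked, and a deactivated account is refused on every call.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the token payload the backend trusts.
// The claim names are assumptions for this example.
type Claims struct {
	Sub   string `json:"sub"`
	OrgID string `json:"org_id"`
	Exp   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // unpadded URL-safe alphabet, as JWS requires

var ErrInvalidToken = errors.New("invalid token")

// SignHS256 issues a compact JWS; it stands in for the identity provider.
func SignHS256(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 pins the algorithm, checks the signature in constant time and
// checks expiry before any claim is trusted.
func VerifyHS256(key []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrInvalidToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, ErrInvalidToken // refuse "none", RS256 etc.: no alg confusion
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, ErrInvalidToken
	}
	var c Claims
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil || c.Sub == "" || c.OrgID == "" {
		return Claims{}, ErrInvalidToken
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// recKey is the composite key every PHI lookup runs under: org from the token, id from the route.
type recKey struct{ org, id string }

// Store stands in for the per-organization databases; contents are constructed sample data.
type Store struct {
	encounters map[recKey]string
	active     map[string]bool // user id -> account still enabled?
}

func NewStore() *Store {
	return &Store{
		encounters: map[recKey]string{
			{"org-a", "enc-1"}: "org-a encounter 1",
			{"org-b", "enc-1"}: "org-b encounter 1",
			{"org-b", "enc-2"}: "org-b encounter 2",
		},
		active: map[string]bool{"u-alice": true, "u-bob": true, "u-carol": false},
	}
}

// GetEncounter is the request path. queryOrgID is what a ?org_id= parameter
// would carry; it is accepted only to show that it is never consulted.
func (s *Store) GetEncounter(key []byte, token, queryOrgID, encID string, now time.Time) (string, error) {
	c, err := VerifyHS256(key, token, now)
	if err != nil {
		return "", err
	}
	_ = queryOrgID // tenant identity comes from the verified token and nowhere else
	if !s.active[c.Sub] {
		return "", errors.New("user deactivated") // re-checked on every request: no grace window
	}
	rec, ok := s.encounters[recKey{c.OrgID, encID}]
	if !ok {
		return "", errors.New("not found") // same answer for "another tenant's id" and "no such id"
	}
	return rec, nil
}

func main() {
	key := []byte("example-signing-key-do-not-use") // demo only
	now := time.Now()
	tok, _ := SignHS256(key, Claims{Sub: "u-alice", OrgID: "org-a", Exp: now.Add(10 * time.Minute).Unix()})
	fmt.Println(NewStore().GetEncounter(key, tok, "org-b", "enc-1", now)) // org-a encounter 1 <nil>
}
```

Two details carry most of the weight: the algorithm is pinned before the signature is checked, so a token whose header says "none" or a public-key algorithm is rejected outright, and a miss in another tenant's keyspace returns the same "not found" as a missing id, so an attacker cannot enumerate which ids exist elsewhere.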

Audit

Dual-Write Audit Logs

Every PHI access and modification writes to both an immutable per-org PostgreSQL audit table and a FHIR AuditEvent resource. Logs are append-only and cannot be deleted by org users.

Encryption

Encrypted Everywhere, Always

PHI is never stored or transmitted in plaintext. Encryption is applied at every layer of the stack — application, transport, storage, and database.

Application Layer
AES-256-GCM authenticated encryption; sensitive fields are encrypted before they are written to the FHIR store or database
Transport
TLS 1.3 enforced on all connections; older protocol versions and legacy cipher suites are rejected at the load balancer
FHIR Store at Rest
Google-managed AES-256 encryption for all FHIR resources
Database at Rest
Cloud SQL transparent encryption with customer-configurable CMEK for enterprise tiers
Object Storage
Cloud Storage default encryption + optional CMEK per bucket per org
Key Management
Cloud KMS key rotation policies; enterprise orgs can bring their own encryption keys
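The application-layer field encryption from the table above, as an added Go example (not xEHR's code). It assumes the 32-byte key has already been fetched from a key service and is handed to the cipher directly, and it adds one design choice worth seeing in working code: the org, resource and field name go into GCM's associated data, so a ciphertext lifted from one tenant's row and dropped into another's, or moved from the ssn column to the notes column, fails authentication instead of decrypting. The NUL-separated layout of that associated data is this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// FieldCipher encrypts individual PHI fields with AES-256-GCM before they are
// written to the FHIR store or database. Key provisioning is out of scope here.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad builds the associated data: authenticated, not encrypted, so a
// ciphertext only opens under the exact org/resource/field it was sealed for.
// The NUL-separated layout is this example's choice.
func aad(org, resource, field string) []byte {
	return []byte(org + "\x00" + resource + "\x00" + field)
}

// Encrypt returns base64(nonce || ciphertext || tag). GCM needs a nonce that is
// never reused under the same key; a fresh random 96-bit nonce per call.
func (f *FieldCipher) Encrypt(org, resource, field, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, []byte(plaintext), aad(org, resource, field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt verifies the tag, and with it the context, before returning anything.
func (f *FieldCipher) Decrypt(org, resource, field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], aad(org, resource, field))
	if err != nil {
		return "", errors.New("decryption failed: tampered, or bound to a different org/resource/field")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // demo only; a real key never lives in code
	io.ReadFull(rand.Reader, key)
	fc, _ := NewFieldCipher(key)
	ct, _ := fc.Encrypt("org-a", "Patient/123", "ssn", "123-45-6789")
	fmt.Println(fc.Decrypt("org-a", "Patient/123", "ssn", ct)) // 123-45-6789 <nil>
	fmt.Println(fc.Decrypt("org-b", "Patient/123", "ssn", ct)) // "" decryption failed ...
}
```

Encrypting the same value twice yields different ciphertexts because of the random nonce, which also means an encrypted column cannot be searched by equality; that is the usual trade-off of field-level encryption and the reason only selected fields get this treatment.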
Access Control

Zero Trust, Every Request

No request is trusted by default — every API call is authenticated, authorized against a tenant-scoped JWT, and logged.

Role-Based Access Control
Distinct roles for physicians, nurses, billing staff, receptionists, and admins. Users can only reach resources within their role's scope.
TOTP Multi-Factor Authentication
Authenticator-app MFA enforced for all users, and fail-closed: an error in the MFA step denies access rather than bypassing it.
Instant Deactivation
Deactivated users are blocked on the very next API request; there is no session grace window.
JWT-Only Tenant Scoping
Tenant identity is extracted exclusively from the signed JWT; a query-param org_id is ignored, never honored as an override.
CSRF Protection
Double-submit cookie CSRF protection on all state-mutating endpoints.
IP + Rate Limiting
Per-IP and per-user rate limiting prevents brute-force and enumeration attacks.
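The double-submit cookie check from the list above, as an added Go example that is not xEHR's code. It shows the signed variant of the pattern: the token is a random nonce plus an HMAC over the session id and the nonce, keyed with a server secret. A plain double-submit check only asks "does the header equal the cookie?", which any page able to set a cookie for the parent domain can satisfy; on a deployment where every tenant lives on a sibling subdomain of xehr.io, binding the token to the session and to a server secret is the check that closes that gap. The cookie and header names, the secret and the session id are assumptions for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// encodeToken renders nonce-hex "." base64url(HMAC-SHA256(secret, sessionID || 0 || nonce)).
func encodeToken(secret []byte, sessionID string, nonce []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(sessionID))
	mac.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" cannot collide
	mac.Write(nonce)
	return hex.EncodeToString(nonce) + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// NewCSRFToken mints the value the server sets in the csrf cookie (and that the
// client must echo in the X-CSRF-Token header) for an authenticated session.
func NewCSRFToken(secret []byte, sessionID string) (string, error) {
	nonce := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return encodeToken(secret, sessionID, nonce), nil
}

// ValidateCSRF is the server-side check run on every state-mutating request.
// cookieToken is the csrf cookie, headerToken the X-CSRF-Token header, and
// sessionID comes from the already-authenticated session, never from the client.
func ValidateCSRF(secret []byte, sessionID, cookieToken, headerToken string) error {
	if cookieToken == "" || headerToken == "" {
		return errors.New("missing csrf token")
	}
	// 1. classic double submit: cookie and header must match, compared in constant time
	if !hmac.Equal([]byte(cookieToken), []byte(headerToken)) {
		return errors.New("csrf token mismatch")
	}
	// 2. signature: the token must have been minted by this server for this
	//    session. A cookie planted from another host under the parent domain
	//    satisfies step 1 but cannot satisfy this step.
	parts := strings.SplitN(cookieToken, ".", 2)
	if len(parts) != 2 {
		return errors.New("malformed csrf token")
	}
	nonce, err := hex.DecodeString(parts[0])
	if err != nil {
		return errors.New("malformed csrf token")
	}
	expected := encodeToken(secret, sessionID, nonce)
	if !hmac.Equal([]byte(expected), []byte(cookieToken)) {
		return errors.New("csrf token not bound to this session")
	}
	return nil
}

func main() {
	secret := []byte("example-csrf-secret-do-not-use") // demo only
	tok, _ := NewCSRFToken(secret, "sess-1")
	fmt.Println(ValidateCSRF(secret, "sess-1", tok, tok)) // <nil>
	fmt.Println(ValidateCSRF(secret, "sess-2", tok, tok)) // csrf token not bound to this session
}
```

The token carries no secret material itself, so it can safely be readable by page JavaScript (the cookie must not be HttpOnly, or the client cannot copy it into the header); the session cookie that actually authorizes the request stays HttpOnly and SameSite.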
Compliance

Built for Healthcare's Strictest Standards

xEHR is designed to satisfy HIPAA Security Rule requirements end-to-end, with infrastructure-level certifications from our cloud provider.

HIPAA Privacy Rule

  • Minimum necessary access enforced by RBAC
  • Patient access request workflow
  • Notice of Privacy Practices included
  • Third-party disclosures tracked in audit log

HIPAA Security Rule

  • Technical safeguards: encryption, auth, audit
  • Physical safeguards: cloud-managed data centers
  • Administrative safeguards: policies + training docs
  • 45 CFR § 164.312 addressable specifications: coverage documented

HIPAA Breach Rule

  • Audit logs enable breach detection + scope analysis
  • Immutable logs cannot be altered post-breach
  • BAA establishes notification obligations
  • Incident response runbooks provided

Infrastructure Certifications

  • ISO 27001 certified cloud provider
  • SOC 2 Type II certified infrastructure
  • PCI DSS Level 1 certified for payment handling
  • FedRAMP Moderate authorized services
Security Engineering

Security Woven Into Every Commit

OWASP Top 10 Coverage

SQL injection, XSS, insecure direct object reference (IDOR), CSRF, and command injection are all addressed in the architecture and in code review checklists.

Input Validation

All user input validated at system boundaries. File uploads are extension-whitelisted, size-capped, and filename-sanitized before storage.
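The upload checks listed above (extension allowlist, size cap, filename sanitization), as an added Go example rather than xEHR's code. The allowlist, the 25 MiB cap and the replacement character are assumptions for the illustration; the cases it handles are the ones that matter in practice: directory components and traversal sequences from either path separator, NUL bytes, double extensions, and names that are nothing but an extension.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// MaxUploadBytes is an assumed cap; the real limit is a deployment setting.
const MaxUploadBytes = 25 << 20

// allowedExt is an assumed allowlist of document types the store accepts.
var allowedExt = map[string]bool{".pdf": true, ".edi": true, ".x12": true, ".png": true, ".jpg": true}

// Anything outside this set (spaces, dots, unicode, shell metacharacters) becomes "_".
var unsafeChars = regexp.MustCompile(`[^A-Za-z0-9_-]+`)

// SanitizeUpload validates a client-supplied filename and declared size and
// returns the object name the file should be stored under.
func SanitizeUpload(clientName string, size int64) (string, error) {
	if size <= 0 || size > MaxUploadBytes {
		return "", errors.New("file size out of range")
	}
	// Drop any directory component the client sent, whichever separator it used:
	// "..\..\x.pdf" and "/etc/x.pdf" both collapse to their last element.
	name := path.Base(strings.ReplaceAll(clientName, "\\", "/"))
	if name == "." || name == ".." || name == "/" || strings.ContainsRune(name, 0) {
		return "", errors.New("invalid filename")
	}
	// The allowlist is checked on the *last* extension, so "report.pdf.exe" fails here.
	ext := strings.ToLower(path.Ext(name))
	if !allowedExt[ext] {
		return "", fmt.Errorf("extension %q not allowed", ext)
	}
	// Rewrite the stem: inner dots go too, so "payload.exe.pdf" becomes "payload_exe.pdf"
	// and nothing downstream can mistake the inner token for the real extension.
	stem := strings.TrimSuffix(name, path.Ext(name))
	stem = strings.Trim(unsafeChars.ReplaceAllString(stem, "_"), "_-")
	if stem == "" {
		stem = "upload"
	}
	if len(stem) > 100 {
		stem = stem[:100]
	}
	return stem + ext, nil
}

func main() {
	for _, in := range []string{"claim 2024.PDF", "..\\..\\report.pdf", "payload.exe.pdf", "../../etc/passwd", "report.pdf.exe"} {
		out, err := SanitizeUpload(in, 1024)
		fmt.Printf("%-22q -> %q %v\n", in, out, err)
	}
}
```

An extension check says nothing about the bytes inside the file; a content-type check on the first bytes (magic numbers) against the declared extension, done before the object is written, is the usual companion to this routine.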

Secrets Management

Zero secrets in source code. All credentials stored in Google Secret Manager, injected at runtime via Cloud Run secret bindings.

Dependency Scanning

Automated vulnerability scanning in CI. Dependency updates reviewed weekly. No known critical CVEs in production dependencies.

Security Logging

All authentication events, privilege escalations, PHI access, and API errors are logged with user ID, IP, timestamp, and action detail.

Secure SDLC

Security review required for all backend changes. Tenant isolation checklist must pass before any API endpoint is merged.

Operational Security

Always On, Always Protected

Security doesn't sleep. Neither does our infrastructure monitoring.

Automated Backups

Daily automated backups with point-in-time recovery for all org databases, retained for 30 days. Backups are encrypted and stored in geographically separated regions.

Disaster Recovery

Multi-zone database replication with automatic failover. Recovery Time Objective (RTO) < 1 hour. Recovery Point Objective (RPO) < 5 minutes.

Incident Response

Defined incident response playbook covering detection, containment, eradication, and notification. Breach notification delivered within 72 hours.

Access Reviews

Quarterly access reviews for all infrastructure and admin-level accounts. Principle of least privilege enforced. Unused credentials revoked immediately.

Uptime Monitoring

24/7 synthetic monitoring on all critical API endpoints and FHIR stores. On-call rotation ensures sub-15-minute response to P0 incidents.

Penetration Testing

Annual third-party penetration testing covering web application, API, and infrastructure layers. Findings addressed before next production release.

Responsible Disclosure

Found a Vulnerability?

We take security reports seriously. If you discover a potential vulnerability in xEHR, we want to know. Report responsibly and we'll acknowledge your disclosure, investigate promptly, and keep you informed.

security@xehr.io

Our Commitment to Reporters

Acknowledgment within 24 hours
Initial triage and severity assessment within 72 hours
Regular status updates throughout investigation
Public credit (if desired) after patch is released
No legal action for good-faith disclosures

BAA Included on Every Plan

Every xEHR customer gets a signed Business Associate Agreement at no additional cost. We also maintain BAAs with all sub-processors that handle PHI on our behalf.
