Enterprise-Grade Security
Your patients' data is protected by industry-leading security infrastructure, encryption, and access controls.
Security Controls in Place
These are the security measures actively protecting your data today.
HIPAA Compliant
Full compliance with HIPAA Privacy and Security Rules. Business Associate Agreement (BAA) signed with our cloud infrastructure provider. Administrative, physical, and technical safeguards implemented.
AES-256-GCM Encryption
All application-level data encrypted with AES-256-GCM (authenticated encryption). Cloud infrastructure provides additional AES-256 encryption at rest for all storage, databases, and FHIR stores. TLS 1.3 for all data in transit.
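As an added example (not xEHR's own code), the Go program below shows the application-level pattern described above: AES-256-GCM with a fresh random 96-bit nonce for every record, and the tenant and record identifiers bound in as associated data so that a ciphertext moved to another tenant or another row fails authentication instead of decrypting. The envelope layout (nonce || ciphertext || tag), the recordAAD helper and the identifiers are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope layout assumed for this example: nonce || ciphertext || GCM tag.
// Associated data (AAD) is not encrypted but is authenticated, so it is the
// place to bind identifiers that sit in the clear next to the record.

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
}

// recordAAD builds the associated data from identifiers stored alongside the
// ciphertext (field names are an assumption for this example).
func recordAAD(tenantID, recordID string) []byte {
	return []byte("tenant=" + tenantID + ";record=" + recordID)
}

// Encrypt seals plaintext under key with a fresh random nonce and returns the envelope.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err // never fall back to a fixed nonce
	}
	// Seal appends ciphertext and tag to the nonce, producing nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens an envelope; any change to nonce, ciphertext, tag or AAD fails.
func Decrypt(key, envelope, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(envelope) < ns+aead.Overhead() {
		return nil, errors.New("envelope too short")
	}
	pt, err := aead.Open(nil, envelope[:ns], envelope[ns:], aad)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext, nonce or AAD was altered")
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; production keys come from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aad := recordAAD("org-123", "Patient/42")
	env, err := Encrypt(key, []byte(`{"resourceType":"Patient","id":"42"}`), aad)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, env, aad)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	// The same bytes presented under another tenant's identifiers are rejected.
	_, err = Decrypt(key, env, recordAAD("org-999", "Patient/42"))
	fmt.Println("cross-tenant replay:", err)
}
```

The check a practitioner wants here is nonce hygiene: GCM loses both confidentiality and integrity if a nonce repeats under the same key, so with random 96-bit nonces the key must be rotated well before 2^32 records, or a counter-based nonce used instead.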
Multi-Factor Authentication
TOTP-based MFA enforced for all users across all roles (administrators, providers, and staff). Fail-closed design: any error in the MFA check, including a backend failure, results in denied access rather than a skipped check, so MFA cannot be bypassed during system errors.
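An added example, not xEHR's implementation, of what "fail-closed" means for the TOTP check: RFC 6238 verification over HMAC-SHA1 with 30-second steps and 6 digits, one step of clock skew, rejection of a replayed code, and a single entry point in which a missing enrollment, a corrupt stored secret, or a panic inside the verifier all resolve to "deny". The Enrollment record and its fields are assumptions; the test secret is the one from RFC 4226/6238.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	totpStep   = 30 // seconds per RFC 6238 time step
	totpDigits = 6
	totpSkew   = 1 // accept one step either side for clock drift
)

// hotp computes an RFC 4226 HOTP-SHA1 code for a raw secret and counter.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Enrollment is what a hypothetical MFA store keeps per user (assumed schema).
type Enrollment struct {
	Secret   string // base32-encoded shared secret
	LastStep int64  // newest time step for which a code was accepted
}

// verifyTOTP is the inner check; anything unexpected surfaces as an error.
func verifyTOTP(e *Enrollment, code string, now time.Time) (bool, error) {
	if e == nil {
		return false, errors.New("user has no MFA enrollment")
	}
	if len(code) != totpDigits {
		return false, nil // malformed code is simply not valid
	}
	secret, err := base32.StdEncoding.DecodeString(strings.ToUpper(e.Secret))
	if err != nil {
		return false, fmt.Errorf("corrupt enrollment secret: %w", err)
	}
	step := now.Unix() / totpStep
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		s := step + d
		if s <= e.LastStep {
			continue // replay: a code for this step (or an older one) was already used
		}
		if hmac.Equal([]byte(hotp(secret, uint64(s))), []byte(code)) {
			e.LastStep = s
			return true, nil
		}
	}
	return false, nil
}

// VerifyMFA is the only entry point the login flow calls. Every error path,
// including a panic inside the verifier, collapses to "deny", so an outage in
// the MFA store or a malformed record can never let a login through.
func VerifyMFA(e *Enrollment, code string, now time.Time) (allowed bool) {
	defer func() {
		if r := recover(); r != nil {
			allowed = false
		}
	}()
	ok, err := verifyTOTP(e, code, now)
	if err != nil {
		// report err to operators; the decision is still deny
		return false
	}
	return ok
}

func main() {
	// Constructed enrollment using the RFC 6238 test secret and test time (step 1).
	e := &Enrollment{Secret: base32.StdEncoding.EncodeToString([]byte("12345678901234567890"))}
	at := time.Unix(59, 0)
	fmt.Println("valid code accepted:", VerifyMFA(e, "287082", at))
	fmt.Println("same code replayed: ", VerifyMFA(e, "287082", at))
	fmt.Println("no enrollment:      ", VerifyMFA(nil, "287082", at))
}
```

The shape matters more than the arithmetic: the verifier returns (bool, error), and only the wrapper decides, mapping every error to false. A design in which a failed lookup is treated as "MFA not configured, skip it" is the open-failure the page says it avoids.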
Audit Logging
Comprehensive audit trails for all data access and modifications. Per-organization isolated audit logs. HIPAA-required event tracking with user, action, timestamp, and IP address.
Role-Based Access Control
Granular RBAC with distinct roles for physicians, nurses, billing staff, administrators, and more. Users only access data required for their role. Immediate deactivation blocks all access.
Per-Tenant Data Isolation
Each organization receives a dedicated FHIR store, dedicated PostgreSQL database, and dedicated cloud storage bucket. No data store is shared between tenants, so isolation is enforced by separate stores rather than by filtering on a tenant ID inside shared tables. Because the platform runs on managed cloud services, this is isolation at the data-store level (dedicated instances), not dedicated hardware.
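An added example, not xEHR's code, tying together the audit logging, role-based access control and tenant isolation described in the three items above: a deny-by-default permission matrix, an authorization check that refuses deactivated accounts and cross-organization requests before any role lookup, and an audit event (user, action, timestamp, client IP, outcome) written to a per-organization log for every decision, denials included. The roles, the permission matrix and the in-memory log are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type Role string

const (
	RolePhysician Role = "physician"
	RoleNurse     Role = "nurse"
	RoleBilling   Role = "billing"
	RoleAdmin     Role = "admin"
)

// permissions maps each role to the "resource:action" pairs it may perform.
// Anything not listed is denied. This matrix is constructed for illustration.
var permissions = map[Role]map[string]bool{
	RolePhysician: {"Patient:read": true, "Patient:write": true, "Observation:read": true, "Observation:write": true},
	RoleNurse:     {"Patient:read": true, "Observation:read": true, "Observation:write": true},
	RoleBilling:   {"Patient:read": true, "Claim:read": true, "Claim:write": true},
	RoleAdmin:     {"User:read": true, "User:write": true}, // manages accounts, no clinical data
}

type User struct {
	ID     string
	OrgID  string
	Role   Role
	Active bool // false as soon as the account is deactivated
}

// AuditEvent records who did what, when, from where, and whether it was allowed.
type AuditEvent struct {
	Time     time.Time
	OrgID    string
	UserID   string
	Action   string // e.g. "Patient:read"
	Outcome  string // "allow" or "deny"
	Reason   string
	ClientIP string
}

// AuditLog is an in-memory stand-in for per-organization audit storage:
// events are keyed by OrgID so one tenant's trail never contains another's.
type AuditLog struct{ byOrg map[string][]AuditEvent }

func NewAuditLog() *AuditLog { return &AuditLog{byOrg: map[string][]AuditEvent{}} }

func (l *AuditLog) record(ev AuditEvent) { l.byOrg[ev.OrgID] = append(l.byOrg[ev.OrgID], ev) }

func (l *AuditLog) ForOrg(orgID string) []AuditEvent { return l.byOrg[orgID] }

var ErrDenied = errors.New("access denied")

// Authorize decides whether u may perform action on a resource owned by
// resourceOrg and writes an audit event for the decision either way. The
// checks run in order: authentication, deactivation, tenant boundary, role.
func Authorize(audit *AuditLog, u *User, resourceOrg, resource, action, clientIP string, now time.Time) error {
	key := resource + ":" + action
	deny := func(reason string) error {
		ev := AuditEvent{Time: now, OrgID: resourceOrg, Action: key, Outcome: "deny", Reason: reason, ClientIP: clientIP}
		if u != nil {
			ev.OrgID, ev.UserID = u.OrgID, u.ID // log under the caller's own organization
		}
		audit.record(ev)
		return fmt.Errorf("%w: %s", ErrDenied, reason)
	}
	switch {
	case u == nil:
		return deny("unauthenticated request")
	case !u.Active:
		return deny("account deactivated")
	case u.OrgID != resourceOrg:
		return deny("resource belongs to another organization")
	case !permissions[u.Role][key]:
		return deny("role " + string(u.Role) + " is not granted " + key)
	}
	audit.record(AuditEvent{Time: now, OrgID: u.OrgID, UserID: u.ID, Action: key, Outcome: "allow", ClientIP: clientIP})
	return nil
}

func main() {
	audit := NewAuditLog()
	now := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC) // constructed timestamp
	dr := &User{ID: "u-1", OrgID: "org-A", Role: RolePhysician, Active: true}
	fmt.Println(Authorize(audit, dr, "org-A", "Patient", "read", "10.0.0.5", now))
	fmt.Println(Authorize(audit, dr, "org-B", "Patient", "read", "10.0.0.5", now))
	dr.Active = false
	fmt.Println(Authorize(audit, dr, "org-A", "Patient", "read", "10.0.0.5", now))
	for _, ev := range audit.ForOrg("org-A") {
		fmt.Printf("%s user=%s action=%s outcome=%s ip=%s %s\n",
			ev.Time.Format(time.RFC3339), ev.UserID, ev.Action, ev.Outcome, ev.ClientIP, ev.Reason)
	}
}
```

Two choices here are the ones worth copying: the Active flag is checked on every request rather than only at login, which is what makes deactivation take effect immediately, and denials are logged with the same fields as successes, since an audit trail that records only allowed access cannot show an attempted breach.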
Infrastructure Security
Built on cloud-native, security-certified infrastructure.
Cloud-Native Architecture
xEHR runs on cloud infrastructure that is SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018 and HITRUST CSF certified and FedRAMP authorized, with auto-scaling, zero-downtime deployments, and global availability.
FHIR R4 Clinical Data Stores
All clinical data (PHI) is stored in dedicated, HIPAA-compliant FHIR R4 stores with native interoperability, covered under our signed BAA.
Managed Database with Private Networking
PostgreSQL databases run on fully managed cloud infrastructure, reachable only over private networking rather than a public endpoint, with automatic encryption at rest (AES-256), automated backups, and high availability configurations.
Compliance Roadmap
Our planned path to additional certifications.
SOC 2 Type I Audit
Engage a third-party auditor to assess the design and implementation of security controls at a point in time.
SOC 2 Type II Report
Audit covering a 6-month observation period to assess the operating effectiveness of security controls over time.
HITRUST CSF Assessment
Begin HITRUST r2 validated assessment for healthcare-specific compliance framework.
Business Associate Agreement
xEHR provides a signed Business Associate Agreement (BAA) to all customers, ensuring HIPAA compliance for the handling of Protected Health Information (PHI). We also maintain a BAA with our cloud infrastructure provider covering all services used to store and process PHI.
Transparency note: xEHR is built on SOC 2 and HITRUST-certified cloud-native infrastructure, but xEHR itself has not yet completed independent SOC 2 or HITRUST audits. We are committed to pursuing these certifications as outlined in our roadmap above. Our current security posture follows HIPAA Technical Safeguards and industry best practices.