Enterprise-Grade Security

Your patients' data is protected by industry-leading security infrastructure, encryption, and access controls.

Security Controls in Place

These are the security measures actively protecting your data today.

HIPAA Compliant

Full compliance with HIPAA Privacy and Security Rules. Business Associate Agreement (BAA) signed with our cloud infrastructure provider. Administrative, physical, and technical safeguards implemented.

AES-256-GCM Encryption

All application-level data encrypted with AES-256-GCM (authenticated encryption). Cloud infrastructure provides additional AES-256 encryption at rest for all storage, databases, and FHIR stores. TLS 1.3 for all data in transit.

Multi-Factor Authentication

TOTP-based MFA enforced for all users across all roles (administrators, providers, and staff). Fail-closed design ensures MFA cannot be bypassed even during system errors.

Audit Logging

Comprehensive audit trails for all data access and modifications. Per-organization isolated audit logs. HIPAA-required event tracking with user, action, timestamp, and IP address.

Role-Based Access Control

Granular RBAC with distinct roles for physicians, nurses, billing staff, administrators, and more. Users only access data required for their role. Immediate deactivation blocks all access.

Physical Data Isolation

Each organization receives a dedicated FHIR store, dedicated PostgreSQL database, and dedicated cloud storage bucket. No shared data stores between tenants. Complete physical isolation.

Infrastructure Security

Built on cloud-native, security-certified infrastructure.

Cloud-Native Architecture

xEHR runs on enterprise-grade cloud infrastructure independently certified under SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, HITRUST CSF r2, and FedRAMP (Moderate ATO). These certifications belong to our infrastructure provider. xEHR's own SOC 2 audit is planned for Q3 2026 (see roadmap below).

FHIR R4 Clinical Data Stores

All clinical data (PHI) is stored in dedicated, HIPAA-compliant FHIR R4 stores with native interoperability, covered under our signed BAA.

Managed Database with Private Networking

PostgreSQL databases run on fully managed cloud infrastructure with automatic encryption at rest (AES-256), automated backups, and high availability configurations.

Compliance Roadmap

Our planned path to additional certifications.

Q3 2026

SOC 2 Type I Audit

Engage a third-party auditor to assess security controls at a point in time.

Q1 2027

SOC 2 Type II Certification

6-month observation period audit for ongoing security control effectiveness.

Q3 2027

HITRUST CSF Assessment

Begin the HITRUST r2 validated assessment, a healthcare-specific compliance framework.

Business Associate Agreement

xEHR provides a signed Business Associate Agreement (BAA) to all customers, ensuring HIPAA compliance for the handling of Protected Health Information (PHI). We also maintain a BAA with our cloud infrastructure provider covering all services used to store and process PHI.

Transparency note: The SOC 2, ISO 27001, HITRUST CSF, and FedRAMP certifications listed above belong to our cloud infrastructure provider — not to xEHR directly. xEHR itself has not yet completed its own independent audits. We are actively pursuing SOC 2 Type I (Q3 2026) and SOC 2 Type II (Q1 2027) as shown in our roadmap. Our current security posture follows HIPAA Technical Safeguards, and we leverage our certified infrastructure as a foundation — including up to 70–85% inherited HITRUST controls when we pursue that certification. We believe transparency here is important: if you need a certified vendor today, please contact us to discuss your specific requirements.