Security and Privacy

We comply with HIPAA Security Rule guidance. Details are below.

Data Security

  • Each customer’s data is stored in a separate database. We enforce access controls at the database level.
  • Our application is read-only except for uploading EDI files, which reduces the risk of SQL injection and other write-path vulnerabilities.
  • The database is password-protected with a complex password that rotates every 90 days.
  • Uploaded files are deleted automatically after processing.
  • If a customer terminates a subscription, we scrub their data and delete their database.
  • All data can be deleted using the “Delete All” button from the file view.
  • We use encrypted disks and encrypted backups (encryption at rest).

Application Security

  • We use NIST-compliant password policies (password complexity, password expiration, etc.).
  • We use the industry leader Okta as our authentication provider. We do not store user credentials in our database.
  • Application APIs are disabled by default. Where enabled, API access is authorized with OAuth 2, which is more secure than API keys.
  • We always use the latest LTS Java release with up-to-date security patches.
  • We support 2FA and passkeys.
  • We use secret vaults to store system-level passwords and keys.

Network/Server Security

  • We apply strict firewall rules; only the HTTPS port is open to the public.
  • We use TLS-encrypted communication, including within our own network.
  • The data and application are hosted on dedicated servers in a separate network isolated from public servers.
  • We follow Linux hardening best practices (root and password logins are disabled, unneeded libraries are removed, role-based access is enforced, etc.).
  • Access to production servers and databases is audited.
  • All servers and databases are patched regularly.
  • All servers are hosted in the U.S.

Code Security

View vulnerabilities and security scores for our Docker container images in our Docker Hub repository.

  • We perform security testing for every release.
  • We scan all third-party dependencies/libraries for vulnerabilities.
  • We use secure Linux images for Docker containers.
  • All dependencies are updated with each release.
  • We perform emergency releases in case of zero-day exploits in third-party libraries.