Trust Center
How we protect your data and maintain the highest standards of security and privacy.
Security Architecture
- Encryption at Rest: All data encrypted with AES-256. Passwords hashed with Argon2id. Database encrypted at the storage layer (AWS RDS).
- Encryption in Transit: All connections use TLS 1.2 or higher. No unencrypted data transmission between any system components.
- Network Isolation: Services run in isolated VPC environments with security group restrictions. No public database access.
- Authentication: JWT-based authentication with 15-minute session timeouts. Service-to-service communication via API key authentication.
Data Flow
1. Upload: Bill image encrypted and stored temporarily
2. OCR Processing: Text extracted in memory, image not retained after extraction
3. Analysis: Charges compared against federal benchmark databases
4. Results: Findings stored encrypted, associated with your account
5. Dispute (if authorized): Letters generated and delivered via encrypted channels
6. Archive / Delete: Case files archived per retention policy, then deleted
Subprocessor Categories
All third-party services that handle protected health information (PHI) have executed Business Associate Agreements (BAAs).
| Category | Purpose | BAA |
|---|---|---|
| Cloud Infrastructure | Compute, storage, database hosting | Yes |
| Payment Processing | Credit card handling (PCI-DSS Level 1) | Yes |
| Communication Delivery | Fax, email, voice, and mail dispatch | Yes |
| Document Processing | OCR and text extraction | Yes |
| CDN & DNS | Content delivery and domain management | N/A — no PHI |
Data Retention Schedule
| Data Type | Retention | After Retention |
|---|---|---|
| Bill images (no account) | Deleted immediately after scan | Permanently deleted |
| Bill images (account, no case) | 30 days | Permanently deleted |
| Case files (after closure) | 90 days | Permanently deleted |
| HIPAA authorization records | 6 years | Archived, then deleted |
| Legal/dispute documents | 6 years | Archived (Glacier), then deleted |
| De-identified analytics | Indefinite | All 18 HIPAA identifiers removed |
| Account data (after closure) | 30 days | Permanently deleted |
| Audit logs | 6 years | Archived |
Access Controls
- Role-based access control (RBAC) — consumers see only their own data
- Admin access restricted to anonymized aggregates for platform operations
- No employee access to raw PHI without an immutable audit log entry
- Minimum necessary access principle applied at every level
- 15-minute session timeouts with automatic re-authentication
Incident Reporting
If you believe there has been a security incident or unauthorized access to your data, contact us immediately:
Contact Support — select "HIPAA / Privacy Concern" as the subject.
We acknowledge security reports within 24 hours and provide an initial assessment within 72 hours.
Data Deletion
You can request deletion of your data at any time via our contact form. Deletion is completed within 30 days, except for records we are legally required to retain (HIPAA authorization records — 6 years).
Audit Logging
All access to protected health information is recorded in immutable audit logs. Logs include: who accessed the data, when, what was accessed, and from where. Audit logs are retained for 6 years per HIPAA requirements.
Compliance Status
Current
- HIPAA compliant (Privacy, Security, Breach Notification Rules)
- BAAs with all PHI-handling subprocessors
- AES-256 encryption at rest, TLS 1.2+ in transit
- Immutable audit logging
Roadmap
- SOC 2 Type II audit
- HITRUST CSF certification
- Annual third-party penetration testing