Built for HIPAA-grade security and auditability.
Pre-empt IT and compliance blockers. DocuFindr is built from the ground up to protect ePHI and sensitive commercial data, following HIPAA Security Rule requirements.
HHS describes the HIPAA Security Rule as establishing national security standards and requiring administrative, physical, and technical safeguards for electronic protected health information (ePHI).
Security controls
Encryption at Rest & In Transit
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Encryption keys are managed with industry-standard key management practices.
Access Control & RBAC
Granular role-based access control ensures users only see the workflows and PHI/PII they are authorised to process. SSO/SAML integration is supported.
Immutable Audit Logs
Every document view, field edit, workflow action, and status change is logged in immutable, tamper-evident audit trails. Designed for HIPAA compliance reviews.
Data Minimisation
Configurable retention policies automatically purge or redact documents after processing, minimising your attack surface and data liability.
Monitoring & Alerting
Continuous monitoring for anomalous access patterns and potential security events, with real-time alerts for administrative oversight.
Infrastructure Security
Deployed on SOC 2-compliant cloud infrastructure with network segmentation, DDoS protection, and regular penetration testing.
HIPAA Security Rule alignment
The HIPAA Security Rule requires three categories of safeguards. Here is how DocuFindr addresses each:
Administrative Safeguards
- Security management processes
- Workforce training & awareness
- Information access management
- Contingency planning & backups
- Regular security evaluations
Physical Safeguards
- Facility access controls
- Workstation security policies
- Device and media controls
- SOC 2-compliant data centres
- Physical access logging
Technical Safeguards
- Access control (unique user IDs)
- Audit controls & logging
- Integrity controls for ePHI
- Transmission security (TLS)
- Encryption at rest (AES-256)
Certifications & compliance
- HIPAA: BAA available on request
- SOC 2 Type II: Unspecified - confirm during security review
- HITRUST: Unspecified - confirm during security review
- Business Associate Agreement: Available for all customers processing ePHI
Where specific certifications are noted as "Unspecified," DocuFindr will provide documentation and evidence during the security review phase of a pilot engagement.
Need a detailed security review?
Every pilot engagement includes a security review pack. For immediate questions, our engineering team is available for a dedicated security and compliance call.