Workers' compensation claims contain medical records and personal health information. AdjudiCLAIMS is built to satisfy HIPAA technical safeguard requirements, SOC 2 Type II controls, and California data protection law.
TLS 1.3: In-Transit Encryption
AES-256: At-Rest Encryption
SOC 2: Type II Compliance Path
HIPAA: Covered Entity Ready
7 yrs: Immutable Audit Retention
MFA: Required for All Users
HIPAA Compliance
Workers' compensation claims are not automatically subject to HIPAA, but they contain medical records that deserve the same level of protection. AdjudiCLAIMS is designed to satisfy HIPAA's technical safeguard requirements.
AdjudiCLAIMS collects only what is necessary to process claims. Medical content is processed for extraction but never stored in logs. Document IDs are logged, not content.
The audit log records user actions and document IDs only. No PHI — no diagnoses, no medical histories, no personal health information — appears in any log entry.
Examiners access only claims assigned to them. Supervisors see their team. Admins see the organization. Cross-tenant access is architecturally impossible.
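The two controls above, scoped claim visibility and an audit log that carries identifiers but no PHI, as an added example. This is illustrative Python written for this page, not AdjudiCLAIMS code; the `User` and `Claim` fields, the role names and the audit field names are assumptions. The tenant comparison runs before any role logic, and the audit function rejects unknown fields outright instead of redacting them, so a code path that tries to log extracted content fails in testing rather than leaking in production.

```python
"""Tenant-scoped claim access plus a PHI-free audit log (added example, hypothetical code)."""
from __future__ import annotations
import json
import time
from dataclasses import dataclass


# Constructed types; field names are assumptions, not the product's schema.
@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    role: str        # "examiner", "supervisor" or "admin"
    team_id: str


@dataclass(frozen=True)
class Claim:
    claim_id: str
    tenant_id: str
    team_id: str
    assigned_examiner_id: str


def can_view_claim(user: User, claim: Claim) -> bool:
    """Examiners see assigned claims, supervisors their team, admins the organisation.
    The tenant check runs first and is never skipped, so a role can only widen
    visibility inside the caller's own tenant."""
    if user.tenant_id != claim.tenant_id:
        return False
    if user.role == "admin":
        return True
    if user.role == "supervisor":
        return user.team_id == claim.team_id
    if user.role == "examiner":
        return user.user_id == claim.assigned_examiner_id
    return False  # unknown roles get nothing: deny by default


# Allow-list of audit fields: identifiers and outcomes only. Anything else
# (extracted text, diagnoses, names) is refused rather than redacted.
AUDIT_FIELDS = frozenset({"actor_id", "action", "claim_id", "document_id", "outcome"})
REQUIRED_FIELDS = frozenset({"actor_id", "action"})


def audit_entry(**fields: str) -> str:
    """Serialise one audit line; raises if a non-allow-listed field is supplied."""
    disallowed = set(fields) - AUDIT_FIELDS
    if disallowed:
        raise ValueError(f"refusing to log non-allow-listed fields: {sorted(disallowed)}")
    missing = REQUIRED_FIELDS - set(fields)
    if missing:
        raise ValueError(f"audit entry missing required fields: {sorted(missing)}")
    entry = {"ts": int(time.time()), **fields}
    return json.dumps(entry, sort_keys=True)


def record_claim_view(user: User, claim: Claim) -> tuple[bool, str]:
    """Authorisation decision plus the audit line for it; denials are logged too."""
    allowed = can_view_claim(user, claim)
    line = audit_entry(actor_id=user.user_id, action="claim.view",
                       claim_id=claim.claim_id, outcome="allow" if allowed else "deny")
    return allowed, line


if __name__ == "__main__":
    examiner = User("u1", "t1", "examiner", "teamA")
    claim = Claim("c1", "t1", "teamA", "u1")
    print(record_claim_view(examiner, claim))
```

Logging the deny outcome alongside the allow outcome is what makes the anomaly detection described further down possible: a burst of denied `claim.view` entries from one actor is the signal to alert on, and it can be raised without any claim content in the log.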
Business Associate Agreements are available for enterprise customers. Our cloud infrastructure is covered under our provider's BAA.
DSAR export and right-to-deletion workflows are built in. Examiners can export their data. Admins can execute deletion requests per CCPA/CPRA.
7-year retention for claims-related data per California LC § 3762. Automatic expiry enforcement. Data is not kept longer than required by statute.
Infrastructure
Every service runs with dedicated credentials, private networking, and immutable deployments — no shared accounts, no public database endpoints, no SSH access to production.
All credentials in a dedicated secrets vault. No API keys in environment variables, code, or configuration files. Secrets accessed at runtime only, per-service.
Database on private IP — no public endpoint. All services communicate over a private network only. No direct internet access to the database tier.
Each service has its own dedicated credential with minimum required permissions. No shared service accounts. Principle of least privilege enforced throughout.
Deploys are immutable container images. No SSH access to production. All changes go through CI/CD with automated test gates before reaching any environment.
Cloud Logging + Monitoring on every HTTP request and AI call. Anomaly detection for unusual access patterns. Automated alerts for security events.
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy enforced on all responses. OWASP Top 10 mitigations applied by default.
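One way to enforce that header set on every response, including error pages, is a WSGI middleware that adds the headers at the `start_response` boundary. The code below is an added example for this page, not the product's code: the page lists which headers are enforced but not their values, so the values in `SECURITY_HEADERS` are assumptions (a restrictive starting point to be tuned to the application), and `hello_app` and `call_wsgi` are constructed stand-ins for the real application and client.

```python
"""Security-header middleware for WSGI (added example, hypothetical values)."""
from __future__ import annotations
from typing import Iterable

# Assumed values: the page names these headers but does not give their settings.
SECURITY_HEADERS: dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; "
                               "frame-ancestors 'none'; base-uri 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def add_security_headers(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Append each security header the app has not already set (names are case-insensitive)."""
    present = {name.lower() for name, _ in headers}
    return headers + [(n, v) for n, v in SECURITY_HEADERS.items() if n.lower() not in present]


def missing_security_headers(headers: Iterable[tuple[str, str]]) -> list[str]:
    """Names from SECURITY_HEADERS absent from a response; useful as a CI/CD test gate."""
    present = {name.lower() for name, _ in headers}
    return [n for n in SECURITY_HEADERS if n.lower() not in present]


class SecurityHeadersMiddleware:
    """Wraps any WSGI app; every response, 200 or 500, passes through here."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, add_security_headers(list(headers)), exc_info)
        return self.app(environ, wrapped_start_response)


def hello_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"claims portal\n"]


def call_wsgi(app, path: str = "/") -> tuple[str, list[tuple[str, str]], bytes]:
    """Minimal in-process WSGI client; returns (status, headers, body)."""
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "https"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = call_wsgi(SecurityHeadersMiddleware(hello_app))
    print(status, missing_security_headers(headers) or "all security headers present")
```

`missing_security_headers` is the piece worth wiring into the automated test gates mentioned in the deployment section: a test that fetches an error page as well as a normal page and asserts the list is empty catches the common regression where a framework's error handler bypasses the middleware.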
SOC 2 Type II
AdjudiCLAIMS is built to the SOC 2 Type II standard. Our controls span CC6 (Logical Access), CC7 (System Operations), and CC8 (Change Management).
SOC 2 CC6: Logical & Physical Access
SOC 2 CC7: System Operations
SOC 2 CC8: Change Management
Authentication
No bypass option. No exceptions. TOTP is required on every login for every account.
All users must configure a TOTP authenticator app (Google Authenticator, Authy, 1Password). TOTP is required on every login — no bypass option available.
5 failed login attempts trigger lockout. Unlocking requires email verification plus supervisor notification for claims examiner accounts.
Passwords must be at least 12 characters and meet complexity requirements; they are hashed with bcrypt at cost factor 12, and checked against the HaveIBeenPwned API for known breaches at registration.
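The registration-time checks in that paragraph, as an added example written for this page rather than taken from the product. The length check is the page's 12-character minimum; the "three of four character classes" rule is an assumption, since the page does not spell out its complexity requirements. The breach lookup uses the k-anonymity model of the real HaveIBeenPwned range API (only the first five hex characters of the SHA-1 leave the server; the suffixes come back and are matched locally), but the range response here is a constructed offline stand-in, and the bcrypt hashing step is left as a comment so the example runs without the `bcrypt` package.

```python
"""Password policy with k-anonymity breach lookup (added example, constructed data)."""
from __future__ import annotations
import hashlib
import re
from typing import Callable

MIN_LENGTH = 12
# Assumption: "complexity" means at least three of these four classes.
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
MIN_CLASSES = 3


def complexity_problems(password: str) -> list[str]:
    """Local checks that need no network call; returns reasons to reject."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(classes) < MIN_CLASSES:
        problems.append(f"uses only {len(classes)} of {len(CHARACTER_CLASSES)} character classes")
    return problems


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and the 35-char suffix that is not."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity lookup: fetch every suffix for the prefix, compare ours locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


# Constructed offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
# The real response is one "SUFFIX:COUNT" line per known suffix under that prefix.
_KNOWN_BREACHED = "Password123!abc"          # constructed "breached" sample
_BREACHED_SUFFIX = sha1_prefix_suffix(_KNOWN_BREACHED)[1]
_SAMPLE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed filler suffix
    f"{_BREACHED_SUFFIX}:4213",                 # constructed count
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:9",   # constructed filler suffix
])


def sample_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTP call; asserts that only the 5-char prefix is ever sent."""
    assert len(prefix) == 5
    return _SAMPLE_RANGE_RESPONSE


def validate_new_password(password: str,
                          range_lookup: Callable[[str], str] = sample_range_lookup) -> list[str]:
    """Empty list means the password may be stored; the caller then hashes it with
    bcrypt at cost 12, e.g. bcrypt.hashpw(pw.encode(), bcrypt.gensalt(rounds=12)).
    The network lookup runs only after the cheap local checks pass."""
    problems = complexity_problems(password)
    if not problems:
        seen = breach_count(password, range_lookup)
        if seen:
            problems.append(f"appears in {seen} known breaches")
    return problems


if __name__ == "__main__":
    for pw in ("short", _KNOWN_BREACHED, "correct-Horse-battery-7"):
        print(repr(pw), validate_new_password(pw) or "accepted")
```

Two things to keep from this shape in a real deployment: the plaintext password is never written anywhere (only its SHA-1 prefix is sent, and only the bcrypt hash is stored), and a failed or slow range lookup should fail closed at registration, since the check is cheap to retry and silently skipping it defeats the control.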
30-minute idle timeout. Session tokens in HttpOnly secure cookies. CSRF protection on all state-changing endpoints.
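The login controls in this section put together, as an added example for this page and not the product's implementation: mandatory TOTP on every login, lockout after 5 failed attempts with email-verified unlock and supervisor notification for examiners, and a 30-minute sliding idle timeout. The TOTP code is a straight RFC 4226/6238 implementation over HMAC-SHA1 (checked against the RFC test secret), so it runs offline. Assumptions: both a wrong password and a wrong TOTP count toward the lockout threshold, the `Account` and `Session` fields are invented, and `verify_password` is injected in place of `bcrypt.checkpw` so the `bcrypt` package is not required.

```python
"""Login flow: mandatory TOTP, lockout after 5 failures, 30-minute idle timeout (added example)."""
from __future__ import annotations
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Optional

MAX_FAILED_ATTEMPTS = 5
IDLE_TIMEOUT_SECONDS = 30 * 60
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, at // TOTP_STEP_SECONDS)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift, comparing in constant time."""
    if len(code) != TOTP_DIGITS or not code.isdigit():
        return False
    return any(hmac.compare_digest(totp(secret, at + d * TOTP_STEP_SECONDS), code)
               for d in range(-window, window + 1))


@dataclass
class Account:                      # constructed; field names are assumptions
    username: str
    role: str                       # "examiner", "supervisor" or "admin"
    totp_secret: bytes              # enrolment is mandatory: no account without a secret
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    username: str
    last_seen: int


def login(account: Account, password: str, totp_code: str, now: int,
          verify_password: Callable[[Account, str], bool]) -> tuple[str, Optional[Session]]:
    """Returns (status, session). verify_password stands in for bcrypt.checkpw against
    the stored cost-12 hash. Both factors are always evaluated and there is no
    code path that issues a session without a valid TOTP."""
    if account.locked:
        return "locked", None
    password_ok = verify_password(account, password)
    totp_ok = verify_totp(account.totp_secret, totp_code, now)
    if not (password_ok and totp_ok):
        # Assumption: a wrong password and a wrong TOTP both count as a failed attempt.
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            return "locked", None
        return "denied", None
    account.failed_attempts = 0
    return "ok", Session(account.username, now)


def unlock(account: Account, email_verified: bool) -> list[str]:
    """Unlock needs email verification; examiner unlocks also notify the supervisor.
    Returns the events a real system would dispatch (empty if nothing happened)."""
    if not email_verified:
        return []
    account.locked = False
    account.failed_attempts = 0
    events = ["account.unlocked"]
    if account.role == "examiner":
        events.append("notify.supervisor")
    return events


def touch_session(session: Session, now: int) -> bool:
    """Sliding idle timeout: refuse once 30 minutes have passed with no activity."""
    if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
        return False
    session.last_seen = now
    return True
```

The session object here is what would be carried in the HttpOnly, Secure cookie (as an opaque server-side session id, not the dataclass itself); the idle check belongs in the same request middleware that enforces the CSRF token on state-changing endpoints, so an expired session is rejected before any handler runs.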