Security & HIPAA
Workers' compensation claims contain medical records and personal health information. AdjudiCLAIMS is built with HIPAA-grade security from the ground up.
Built for PHI from Day One
Workers' compensation claims are not automatically subject to HIPAA, but they contain medical records that deserve the same level of protection. AdjudiCLAIMS is designed to satisfy HIPAA's technical safeguard requirements.
Data Minimization
AdjudiCLAIMS collects only what is necessary to process claims. Medical content is processed for extraction but never stored in logs. Document IDs are logged, not content.
PHI Never Logged
The audit log records user actions and document IDs only. No PHI — no diagnoses, no medical histories, no personal health information — appears in any log entry.
Role-Based Access
Examiners access only claims assigned to them. Supervisors see their team. Admins see the organization. Cross-tenant access is architecturally impossible.
BAA Ready
Business Associate Agreements are available for enterprise customers. Our GCP infrastructure (Cloud Run, Cloud SQL, Secret Manager) is covered under Google's BAA.
Right to Deletion
DSAR export and right-to-deletion workflows are built in. Examiners can export their data. Admins can execute deletion requests per CCPA/CPRA.
Retention Policy
7-year retention for claims-related data per California LC § 3762. Automatic expiry enforcement. Data is not kept longer than required.
GCP — Zero-Trust Architecture
Secrets Management
All credentials in GCP Secret Manager. No API keys in environment variables, code, or configuration files. Secrets are accessed at runtime only, per-service.
Private Network
Cloud SQL on private IP — no public database endpoint. Cloud Run services communicate over VPC only. No direct internet access to the database tier.
Least Privilege IAM
Each service has its own dedicated service account with the minimum required permissions. No shared service accounts. The Compute Engine default service account is not used.
Immutable Infrastructure
Cloud Run deploys are immutable container images. No SSH access to production. All changes go through Cloud Build CI/CD with test gates.
Continuous Monitoring
Cloud Logging + Monitoring on every HTTP request and AI call. Anomaly detection for unusual access patterns. Automated alerts for security events.
Security Headers
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy enforced on all responses. OWASP Top 10 mitigations applied by default.
SOC 2 Type II — In Progress
AdjudiCLAIMS is built to the SOC 2 Type II standard from day one. Our controls span CC6 (Logical Access), CC7 (System Operations), and CC8 (Change Management).
Multi-Factor Authentication — Required
TOTP (Time-Based OTP)
All users must configure a TOTP authenticator app (Google Authenticator, Authy, 1Password). TOTP is required on every login — no bypass option.
Account Lockout
5 failed login attempts trigger a lockout. Unlocking requires email verification plus supervisor notification for claims examiner accounts.
Password Policy
Minimum 12 characters with complexity requirements, bcrypt hashing with cost factor 12, and breach detection via the HaveIBeenPwned API at registration.
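As an added illustration of the registration check described above (example code, not AdjudiCLAIMS's own), the policy validation and the HaveIBeenPwned k-anonymity range lookup: only the first five hex characters of the password's SHA-1 ever leave the server, and the remaining 35 are matched locally against the range response. The HTTP call to the range API is left out; a constructed response stands in for it, the three-of-four character-class rule is an assumption, and the bcrypt call named in a comment assumes the `bcrypt` library.

```python
import hashlib
import re

MIN_LENGTH = 12  # from the stated policy; the complexity rule below is an assumption

def policy_violations(password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    # Assumed complexity rule: at least three of four character classes.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    if sum(1 for c in classes if re.search(c, password)) < 3:
        violations.append("needs at least three of: lowercase, uppercase, digit, symbol")
    return violations

def hibp_prefix_and_suffix(password: str) -> tuple[str, str]:
    """SHA-1 the password as HIBP does: only the 5-char prefix is sent to the
    range API; the remaining 35 chars are matched locally (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_response: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line); 0 when the suffix is absent."""
    _, suffix = hibp_prefix_and_suffix(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def registration_check(password: str, range_response: str) -> tuple[bool, list[str]]:
    """Policy check plus breach lookup. A passing password would then be stored
    with bcrypt.hashpw(pw, bcrypt.gensalt(rounds=12)); bcrypt is assumed, not imported."""
    reasons = policy_violations(password)
    hits = breach_count(password, range_response)
    if hits:
        reasons.append(f"found in {hits} known breaches")
    return (not reasons, reasons)

# Constructed sample: a "breached" password and a fake range response listing its
# suffix among other made-up suffixes, standing in for the live API reply.
SAMPLE_BREACHED_PASSWORD = "Winter2024Claims!"
_, _breached_suffix = hibp_prefix_and_suffix(SAMPLE_BREACHED_PASSWORD)
SAMPLE_RANGE_RESPONSE = f"0018A45C4D1DEF81644B54AB7F969B88D65:3\n{_breached_suffix}:15287\n011053FD0102E94D6AE2F8B83D76FAAF3A2:5"
```

In production the range response comes from the HIBP `range/{prefix}` endpoint for the password's own prefix; the parsing and matching are otherwise identical.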
Session Security
30-minute idle timeout. Session tokens in HttpOnly secure cookies. CSRF protection on all state-changing endpoints.
Request our security documentation
Security questionnaires, penetration test reports, and SOC 2 documentation available under NDA.
Contact Security Team