Trust center
Security by default — not a checklist.
PracticeIQ was built to handle PHI from day one. This page has everything your IT, compliance, and legal teams need — no form-gating, no waiting.
HIPAA-aligned (Live): §164.308/310/312 controls applied
BAA standard (Live): Signed before any PHI is processed
PCI-DSS SAQ-A (Live): Stripe-outsourced — no card data ever touches our servers
CSA STAR Level 1 (Live): Self-assessed, listed in the Cloud Security Alliance registry
AWS Well-Architected (Live): 5-pillar assessment run on infra
DMARC enforced (Live): practiceiq.tech, aligned DKIM + SPF
SOC 2 Type 1 (In progress): 35 controls tracked · ~70% ready · Q3 2026
SOC 2 Type 2 (Planned): Targeted Q4 2026
Security policy
Full administrative, physical and technical safeguards, breach response, staff training.
Read policy →
Subprocessor list
Every vendor that touches PHI, with DPA + BAA status and data classification.
View list →
Pen test summary
Independent third-party penetration test. Latest report available under NDA.
Request under NDA →
SIG Lite questionnaire
Pre-filled Standardized Information Gathering questionnaire. Saves your IT review 2 weeks.
Request SIG →
Data processing addendum
DPA (GDPR/CCPA-ready). Execute in parallel with the MSA for EU-adjacent customers.
Request DPA →
The posture, in one glance
Hosting: Vercel + Supabase, US-East + US-West regions
Data at rest: AES-256 (Supabase TDE) + SSE-KMS for cold archives
Data in transit: TLS 1.3 everywhere, HSTS enforced
Vendor credentials: AES-256-GCM envelope encryption for PMS credentials (per-secret DEK wrapped by a KEK; authentication tags detect tampering)
Tenant isolation: Row-level security on every PHI table; DSO parent-child relationships via the organizations table; RLS policies audited
Access control: MFA required; hardware keys for the internal team; JWT-scoped sessions
Audit: Every PHI access written to an immutable audit_log, 6-year retention. 35 SOC 2 controls auto-collect daily evidence.
Backup: Supabase PITR (35-day window) + nightly off-region snapshots
Incident response: SEV-0/1/2/3 runbook; 15-minute paging; customer notification within 60 minutes
Breach notification: HIPAA § 164.410 compliant, 60-day maximum, same-day for SEV-0
Pen testing: Annual third-party test + ongoing Vercel WAF + Dependabot
Employee training: Annual HIPAA awareness + phishing drills, logged
Vendor management: BAA/DPA on file for every subprocessor before go-live. 10+ subprocessors catalogued.
Webhook integrity: Idempotency table rejects replays; signature verification on every inbound webhook
Languages supported: English, Spanish, Portuguese, Chinese, Vietnamese, Korean, Arabic
Large group / DSO?
We'll run your whole IT security review ourselves.
Send us your vendor questionnaire. We turn it around in 2 business days — or pick the whole SIG package below.