Security & Compliance

Built like the systems your auditors trust.

All Health HR AI is engineered around HIPAA, SOC 2, and the practical reality of a 72-hour state survey. Every PHI access, every credential change, every exception - logged, signed, and ready to export.

HIPAA-Compliant · SOC 2 Ready · AES-256 · GCP US-only · BAA included

HIPAA-Compliant

Every workload runs under a signed BAA. PHI is encrypted, access-controlled, and audited end-to-end. Workforce training, incident response, and breach notification follow §164.530 administrative safeguards.

SOC 2 Ready

Controls mapped to the AICPA Trust Services Criteria - Security, Availability, Confidentiality, Processing Integrity, and Privacy. SOC 2 Type II report available under NDA.

AES-256 Encryption

Data at rest encrypted with AES-256 (Google Cloud KMS-managed keys). Data in transit secured with TLS 1.3. Application-layer field encryption for PII and credential numbers.

Compliance Checklist

The controls your auditor will ask for.

Mapped to HIPAA Security Rule §164.308–§164.312 and SOC 2 Trust Services Criteria. Full evidence available under NDA.

Administrative
  • Signed Business Associate Agreement (BAA)
  • Background-checked workforce, annual HIPAA training
  • Documented incident response & breach notification plan
  • Quarterly access reviews; least-privilege by default
Technical
  • AES-256 encryption at rest, TLS 1.3 in transit
  • Mandatory 2FA for all customer & employee accounts
  • SSO (SAML 2.0) and SCIM provisioning on Scale plan and above
  • Row-level security isolating every tenant's PHI
  • Vulnerability scans weekly; pentest annually
Physical & Operational
  • Hosted on Google Cloud Platform (US regions, ISO 27001)
  • 99.9% uptime SLA with regional failover
  • Daily encrypted backups, 35-day point-in-time recovery
  • Offboarding revokes access within 15 minutes

Audit Log

An immutable record of every action.

The audit log is the heart of perpetual readiness. It's append-only, tenant-scoped, and structured for survey export from day one.

audit_log · sample event · streaming
actor_id: usr_8f2…c1a
actor_role: compliance_officer
action: credential.verified
resource: credential:rn-784221
ip_address: 203.0.113.42
tenant_id: agency_42b…
ts: 2026-04-22T14:08:11Z
diff: { status: pending → verified }

Streamed to your BigQuery dataset within 60 seconds.

Every action, captured

Logins, document uploads, verifications, escalations, role changes, and exports - all immutable and tenant-scoped.

Streamed to BigQuery

Logs replicate to your own BigQuery dataset for long-term retention, custom queries, and SIEM ingest.

Tamper-evident

Append-only log with daily SHA-256 chain hashes. Any modification breaks the chain and triggers an alert.
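
One way a daily SHA-256 chain like the one described above can be built and checked, as an added example that is not All Health HR AI's own code. The serialization, the genesis value, and the way each day's hash folds in the previous day's hash are assumptions, and the events are constructed.

```python
import hashlib
import json
from itertools import groupby

GENESIS = "0" * 64  # assumed seed for the first day's link


def canonical(event: dict) -> bytes:
    # Stable serialization so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def daily_chain(events: list[dict]) -> list[tuple[str, str]]:
    """Return [(day, chain_hash)]; each hash also covers the previous day's hash."""
    chain, prev = [], GENESIS
    ordered = sorted(events, key=lambda e: e["ts"])
    for day, group in groupby(ordered, key=lambda e: e["ts"][:10]):
        h = hashlib.sha256(bytes.fromhex(prev))
        for event in group:
            h.update(hashlib.sha256(canonical(event)).digest())
        prev = h.hexdigest()
        chain.append((day, prev))
    return chain


def first_broken_day(events, published):
    """Compare recomputed hashes with the published ones; None means intact."""
    recomputed = dict(daily_chain(events))
    for day, expected in published:
        if recomputed.get(day) != expected:
            return day
    return None


# Constructed sample events; roles, actions and resources are illustrative.
EVENTS = [
    {"ts": "2026-04-21T09:15:00Z", "actor_role": "hr_admin",
     "action": "document.uploaded", "resource": "credential:rn-000001"},
    {"ts": "2026-04-22T14:08:11Z", "actor_role": "compliance_officer",
     "action": "credential.verified", "resource": "credential:rn-000001"},
    {"ts": "2026-04-23T08:00:00Z", "actor_role": "hr_admin",
     "action": "role.changed", "resource": "user:example"},
]
PUBLISHED = daily_chain(EVENTS)  # stands in for hashes stored out of band

if __name__ == "__main__":
    tampered = [dict(e) for e in EVENTS]
    tampered[1]["action"] = "credential.rejected"  # simulated edit
    print(first_broken_day(EVENTS, PUBLISHED))
    print(first_broken_day(tampered, PUBLISHED))
```

The check is only as strong as the separation between the log and the published hashes: if both live where the same account can rewrite them, a modified log can be re-chained without a mismatch.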

Survey export in one click

Generate a signed PDF audit trail filtered by employee, date range, or finding - ready to hand to a surveyor.

99.9% uptime SLA
AES-256 at rest
Mandatory 2FA
BAA included
BigQuery export
Google Cloud US

Want our SOC 2 report or BAA template?

Book a demo and we'll send the security packet ahead of the call.