Trust

Trust & Security at Accurecord

Security and compliance are foundational to how we handle Protected Health Information — not bolted on.

Accurecord handles Protected Health Information (PHI) for medical coding. Security and compliance are foundational, not bolted on.

Compliance status

Framework Status
HIPAA Compliant — BAA available before any PHI is processed
SOC 2 Type II In progress — observation window underway (target Q4 2026)
HITRUST On roadmap

How we protect PHI

  • Encrypted at rest — AES-256-GCM on PHI in our owned tables; secrets in Azure Key Vault.
  • Encrypted in transit — TLS 1.2+ everywhere; HSTS, strict CSP, and security headers on every response.
  • Minimized before AI — identifiers are scrubbed before any LLM call; our LLM subprocessor is configured for zero data retention.
  • BAA-gated — PHI features are disabled until a Business Associate Agreement is signed.
  • Fully audited — every PHI access is written to a HIPAA Accounting-of-Disclosures ledger (45 CFR §164.528) and is customer-exportable (CSV / FHIR AuditEvent).
  • Access controlled — per-organization tenancy, hashed API keys with tiered access, enterprise SSO (OIDC, SAML), SCIM provisioning, and automatic blocking of credential-stuffing IPs.

Subprocessors

All subprocessors and their level of PHI access are listed below. See our full subprocessor list for data categories, processing regions, and each vendor's trust documentation.

Subprocessor Purpose PHI access
Microsoft Azure Hosting (Container Apps, PostgreSQL, Key Vault) Yes — BAA signed
OpenAI LLM coding inference on PHI-scrubbed input Limited — BAA signed, zero-retention
Cloudflare CDN, DNS, DDoS protection, edge WAF No — transit metadata only
Stripe Billing No
Twilio Verify SMS one-time passcodes (account verification) No
Google / Microsoft OAuth Federated sign-in No

Subscribe for subprocessor-change notifications: [email protected].

Documents

Report a vulnerability

Email [email protected]. We acknowledge reports within 2 business days and do not pursue good-faith researchers who follow coordinated disclosure.