MedIQ
Security & trust

Built for HIPAA. Designed for auditors.

MedIQ was architected as a multi-tenant healthcare platform from line one. Every layer — database, application, AI — enforces tenant isolation and the principle of least privilege.

HIPAA detailRequest BAA
Tenant isolation by default

Every row carries a tenant_id and Postgres Row-Level Security enforces who can see what. There is no application-only filter that an SQL injection could bypass.

Encryption at rest & in transit

TLS 1.2+ everywhere. Database storage encrypted at rest. Per-tenant LLM API keys encrypted with AES-256-GCM using per-record IVs.

Role-based access

Super admin, tenant admin, biller, provider, front desk, and auditor roles. Sensitive surfaces (secrets, billing, role changes) gated server-side.

Audit log of every change

Status transitions, role grants, secret rotations, scrubber decisions — all written to an append-only audit log keyed by tenant.

No PHI in AI prompts

We de-identify before any model call. Prompts log only input hash, model version, and decision — never patient identifiers.

BAA + SOC 2 (in progress)

Signed Business Associate Agreement available before any PHI flows. SOC 2 Type II audit in progress; report available under NDA.

Backups & DR

Point-in-time recovery up to 7 days on Growth, 30 days on Enterprise. Tested restore drills quarterly.

Infrastructure

Hosted on enterprise cloud providers with SOC 2 / HIPAA-eligible services. Dedicated VPC option on Enterprise.

Responsible disclosure

We publish a security.txt and operate a coordinated-disclosure program. Email security@cybergenai.com.

Engineering posture

Defense in depth, applied to billing data.

Every change is code-reviewed, every dependency is automatically scanned, and every deploy is reproducible. Migrations are versioned and applied with idempotent SQL.

  • Mandatory MFA for all staff
  • SSO (SAML/OIDC) on Enterprise
  • Secret scanning on every commit
  • SAST + dependency scanning in CI
  • Production access reviewed quarterly
  • Vendor reviews tracked in writing
  • Penetration test annually
  • Incident response runbook + on-call

Need a vendor security review?

We can share our security overview, sub-processor list, and a draft BAA under NDA. Most reviews close in under a week.

Request security packHIPAA detail