VitaAI is built for healthcare — where data integrity, patient privacy, and regulatory compliance aren't optional. Review our security controls, certifications, and compliance documentation.
Infrastructure certifications & compliance — powered by Microsoft Azure
Certification details available at microsoft.com/trust-center
VitaAI implements defense-in-depth across infrastructure, application, and data layers — ensuring PHI is protected regardless of where it resides or transits.
All stored data encrypted with AES-256. Azure Storage Service Encryption applied by default. Customer-managed key (CMK) support via Azure Key Vault available for enterprise accounts.
All data in transit protected with TLS 1.3. Strict HTTPS enforcement with HSTS. Mutual TLS (mTLS) available for API integrations with EHR systems and internal service mesh.
Comprehensive, tamper-evident audit logs for all PHI access events. Logs retained for seven years minimum. Exportable to SIEM systems (Sentinel, Splunk). Real-time alerting on anomalous access patterns.
Least-privilege RBAC with Azure Active Directory integration. Clinician, admin, and read-only roles with granular resource scoping. Just-in-time privileged access for administrative operations.
Sensitive PHI fields (SSN, DOB, diagnosis codes) encrypted individually at the application layer — separate from disk-level encryption — ensuring data is protected even within the database engine.
Multi-factor authentication enforced for all user accounts. SAML 2.0 / OIDC single sign-on for seamless, secure integration with your organization's existing identity provider (Okta, Azure AD, Ping).
Deployed within Azure Virtual Network with private endpoints. No public internet exposure of database or internal services. Azure DDoS Protection Standard enabled. Web Application Firewall (WAF) in front of all endpoints.
Continuous dependency scanning with automated CVE alerting. Penetration testing conducted annually by independent third party. Responsible disclosure program in place for coordinated vulnerability reporting.
Geo-redundant data replication across Azure paired regions. Recovery Point Objective (RPO) of 1 hour. Recovery Time Objective (RTO) of 4 hours. Automated failover tested quarterly.
VitaAI operates as a Business Associate under HIPAA when processing Protected Health Information on behalf of covered entities. We execute a Business Associate Agreement (BAA) with every customer that handles PHI.
Our security posture is validated through annual third-party HIPAA risk assessments aligned with the NIST Cybersecurity Framework and OCR guidance.
VitaAI integrates directly with Epic and other major EHR platforms via industry-standard APIs — no custom interfaces, no shadow copies of data.
VitaAI connects to Epic via the HL7 FHIR R4 API, enabling real-time, bidirectional clinical data exchange without bulk data exports or custom ETL pipelines. Patient data is queried on-demand, minimizing PHI at rest in VitaAI's systems. OAuth 2.0 SMART on FHIR authorization ensures patient-level consent is enforced at the Epic layer.
Download our security documentation to accelerate your organization's vendor assessment and procurement process.
Detailed mapping of VitaAI's administrative, physical, and technical safeguards to the HIPAA Security Rule. (Download PDF)
Executive summary of VitaAI's security program, infrastructure architecture, and compliance posture for procurement teams. (Download PDF)
Standard BAA template for covered entities. Pre-signed by VitaAI. Send to legal for review or request a countersigned copy. (Download PDF)
Vendor questionnaire responses aligned to NIST CSF, CIS Controls v8, and common hospital procurement frameworks. (Download DOCX)
Reference architecture diagrams showing network topology, data flows, integration points, and security boundaries for on-premises and cloud deployments. (Download PDF)
Documents under NDA or not listed above? Contact steven@altnetix.com
Our security team can provide a signed BAA, answer procurement questions, or schedule a technical deep-dive for your IT and compliance teams.