VitaAI is built for healthcare — where data integrity, patient privacy, and regulatory compliance aren't optional. Review our security controls, certifications, and compliance documentation.
Infrastructure certifications & compliance — powered by Microsoft Azure
Certification details available at microsoft.com/trust-center
VitaAI implements defense-in-depth across infrastructure, application, and data layers — ensuring PHI is protected regardless of where it resides or transits.
All stored data encrypted with AES-256. Azure Storage Service Encryption applied by default. Customer-managed key (CMK) support via Azure Key Vault available for enterprise accounts.
All data in transit protected with TLS 1.3. Strict HTTPS enforcement with HSTS. Mutual TLS (mTLS) available for API integrations with EHR systems and internal service mesh.
Comprehensive, tamper-evident audit logs for all PHI access events. Logs retained for seven years minimum. Exportable to SIEM systems (Sentinel, Splunk). Real-time alerting on anomalous access patterns.
Least-privilege RBAC with Azure Active Directory integration. Clinician, admin, and read-only roles with granular resource scoping. Just-in-time privileged access for administrative operations.
Sensitive PHI fields (SSN, DOB, diagnosis codes) encrypted individually at the application layer — separate from disk-level encryption — ensuring data is protected even within the database engine.
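The field-level protection described above, as an added example that is not VitaAI's code: each PHI field is sealed with AES-256-GCM (the algorithm named in the cryptographic standards below) and bound through additional authenticated data to the patient row and column it belongs to, so a ciphertext copied from one patient's row cannot be decrypted under another, and a tampered value fails authentication. The Azure Key Vault key source is replaced by a hypothetical in-memory key; patient IDs and the SSN are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// FieldCipher encrypts one PHI field (SSN, DOB, diagnosis code) at a time with AES-256-GCM.
// The page keeps the key in Azure Key Vault; here an in-memory [32]byte key (hypothetical stand-in) is used.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key [32]byte) *FieldCipher {
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)   // cannot fail for AES's 16-byte block
	return &FieldCipher{aead: aead}
}

// aad binds a ciphertext to its row and column: a value copied into another
// patient's row, or into another field, fails authentication on decrypt.
func aad(patientID, field string) []byte { return []byte(patientID + "|" + field) }

// Encrypt returns hex(nonce || ciphertext || tag), storable in a text column.
func (c *FieldCipher) Encrypt(patientID, field, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nonce, nonce, []byte(plaintext), aad(patientID, field))
	return hex.EncodeToString(sealed), nil
}

// Decrypt fails if the stored value was altered or is presented under a different row or field.
func (c *FieldCipher) Decrypt(patientID, field, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	ns := c.aead.NonceSize()
	if err != nil || len(raw) < ns+c.aead.Overhead() {
		return "", fmt.Errorf("malformed ciphertext for %s.%s", patientID, field)
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], aad(patientID, field))
	return string(pt), err
}

func main() {
	fc := NewFieldCipher([32]byte{})                          // constructed all-zero demo key
	ssn, _ := fc.Encrypt("patient-001", "ssn", "123-45-6789") // constructed sample value
	fmt.Println(fc.Decrypt("patient-002", "ssn", ssn))        // same ciphertext, wrong row: error
}
```

Because the AAD includes the row identifier, a database-level attacker who can read or rewrite cells, but not reach the application key, gets neither plaintext nor a usable value to transplant between records.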
Multi-factor authentication enforced for all user accounts. SAML 2.0 / OIDC single sign-on for seamless, secure integration with your organization's existing identity provider (Okta, Azure AD, Ping).
Deployed within Azure Virtual Network with private endpoints. No public internet exposure of database or internal services. Azure DDoS Protection Standard enabled. Web Application Firewall (WAF) in front of all endpoints.
Continuous dependency scanning with automated CVE alerting. Penetration testing conducted annually by an independent third party. Responsible disclosure program in place for coordinated vulnerability reporting.
Geo-redundant data replication across Azure paired regions. Recovery Point Objective (RPO) of 1 hour. Recovery Time Objective (RTO) of 4 hours. Automated failover tested quarterly.
VitaAI operates as a Business Associate under HIPAA when processing Protected Health Information on behalf of covered entities. We execute a Business Associate Agreement (BAA) with every customer that handles PHI.
Our security posture is validated through annual third-party HIPAA risk assessments aligned with the NIST Cybersecurity Framework and OCR guidance.
VitaAI integrates directly with Epic and other major EHR platforms via industry-standard APIs — no custom interfaces, no shadow copies of data.
VitaAI connects to Epic via the HL7 FHIR R4 API, enabling real-time, bidirectional clinical data exchange without bulk data exports or custom ETL pipelines. Patient data is queried on-demand, minimizing PHI at rest in VitaAI's systems. OAuth 2.0 SMART on FHIR authorization ensures patient-level consent is enforced at the Epic layer.
Download our security documentation to accelerate your organization's vendor assessment and procurement process. All compliance documents are available in both PDF and Word formats.
27 documents available
Detailed mapping of VitaAI's administrative, physical, and technical safeguards to the HIPAA Security Rule.
Executive summary of VitaAI's security program, infrastructure architecture, and compliance posture for procurement teams.
Standard BAA template for covered entities. Pre-signed by VitaAI. Send to legal for review or request a countersigned copy.
Vendor questionnaire responses aligned to NIST CSF, CIS Controls v8, and common hospital procurement frameworks.
Reference architecture diagrams showing network topology, data flows, integration points, and security boundaries.
The signed Business Associate Agreement between Microsoft and Azure customers confirming HIPAA-compliant infrastructure obligations.
Formal CC9 risk register mapping 12 identified risks to SOC 2 Trust Services Criteria with current controls, residual risk ratings, and mitigation owners.
Describes how VitaAI collects, uses, discloses, and protects personal information and PHI. Covers patient rights under HIPAA.
Governs authorized use of the VitaAI platform, user responsibilities, IP rights, liability limitations, and prohibited activities.
Standard enterprise healthcare SaaS agreement governing subscriptions, data protection obligations, SLAs, and IP rights.
Company values, workplace standards, HIPAA obligations, anti-harassment policy, remote work guidelines, and professional conduct standards.
Workforce confidentiality agreement signed by all employees and contractors. Covers PHI handling, trade secrets, and post-separation obligations.
Formal role definitions, responsibilities, and qualifications for all key positions: CEO, Lead Engineer, Security Officer, DevOps, and Customer Success.
Progressive discipline policy for policy violations and HIPAA infractions. Defines sanctions from verbal warning through immediate termination.
Formal designation of the HIPAA Security Officer and Privacy Officer as required by 45 CFR §164.308(a)(2) and §164.530(a).
Defines authorized use of VitaAI systems, PHI handling requirements, password standards, device controls, and prohibited activities for all workforce members.
Cryptographic standards for data at rest (AES-256-GCM), in transit (TLS 1.3), key management via Azure Key Vault, and cipher suite configuration.
Process for requesting, reviewing, approving, and deploying changes to production. Covers standard, normal, and emergency change categories.
Security activities at each SDLC phase: threat modeling, secure coding standards, OWASP code review checklist, SAST, DAST, and annual penetration testing.
HIPAA-aligned retention schedule for PHI (6 years), audit logs, contracts, and financial records. Covers legal holds and automated enforcement.
Secure destruction procedures for PHI on electronic media, cloud storage, and physical documents. Covers certificate of destruction requirements.
Enterprise risk framework aligned to NIST RMF. Covers risk identification, scoring (Likelihood × Impact), treatment selection, and annual review cycle.
Active register of 12 identified risks — credential theft, ransomware, injection, insider threat, vendor breach — with scores, controls, and remediation status.
Annual fraud risk review covering financial operations, healthcare billing, and technology domains with controls evaluation and anti-fraud program.
Tier-based evaluation of critical vendors (Microsoft Azure, DoseSpot, Availity, Resend). Covers BAA status, certifications, and onboarding requirements.
Audit logging requirements for PHI access, authentication, API calls, and infrastructure events. Covers 6-year immutable retention and real-time alerting rules.
Azure App Service security hardening: TLS configuration, cipher suites (Qualys A+), HSTS, security response headers, network isolation, and patch management.
Documents under NDA or not listed above? Contact steven@altnetix.com
Our security team can provide a signed BAA, answer procurement questions, or schedule a technical deep-dive for your IT and compliance teams.