Security and BAA
Built for hospital compliance teams. BAA available to all clients. Data isolated at the row level, not just at the application level. Autonomous agent write actions gated by approval, with a full audit trail.
Security by Default
Security isn't a feature tier. Every client gets the same stack.
HIPAA BAA Available
We execute a Business Associate Agreement with any client that requires one. BAA is standard, not an add-on. Email info@denialsdx.com to request one before data ingestion begins.
AES-256 Encryption at Rest
All denial records, KPI snapshots, questionnaire responses, agent session state, and platform data are encrypted at rest using AES-256. Managed by Supabase on AWS-hosted infrastructure.
TLS 1.3 in Transit
All data in transit, including intake uploads, API calls, agent tool calls, and browser sessions, is encrypted using TLS 1.3. No unencrypted channels.
Row-Level Security (RLS)
Multi-tenant isolation is enforced at the Postgres row level, not the application level. Your organization's data cannot be accessed by another tenant's session, by design, not convention.
Scoped Agent Tool Access
Autonomous agents run against a scoped tool allowlist per role. Copilot write actions require explicit approval. Every agent action is logged with the session ID and the tool call, so the audit trail is complete.
Cloudflare Edge Protection
The platform is delivered via Cloudflare with network-level DDoS protection, WAF, and bot mitigation. No origin IP exposure.
SOC 2 Type II Infrastructure
Both Supabase and Cloudflare maintain SOC 2 Type II certification. Infrastructure-level compliance documentation is available on request for your legal and compliance review.
Need a BAA Before We Start?
We'll send it the same day. No negotiation cycles. Standard HIPAA-compliant terms.
Data Isolation
Every client organization has a unique organization_id. All database queries enforce this constraint at the Postgres row level using Supabase RLS policies. Even if an application bug were to occur, the database layer would reject cross-tenant data access.
Authentication
User authentication is managed via Supabase Auth (built on GoTrue). Sessions use JWTs with custom claims injected at login that carry the user's role and organization ID. Tokens expire and rotate. Role-based access controls prevent client users from accessing admin functions or other organizations' data.
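The two preceding sections describe tenant isolation as a Postgres RLS policy keyed on organization_id, with that ID carried as a custom JWT claim. The following SQL is an added illustration of that pattern, not the platform's own schema or policy text. It assumes a table named denial_records, a claim named organization_id at the top level of the access token (the claim path is an assumption; a deployment may nest it under app_metadata), and the Supabase-provided auth.jwt() helper.

```sql
-- Added example: tenant isolation enforced in the database, not in application code.
-- Table name, column names and the JWT claim path are assumptions for illustration.

create table if not exists denial_records (
  id               bigint generated always as identity primary key,
  organization_id  uuid        not null,   -- the tenant key every policy checks
  claim_number     text        not null,
  denial_reason    text,
  created_at       timestamptz not null default now()
);

-- Read the tenant ID from the JWT that Supabase Auth attached to this session.
-- Returns NULL (so every policy check fails closed) when the claim is missing.
create or replace function current_org_id()
returns uuid
language sql
stable
as $$
  select nullif(auth.jwt() ->> 'organization_id', '')::uuid;
$$;

-- Turn RLS on and apply it to the table owner as well, so a misconfigured
-- connection role cannot bypass the policy.
alter table denial_records enable row level security;
alter table denial_records force  row level security;

-- One policy covers SELECT/INSERT/UPDATE/DELETE for logged-in users:
--   USING      filters rows a session may see or modify
--   WITH CHECK rejects writes that would land in another tenant's partition
create policy tenant_isolation on denial_records
  for all
  to authenticated
  using      (organization_id = current_org_id())
  with check (organization_id = current_org_id());

-- Anonymous sessions get no policy at all, so RLS denies them every row.
-- Application code never adds "where organization_id = ?" itself; if it
-- forgets, or passes the wrong ID, the database still returns only the
-- caller's tenant and refuses cross-tenant inserts.
```

A quick way to confirm the policy works as intended is to open a session as a test user whose token carries tenant A's ID, run `select count(*) from denial_records`, and verify that rows inserted under tenant B are not returned and that an insert naming tenant B's organization_id fails the WITH CHECK clause.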
Agent Access Control
Autonomous agents operate inside a sandboxed runtime with a per-agent tool allowlist. Write actions proposed by the Copilot or other agents require an explicit approval step before any state change is committed. Every tool call is logged with the agent session ID, the tool, and the inputs. You can review the audit trail at any time.
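The section above says that write actions need an approval step before state changes and that every tool call is recorded with session ID, tool and inputs. The SQL below is an added example of how such an audit table can be made to enforce those two rules in the database itself; it is not the platform's own design. Table and column names are assumptions, and it reuses the RLS style shown earlier by checking organization_id against the JWT claim.

```sql
-- Added example: an append-style audit log where a write action cannot be
-- marked committed without an approval, and recorded facts cannot be edited.
-- All names here are assumptions for illustration.

create table if not exists agent_tool_calls (
  id                bigint generated always as identity primary key,
  organization_id   uuid        not null,
  agent_session_id  uuid        not null,   -- ties the row to one agent run
  tool              text        not null,   -- tool name from the per-role allowlist
  inputs            jsonb       not null,   -- arguments the agent passed
  is_write          boolean     not null default false,
  approved_by       uuid,                   -- reviewing user, NULL until approved
  approved_at       timestamptz,
  committed_at      timestamptz,            -- set only when the change is applied
  created_at        timestamptz not null default now(),

  -- A write action may only be committed after it has been approved.
  -- Read-only calls need no approval.
  constraint write_requires_approval
    check (not is_write or committed_at is null or approved_at is not null),

  -- approved_by and approved_at are set together or not at all.
  constraint approval_fields_consistent
    check ((approved_by is null) = (approved_at is null))
);

-- Tenant scoping for the audit trail itself, same pattern as the data tables.
alter table agent_tool_calls enable row level security;
alter table agent_tool_calls force  row level security;

create policy tenant_isolation on agent_tool_calls
  for all
  to authenticated
  using      (organization_id = (auth.jwt() ->> 'organization_id')::uuid)
  with check (organization_id = (auth.jwt() ->> 'organization_id')::uuid);

-- Once logged, what the agent asked for cannot be rewritten. Only the
-- approval and commit columns may change on an existing row.
create or replace function agent_tool_calls_guard()
returns trigger
language plpgsql
as $$
begin
  if new.organization_id  <> old.organization_id
     or new.agent_session_id <> old.agent_session_id
     or new.tool             <> old.tool
     or new.inputs           <> old.inputs
     or new.is_write         <> old.is_write
     or new.created_at       <> old.created_at then
    raise exception 'audit record fields are immutable; only approval/commit state may change';
  end if;
  return new;
end;
$$;

create trigger agent_tool_calls_immutable
  before update on agent_tool_calls
  for each row execute function agent_tool_calls_guard();

-- Deleting audit rows is never part of normal operation.
revoke delete on agent_tool_calls from authenticated;
```

With this shape, an agent runtime inserts one row per tool call as it happens, a reviewer's approval updates approved_by and approved_at, and the runtime sets committed_at only after the approved change is applied. Any code path that tries to commit an unapproved write, or to alter the recorded tool or inputs after the fact, is rejected by the database rather than relying on the application to behave.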
Data Retention
Client data is retained for the duration of the engagement plus 12 months. At engagement close, clients may request full data deletion. We do not retain denial records or PHI beyond what is operationally necessary.
No Third-Party Data Sharing
We do not sell data. We do not share denial records, claim data, or PHI with third parties. Data flows only to:
- Supabase, database and auth hosting (under data processing terms)
- Cloudflare, delivery and edge security (under data processing terms)
- Anthropic, to power Copilot and agent reasoning (zero-retention terms, no training on client data)
- Resend, transactional email (user-facing notifications only; no claim data transmitted)
Compliance Documentation
For security questions or to request compliance documentation, email info@denialsdx.com.