Security

Enterprise-grade security protecting your most sensitive data • HIPAA Compliant • SOC 2 Type II in progress

Security Overview

ClaimRight is built on a foundation of enterprise-grade security controls designed to protect Protected Health Information (PHI) and meet the strict requirements of healthcare compliance. We implement defense-in-depth security architecture, combining multiple layers of protection from infrastructure to application level. Our security program is designed around HIPAA Security Rule requirements, NIST Cybersecurity Framework, and industry best practices for healthcare technology. Every aspect of our platform — from data encryption to employee access controls — is engineered to safeguard your data.

HIPAA Compliance

As a Business Associate under HIPAA, ClaimRight maintains comprehensive compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. We sign Business Associate Agreements (BAAs) with all healthcare customers before processing any PHI. Our compliance program includes: (a) Administrative Safeguards: designated Privacy and Security Officers, workforce training programs, risk analysis and management procedures, incident response protocols, and business associate management; (b) Physical Safeguards: controlled facility access, workstation security policies, device and media controls, and secure disposal procedures; (c) Technical Safeguards: unique user identification, automatic logoff, encryption and decryption, audit controls and integrity controls, and transmission security. We conduct annual HIPAA Security Rule assessments and maintain detailed documentation of all safeguards.

Data Encryption

All PHI is encrypted using industry-leading encryption standards: (a) Encryption in Transit: TLS 1.3 or higher for all data transmission, Perfect Forward Secrecy (PFS) enabled, strong cipher suites only (no weak or deprecated algorithms), certificate pinning for API communications, and encrypted voice streams using SRTP (Secure Real-time Transport Protocol); (b) Encryption at Rest: AES-256 encryption for all stored PHI, encrypted database volumes, encrypted file storage systems, encrypted backups, and hardware security module (HSM) for key management; (c) Key Management: automatic key rotation every 90 days, separation of key management from data access, audit logging of all key operations, and secure key destruction procedures. Encryption keys are never stored with encrypted data and are managed separately with strict access controls.
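The key-management controls listed above (keys held apart from the data, per-record data keys, automatic 90-day rotation, audited key operations, secure destruction) fit together as envelope encryption. The block below is an added example written for this page, not ClaimRight's code: a stand-in key-management service that never releases its key-encryption keys (KEKs), per-record data-encryption keys (DEKs) wrapped under the active KEK, rotation that fires once the active KEK is 90 days old, re-wrapping that moves a record to the new KEK without re-encrypting the data, and destruction of a retired KEK. The HSM and AES-256-GCM are stood in for by a stdlib-only encrypt-then-MAC construction so it runs offline; the key identifiers, day counter and record contents are constructed for the demonstration.

```python
"""Envelope encryption with a separate key-management boundary and 90-day KEK rotation.
Added example, not ClaimRight's code. The HSM/KMS and AES-256-GCM are stood in for by a
stdlib-only encrypt-then-MAC construction so it runs offline; a deployment would call a
real KMS and use a vetted AES-256-GCM implementation instead."""
import hashlib
import hmac
import secrets
from collections import namedtuple

# A stored record: the wrapped DEK sits beside the data, the KEK never does.
EncryptedRecord = namedtuple("EncryptedRecord", "kek_id wrapped_dek ciphertext")

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext, aad=b""):
    """Returns nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac_key = hashlib.sha256(b"mac" + key).digest()      # distinct MAC key derived from key
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()

def open_(key, blob, aad=b""):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    mac_key = hashlib.sha256(b"mac" + key).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key, wrong context or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KeyManagementService:
    """Stand-in for an HSM-backed KMS: KEKs never leave this object, and every key
    operation is appended to self.audit as (operation, kek_id, day)."""
    ROTATION_DAYS = 90

    def __init__(self):
        self._keks, self._seq, self.active_kek, self.audit = {}, 0, None, []

    def create_kek(self, today):
        self._seq += 1
        kek_id = f"kek-{self._seq:03d}"
        self._keks[kek_id] = (secrets.token_bytes(32), today)   # fresh 256-bit KEK, creation day
        self.active_kek = kek_id
        self.audit.append(("create", kek_id, today))
        return kek_id

    def wrap(self, dek, today):
        if today - self._keks[self.active_kek][1] >= self.ROTATION_DAYS:
            self.create_kek(today)           # automatic rotation: new wraps go under a fresh KEK
        kek_id = self.active_kek
        self.audit.append(("wrap", kek_id, today))
        return kek_id, seal(self._keks[kek_id][0], dek, aad=kek_id.encode())

    def unwrap(self, kek_id, wrapped, today):
        if kek_id not in self._keks:
            self.audit.append(("unwrap-denied", kek_id, today))
            raise KeyError(f"{kek_id} was destroyed; data still under it is unrecoverable by design")
        self.audit.append(("unwrap", kek_id, today))
        return open_(self._keks[kek_id][0], wrapped, aad=kek_id.encode())

    def destroy(self, kek_id, today):
        if kek_id == self.active_kek:
            raise ValueError("refusing to destroy the active KEK")
        del self._keks[kek_id]               # secure destruction: the key material is gone
        self.audit.append(("destroy", kek_id, today))

def encrypt_record(kms, plaintext, today):
    dek = secrets.token_bytes(32)                        # one 256-bit DEK per record
    ciphertext = seal(dek, plaintext)
    kek_id, wrapped = kms.wrap(dek, today)
    return EncryptedRecord(kek_id, wrapped, ciphertext)  # the plaintext DEK is dropped here

def decrypt_record(kms, rec, today):
    return open_(kms.unwrap(rec.kek_id, rec.wrapped_dek, today), rec.ciphertext)

def rewrap_record(kms, rec, today):
    # Rotation re-wraps the 32-byte DEK under the active KEK; the ciphertext is not touched.
    dek = kms.unwrap(rec.kek_id, rec.wrapped_dek, today)
    kek_id, wrapped = kms.wrap(dek, today)
    return EncryptedRecord(kek_id, wrapped, rec.ciphertext)

def demo():
    kms = KeyManagementService()
    kms.create_kek(today=0)
    rec = encrypt_record(kms, b"claim 12345: patient J. Doe, CPT 99213", today=1)  # constructed PHI
    rec2 = rewrap_record(kms, rec, today=95)    # day 95: the 90-day rotation fires on this wrap
    kms.destroy(rec.kek_id, today=96)           # retire the old KEK once nothing depends on it
    try:
        decrypt_record(kms, rec, today=96)      # a stale copy still pointing at the destroyed KEK
        stale_readable = True
    except KeyError:
        stale_readable = False
    return {
        "keks": (rec.kek_id, rec2.kek_id),
        "ciphertext_unchanged": rec.ciphertext == rec2.ciphertext,
        "plaintext": decrypt_record(kms, rec2, today=96),
        "stale_readable": stale_readable,
        "audit_ops": [op for op, _, _ in kms.audit],
    }
```

Rotation re-wraps a 32-byte DEK rather than the ciphertext, which is what makes a 90-day schedule affordable over a large PHI store. Destroying a retired KEK once every record has been re-wrapped is the crypto-shredding step that secure key destruction relies on; the stale copy in demo() shows the other side of that coin, since any record not re-wrapped before the old KEK is destroyed is unreadable for good, so rotation jobs need to be complete and verified before destruction is approved.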

Infrastructure Security

ClaimRight's infrastructure is hosted in SOC 2 Type II audited data centers with comprehensive physical and environmental controls: (a) Hosting Environment: HIPAA-eligible cloud infrastructure (AWS/GCP), multi-region redundancy for disaster recovery, isolated production environments, and dedicated Virtual Private Cloud (VPC) networks; (b) Network Security: Web Application Firewall (WAF) with DDoS protection, intrusion detection and prevention systems (IDS/IPS), network segmentation and micro-segmentation, private subnets for database and application tiers, and VPN-only access for internal systems; (c) Infrastructure Monitoring: 24/7 security operations center (SOC) monitoring, automated threat detection and response, real-time log aggregation and analysis, infrastructure vulnerability scanning, and security information and event management (SIEM). Our infrastructure undergoes quarterly penetration testing by independent third-party security firms.

Access Controls

We implement strict access controls following the principle of least privilege: (a) Authentication: multi-factor authentication (MFA) required for all user accounts, single sign-on (SSO) support via SAML 2.0, password complexity requirements enforced, account lockout after failed login attempts, and session timeout after 30 minutes of inactivity; (b) Authorization: role-based access control (RBAC) with granular permissions, separation of duties for sensitive operations, customer data isolation (tenancy controls), and audit trail of all access attempts; (c) Employee Access: just-in-time (JIT) access for production environments, all access logged and monitored, quarterly access reviews and recertification, immediate revocation upon termination, and background checks for employees with PHI access. Production data access requires documented business justification and Security Officer approval.

Application Security

Our application development follows secure coding practices and security-by-design principles: (a) Secure Development: security requirements integrated into development lifecycle, static application security testing (SAST) in CI/CD pipeline, dynamic application security testing (DAST) before production deployment, dependency scanning for vulnerable libraries, and code review required for all changes; (b) Input Validation: parameterized queries to prevent SQL injection, input sanitization to prevent XSS attacks, CSRF protection on all state-changing operations, rate limiting and request throttling, and content security policy (CSP) headers; (c) API Security: OAuth 2.0 with JWT tokens, API rate limiting per customer, request/response validation, and comprehensive API logging. We maintain a private bug bounty program for responsible disclosure of security vulnerabilities.
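The parameterized-query control named above, as an added example that is not ClaimRight's code: a string-built lookup beside its parameterized form, both run against a constructed two-tenant SQLite table. The injected claim number widens the WHERE clause in the vulnerable version and pulls rows from the other tenant, which is why input handling and tenancy controls fail together. The hardened version also covers the one thing bind parameters cannot carry, an identifier used in ORDER BY, with an allow-list. The table, rows, tenant names and the SORTABLE_COLUMNS set are assumptions made for the demonstration.

```python
"""String-built SQL beside its parameterized form, run against an in-memory SQLite table.
Added example for this page, not ClaimRight's code; schema, rows and tenants are constructed."""
import sqlite3

SORTABLE_COLUMNS = {"claim_number", "amount"}   # identifiers cannot be bound, so allow-list them

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE claims (tenant_id TEXT, claim_number TEXT, patient TEXT, amount REAL)")
    conn.executemany("INSERT INTO claims VALUES (?, ?, ?, ?)", [
        ("clinic-a", "A-1001", "J. Doe", 120.0),   # constructed rows: two tenants share one table
        ("clinic-a", "A-1002", "R. Roe", 85.5),
        ("clinic-b", "B-2001", "M. Moe", 430.0),
    ])
    return conn

def find_claim_vulnerable(conn, tenant_id, claim_number):
    # VULNERABLE: user input is spliced into the statement. The tenant filter is only text,
    # so a payload in claim_number can rewrite the predicate and cross the tenant boundary.
    sql = ("SELECT tenant_id, claim_number, patient FROM claims "
           f"WHERE tenant_id = '{tenant_id}' AND claim_number = '{claim_number}'")
    return conn.execute(sql).fetchall()

def find_claim_safe(conn, tenant_id, claim_number, sort_by="claim_number"):
    # HARDENED: values travel as bind parameters and never become SQL syntax; the one part
    # that cannot be a parameter (the sort column) is checked against an allow-list instead.
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = ("SELECT tenant_id, claim_number, patient FROM claims "
           "WHERE tenant_id = ? AND claim_number = ? ORDER BY " + sort_by)
    return conn.execute(sql, (tenant_id, claim_number)).fetchall()

INJECTION = "x' OR '1'='1"   # turns the predicate into (tenant AND claim) OR TRUE

def demo():
    conn = build_db()
    leaked = find_claim_vulnerable(conn, "clinic-a", INJECTION)
    return {
        "vulnerable_rows": len(leaked),
        "vulnerable_tenants": sorted({row[0] for row in leaked}),   # clinic-b shows up here
        "safe_rows": len(find_claim_safe(conn, "clinic-a", INJECTION)),
        "safe_lookup": find_claim_safe(conn, "clinic-a", "A-1001"),
    }
```

The same split applies to every other place a query is assembled from request data: values go through the driver's parameter binding, identifiers (table, column, sort direction) go through an allow-list, and a query that needs neither is built from constants only. A SAST rule that flags f-strings or concatenation reaching `execute()` is the cheapest way to keep the vulnerable form out of the CI pipeline the paragraph describes.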

Audit Logging and Monitoring

We maintain comprehensive audit logs for security, compliance, and operational purposes: (a) Audit Log Coverage: all PHI access and modifications, authentication and authorization events, administrative actions, API calls and transactions, configuration changes, and security events and alerts; (b) Log Retention: audit logs retained for seven (7) years, which exceeds the six-year retention period the HIPAA Security Rule sets for required documentation (45 CFR 164.316(b)(2)), encrypted at rest, stored in tamper-evident format (write-once-read-many), with regular integrity verification; (c) Security Monitoring: 24/7 automated monitoring and alerting, anomaly detection using machine learning, correlation of events across systems, real-time alerts for suspicious activity, and quarterly log reviews by the Security team. All logs are centrally aggregated in our SIEM system for rapid investigation and forensic analysis.
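Tamper-evident storage with integrity verification, as described above, shown as an added example that is not ClaimRight's code: a hash-chained audit log in which each entry carries an HMAC over its own content and the previous entry's hash, and a verifier that reports the first entry at which the chain breaks. The events, usernames, timestamps and the placeholder MAC key are constructed for the demonstration.

```python
"""A tamper-evident audit log: each entry's HMAC covers the entry and the previous entry's
hash, so editing, reordering or deleting an entry breaks the chain at the first bad entry.
Added example for this page, not ClaimRight's code; events and the MAC key are constructed."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64

def _entry_digest(key, seq, prev, event):
    # Canonical JSON so the digest does not depend on dict ordering or whitespace.
    body = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class AuditLog:
    def __init__(self, key):
        self._key = key       # held by the log service only; application users cannot forge digests
        self.entries = []

    def append(self, event):
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "event": event,
                 "hash": _entry_digest(self._key, seq, prev, event)}
        self.entries.append(entry)
        return entry

    def head(self):
        # The head hash is what gets written to WORM storage at each checkpoint.
        return self.entries[-1]["hash"] if self.entries else GENESIS

def verify_chain(entries, key, anchored_head=None):
    """Return (ok, first_bad_seq). Without an anchored head, dropping the newest entries is invisible."""
    prev = GENESIS
    for i, e in enumerate(entries):
        expected = _entry_digest(key, i, prev, e["event"])
        if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["hash"], expected):
            return False, i
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(entries)      # internally consistent, but shorter than the anchored chain
    return True, None

def demo():
    key = b"log-service-hmac-key-placeholder"   # constructed; a real service pulls this from its KMS
    log = AuditLog(key)
    for event in [   # constructed PHI-access events
        {"ts": "2025-03-01T09:00:00Z", "user": "nurse.kim", "action": "view", "patient": "P-001"},
        {"ts": "2025-03-01T09:01:30Z", "user": "nurse.kim", "action": "update", "patient": "P-001"},
        {"ts": "2025-03-01T09:05:10Z", "user": "billing.ops", "action": "export", "patient": "P-002"},
    ]:
        log.append(event)
    anchored = log.head()

    edited = copy.deepcopy(log.entries)
    edited[1]["event"]["user"] = "someone.else"   # rewrite who made the change
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                # remove an inconvenient entry
    truncated = log.entries[:-1]                  # drop the newest entry

    return {
        "clean": verify_chain(log.entries, key, anchored),
        "edited": verify_chain(edited, key, anchored),
        "deleted": verify_chain(deleted, key, anchored),
        "truncated_unanchored": verify_chain(truncated, key),
        "truncated_anchored": verify_chain(truncated, key, anchored),
    }
```

A plain hash chain only proves internal consistency: anyone who can rewrite the whole file can recompute it, and removing the newest entries leaves a valid shorter chain, which is what `truncated_unanchored` shows. Keying the digest so that only the log service can produce it, and writing the head hash to write-once storage at each checkpoint (the `anchored_head` argument), are what turn the chain into the tamper-evident, periodically verified store the section describes; the scheduled integrity check is then a call to `verify_chain` against the most recent anchor.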

Incident Response

ClaimRight maintains a documented Incident Response Plan aligned with NIST SP 800-61: (a) Incident Response Team: on-call security team available 24/7/365, defined escalation procedures, coordination with external forensics if needed, and regular incident response drills; (b) Response Process: detection and analysis, containment and eradication, recovery and restoration, and post-incident review and lessons learned; (c) Breach Notification: HIPAA-compliant breach notification procedures, notification to affected customers within 24 hours of confirmed breach, assistance with patient notification if required, and coordination with law enforcement when appropriate. We test our incident response procedures quarterly through tabletop exercises and simulated security events.

Business Continuity and Disaster Recovery

We maintain comprehensive business continuity and disaster recovery capabilities: (a) Backup Strategy: automated daily backups of all customer data, backups encrypted and stored in geographically separate regions, backup restoration tested monthly, and 30-day point-in-time recovery capability; (b) High Availability: multi-region active-active architecture, automatic failover for critical services, load balancing across availability zones, and redundant database instances with automatic replication; (c) Recovery Objectives: Recovery Time Objective (RTO): 4 hours for production systems, Recovery Point Objective (RPO): 1 hour maximum data loss, and 99.9% uptime SLA for Enterprise customers. Our disaster recovery plan is tested semi-annually through full failover exercises.

Employee Security Training

All employees undergo comprehensive security training: (a) Onboarding Training: HIPAA Privacy and Security Rule training, secure coding practices for engineers, social engineering awareness, incident reporting procedures, and acceptable use policies; (b) Ongoing Training: annual HIPAA refresher training, quarterly security awareness updates, phishing simulation exercises, and role-specific security training; (c) Background Checks: criminal background checks for all employees, enhanced screening for employees with PHI access, and continuous monitoring for employees in sensitive roles. All employees sign confidentiality agreements and acceptable use policies covering data security obligations.

Compliance and Certifications

ClaimRight maintains industry-recognized security attestations and compliance: (a) Current Compliance: HIPAA Business Associate, HITECH Act compliant, state-specific privacy laws (CCPA, CPRA, etc.); (b) In Progress: SOC 2 Type II attestation report (expected Q2 2026), ISO 27001 certification (expected Q3 2026); (c) Regular Assessments: annual third-party security audits, quarterly vulnerability assessments, annual penetration testing, and continuous compliance monitoring. Upon request, we provide customers with our most recent SOC 2 report (once available), attestation of HIPAA compliance, and security assessment summaries.

Contact Security Team

For security-related inquiries, vulnerability reports, or compliance questions, please contact: Vantar Group LLC, Security Team, 1 MetroTech Center, Brooklyn, NY 11201, Email: security@claimright.app, Phone: (888) 555-0199. For responsible disclosure of security vulnerabilities, please email security@claimright.app with "SECURITY" in the subject line. We respond to all security reports within 24 hours and provide updates throughout the investigation and remediation process.

Common Questions

Everything you need to know about ClaimRight — from HIPAA compliance to EHR integration

How does ClaimRight integrate with my EHR?

ClaimRight offers native integrations with Epic, Cerner, and athenahealth. Simply export your denial or A/R report and upload it to our platform. We automatically parse claim data, patient information, and payer details. For Enterprise customers, we can set up direct API integration with your EHR for real-time synchronization.

What happens if the AI can't resolve a claim?

Is ClaimRight HIPAA compliant?

How long does setup take?

What payers does ClaimRight work with?

Can I cancel anytime?

Stop chasing claims. Start getting paid faster.

Join 50+ healthcare providers using ClaimRight to automate their revenue cycle. See how AI can recover your denied claims in minutes, not weeks.

AI-powered revenue cycle management that recovers millions in denied claims. Automated payer communications with human-like precision.

© 2025 Vantar Group LLC. All rights reserved.
