Last updated: April 10, 2026
Who We Are
Auth Hero is a HIPAA-aligned, case-centric collaboration platform for California workers' compensation. Clinics, employers, attorneys, insurers, and patients work from a single shared case file with role-based access, audit logging, and structured document management. We operate exclusively in the United States and currently serve California organizations.
Security at a Glance
- Encryption in transit: TLS 1.3+ for all browser and API connections. Strong ciphers are mandated to protect data from interception and downgrade attacks.
- Encryption at rest: AES-256 on all platform data at rest using cloud-native encryption services with keys managed via cloud KMS.
- Access control: Role-based, least-privilege access. Every invitation is explicit and time-bound. Admin actions and data access are logged.
- Audit logging: Immutable logs of access, downloads, permission changes, and exports, each recording the user, timestamp, and IP/device metadata.
- Environment isolation: Segregated dev/test/prod environments. No production data in lower environments.
- Dependency hygiene: Continuous vulnerability scanning on builds with rapid patching for high-severity issues.
- Backups and recovery: Daily encrypted backups with periodic restore testing and documented recovery procedures.
HIPAA Alignment
Auth Hero is designed to meet HIPAA Security Rule safeguards (administrative, physical, and technical) and to maintain audit-grade access trails, including: unique user IDs, access control, integrity controls, transmission security, and comprehensive activity logs (45 CFR §164.308, §164.310, §164.312).
- Business Associate Agreements (BAAs) are executed with covered entities before PHI is processed.
- Technical and organizational controls are mapped to HIPAA Security Rule safeguards.
- Audit logs are exportable for investigations, audits, and legal events.
- Encryption at rest (AES-256) and in transit (TLS 1.3+) for all PHI.
California Privacy (CCPA/CPRA)
Because we operate in California, we respect California privacy requirements under CCPA as amended by CPRA.
- No sale or sharing of personal information for cross-context behavioral advertising.
- Privacy rights (know/access, correct, delete, limit) available via privacy@authhero.com.
- Global Privacy Control (GPC) browser signal is honored.
- PHI governed by HIPAA is handled per the clinic's Notice of Privacy Practices. Non-PHI personal information is subject to CCPA/CPRA rights.
Cloud Infrastructure
- Provider: Microsoft Azure (US regions only).
- Encryption services: Azure Storage and managed disk encryption at rest with AES-256; keys managed via Azure Key Vault.
- Transport security: TLS 1.3+ enforced on all endpoints.
- Network and isolation: Separate VNets and resource groups per environment; least-privilege service identities.
Product Security Features
- Invite-only access: Stakeholders join a case via expiring invites. Permissions are granular (view, upload, download, comment).
- Case-centric repository: Documents are grouped by case, not by user, with status metadata and version history.
- Audit exports: On-demand exports of access trails and case activity in PDF or CSV for audits, legal events, or compliance reviews.
- Mobile app security: The patient companion app uses the same authentication, encryption, and access control standards as the web platform. No data is stored on-device beyond session tokens.
Vulnerability Management and Testing
- Secure SDLC: Code reviews, dependency scanning, and CI/CD checks on every merge.
- Scanning: Automated SCA and container/image scanning; infrastructure misconfiguration scans.
- Penetration testing: Third-party penetration testing with summary findings available under NDA.
Incident Response
- On-call coverage: Defined escalation to engineering leadership around the clock.
- Playbooks: Triage, containment, forensic logging, notification, and post-mortems.
- Notification: If an incident affecting user data occurs, we notify impacted customers without undue delay, consistent with applicable law (including HIPAA breach notification requirements and California data breach statutes).
Data Retention and Deletion
We retain data as needed to provide the Services, meet HIPAA's 6-year minimum (or longer if required by law or a customer's retention policy), and fulfill legal obligations.
Customer data is deleted upon request or at the end of a subscription agreement, subject to legal holds and backup cycles. Upon termination, customers have a 30-day data export window before deletion begins.
Sub-processors
We bind all sub-processors by contract to implement appropriate safeguards and to use data only to perform services for Auth Hero.
- Microsoft Azure: Hosting, storage, networking, key management (US regions).
A current list of all sub-processors is available upon request. Customers are notified before new sub-processors are added.
Compliance Roadmap
- SOC 2 Type I/II: Evaluation in progress. Timeline to be published.
- HIPAA attestation package: Formal risk analysis documentation and security training attestations available to customers.
- Self-serve privacy portal: In-app CCPA/CPRA request flow with documented response SLAs.
Contact
Questions, security reports, or BAA requests: security@authhero.com
We welcome good-faith security reports. Please avoid sharing PHI in initial emails.
Trust Center v2. Last updated April 10, 2026.