Effective Date: October 25, 2025
Status: Pilot onboarding in California only
Who we are
Auth Hero is a HIPAA-aligned, case-centric document repository for California workers' compensation stakeholders (clinics, employers, attorneys, payers). We are currently pre-MVP and limiting access to invited pilot users in California.
Scope (Phase 1)
Geography: We operate and host in the United States; we currently serve California organizations only.
Data types (today): Pilot onboarding data, test/synthetic case data, limited user/account data, support communications.
Protected health information (PHI): Our system is designed for HIPAA Security Rule safeguards and auditability. Until production pilots start, we avoid ingesting real PHI outside of defined test agreements and controls. (See "HIPAA alignment" below.)
Security at a glance
- Encryption in transit: TLS 1.3+ for all browser- and API-based connections. TLS 1.3 modernizes the handshake and mandates strong ciphers to protect data from interception and downgrade attacks.
- Encryption at rest: AES-256 encryption of all platform data at rest, provided by cloud-native encryption services. (Azure Storage/managed disks encrypt data at rest with AES-256 by default.)
- Access control: Role-based, least-privilege access; every invitation is explicit and time-bound; admin actions and data access are logged.
- Audit logging: Immutable logs of access, downloads, permission changes, and exports, each recording the acting user, timestamp, and IP/device metadata.
- Environment isolation: Segregated dev/test/prod environments; no production data in lower environments.
- Dependency hygiene: Continuous vulnerability scanning on builds; rapid patching for high-severity issues.
- Backups & recovery: Daily encrypted backups with periodic restore tests (policy details coming in Phase 2).
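As an added example (not Auth Hero's code, and not a statement of how its logging is actually implemented), the snippet below shows one way to make the access/download/permission-change log described above tamper-evident: each record carries the SHA-256 hash of the previous record, so an edited or deleted record is detected when the chain is verified. The users, case ids, IP addresses and timestamps are constructed sample values.

```python
"""Tamper-evident (hash-chained) audit log.

Each record stores the hash of the previous record and its own hash over a
canonical serialization, so editing or deleting any record breaks the chain.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first record


def _canonical(entry):
    # Fixed key order and separators so the same content always hashes the same.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(log, *, user, action, case_id, ip, device, ts=None):
    """Append one audit record linked to the previous record's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,          # view / download / permission_change / export
        "case_id": case_id,
        "ip": ip,
        "device": device,
        "prev_hash": prev_hash,
    }
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    log.append(body)
    return body


def verify_chain(log):
    """Return (True, None) if intact, else (False, index_of_first_bad_record)."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != expected_prev:
            return False, i  # a record was removed, reordered or inserted
        unhashed = {k: v for k, v in entry.items() if k != "hash"}
        if hashlib.sha256(_canonical(unhashed)).hexdigest() != entry["hash"]:
            return False, i  # record content was altered after the fact
        expected_prev = entry["hash"]
    return True, None


def build_sample_log():
    # Constructed sample events: fictional users, case id and addresses.
    log = []
    append_event(log, user="clinic-admin@example.test", action="view",
                 case_id="CASE-0001", ip="203.0.113.10", device="Chrome/macOS",
                 ts="2025-10-25T09:00:00+00:00")
    append_event(log, user="attorney@example.test", action="download",
                 case_id="CASE-0001", ip="198.51.100.7", device="Firefox/Windows",
                 ts="2025-10-25T09:05:00+00:00")
    append_event(log, user="clinic-admin@example.test", action="permission_change",
                 case_id="CASE-0001", ip="203.0.113.10", device="Chrome/macOS",
                 ts="2025-10-25T09:07:00+00:00")
    return log


def edited_copy(log):
    """Simulate an after-the-fact edit: the download record is rewritten as a view."""
    bad = copy.deepcopy(log)
    bad[1]["action"] = "view"
    return bad


def deleted_copy(log):
    """Simulate removal of the download record entirely."""
    return log[:1] + copy.deepcopy(log[2:])


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact :", verify_chain(sample))
    print("edited :", verify_chain(edited_copy(sample)))
    print("deleted:", verify_chain(deleted_copy(sample)))
```

In a deployment the chain head (the latest hash) would be periodically written to storage the application cannot rewrite, for example a write-once bucket or a log-signing service; the in-memory chain alone only proves consistency relative to whatever head the verifier trusts.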
HIPAA alignment (security & auditability)
We design to the HIPAA Security Rule safeguards (administrative, physical, and technical) and to audit-grade access trails, including: unique user IDs, access control, integrity, transmission security, and comprehensive activity logs. (45 CFR §164.308, §164.310, §164.312). We are building toward Business Associate Agreements (BAAs) with covered entities as we enter production pilots.
Today (Phase 1):
- Technical and organizational controls mapped to HIPAA Security Rule safeguards.
- Audit logs for access/changes; exportable for investigations.
- Encryption at rest (AES-256) and in transit (TLS 1.3+).
Next (Phase 2/3):
- Signed BAAs with pilot clinics; formal risk analysis documentation and security training attestations.
California privacy (CCPA/CPRA)
Because we operate in California, we respect California privacy requirements (CCPA as amended by CPRA). As we move from pre-MVP to pilot, we will provide user-friendly processes for rights to know/access, correct, delete, and limit certain uses, along with clear notice of our data practices.
Today (Phase 1):
- Minimal data collection (account and support data only).
- No sale or sharing of personal information.
Next (Phase 2):
- Self-serve access/deletion request flow and designated request channels consistent with CPRA guidance.
Cloud infrastructure
- Provider: Microsoft Azure (US regions).
- Encryption services: Azure Storage/managed disk encryption at rest with AES-256; keys managed via cloud KMS.
- Transport security: TLS 1.3+ enforced on all endpoints.
- Network & isolation: Separate VNets and resource groups per environment; least-privilege service identities.
Product security features (pilot)
- Invite-only access: Stakeholders join a case via expiring invites; permissions are granular (view/upload/download/comment).
- Case-centric repository: Documents are grouped by case, not by user, with status metadata (pending/overdue/complete).
- Audit exports: On-demand exports of access trails and case activity for audits/legal events. (Formats finalized in Phase 2.)
For a sense of "what good looks like," our security program takes cues from industry trust centers that publish concrete measures and certifications (e.g., Atlassian's published security measures around AES-256 at rest and TLS in transit).
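The invite-only access model above (expiring invites, per-case permissions limited to view/upload/download/comment) can be illustrated with a small signed-token scheme. This is an added example, not Auth Hero's code or a description of its actual implementation; the HMAC key, users, case ids and timestamps are constructed, and the token layout is an assumption made for the example.

```python
"""Time-bound, permission-scoped case invites as HMAC-signed tokens.

A token binds (case, invitee, permission set, expiry) and is checked on every
action, so a holder can only do what the invite granted, only on that case,
and only until it expires.
"""
import base64
import hashlib
import hmac
import json
import time

PERMISSIONS = {"view", "upload", "download", "comment"}
DEMO_SECRET = b"constructed-demo-key-not-for-real-use"  # constructed for the example


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_invite(secret, *, case_id, invitee, permissions, ttl_seconds, now=None):
    """Create a signed invite granting only the listed permissions on one case."""
    perms = set(permissions)
    unknown = perms - PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    now = time.time() if now is None else now
    payload = {
        "case_id": case_id,
        "invitee": invitee,
        "perms": sorted(perms),
        "exp": int(now + ttl_seconds),
    }
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def check_invite(secret, token, *, now=None):
    """Return (payload, 'ok') for a valid, unexpired token, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 2:
        return None, "malformed"
    body, sig = parts
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None, "bad_signature"
    payload = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if now >= payload["exp"]:
        return None, "expired"
    return payload, "ok"


def authorize(secret, token, *, user, case_id, action, now=None):
    """Decide whether `user` may perform `action` on `case_id` with this invite."""
    payload, reason = check_invite(secret, token, now=now)
    if payload is None:
        return False, reason
    if payload["invitee"] != user:
        return False, "wrong_user"
    if payload["case_id"] != case_id:
        return False, "wrong_case"
    if action not in payload["perms"]:
        return False, "not_permitted"
    return True, "ok"


def escalated_copy(token):
    """Simulate tampering: add 'download' to the payload but keep the old signature."""
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["perms"] = sorted(set(payload["perms"]) | {"download"})
    new_body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{new_body}.{sig}"


if __name__ == "__main__":
    t = issue_invite(DEMO_SECRET, case_id="CASE-0001", invitee="attorney@example.test",
                     permissions=["view", "comment"], ttl_seconds=3600, now=1_000_000)
    for action in ("view", "download"):
        print(action, authorize(DEMO_SECRET, t, user="attorney@example.test",
                                case_id="CASE-0001", action=action, now=1_000_100))
    print("tampered", authorize(DEMO_SECRET, escalated_copy(t), user="attorney@example.test",
                                case_id="CASE-0001", action="download", now=1_000_100))
```

The important properties are that the permission set is fixed at issue time and signed, that the check is repeated on every action rather than only at join time, and that expiry is enforced server-side; a revocation list keyed on the token would be the natural next addition.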
Vulnerability management & testing
- Secure SDLC: Code reviews, dependency scanning, and CI/CD checks on every merge.
- Scanning: Automated SCA and container/image scanning; infrastructure misconfiguration scans.
- Penetration testing: Third-party pen test scheduled ahead of production pilots; summary findings will be shared under NDA.
Incident response
- 24×7 on-call: Defined escalation to engineering leadership.
- Playbooks: Triage, containment, forensic logging, notification, and post-mortems.
- Notification: If an incident affecting user data occurs, we will notify impacted customers without undue delay consistent with applicable law (including California requirements).
Data retention & deletion
Retention (Phase 1): Minimal retention—test/synthetic data only; support records retained for troubleshooting and legal requirements.
Deletion: Customer data will be deleted upon request or at the end of a pilot agreement, subject to legal holds and backup cycles.
Sub-processors (Phase 1)
Microsoft Azure (hosting, storage, networking). (Details above.)
Additional sub-processors will be listed here before production pilots begin.
Roadmap to Phase 2 (pilot) and Phase 3 (general availability)
- Pilot readiness: BAA templates; formal HIPAA risk analysis artifacts; third-party pen test.
- Privacy operations: Self-serve CPRA request portal and documented response SLAs.
- Compliance targets: HIPAA attestation package for customers; SOC 2 Type I/II evaluation (timeline to be published).
Contact
Questions, security reports, or BAA/pilot requests: support@authhero.com
We welcome good-faith reports. Please avoid sharing PHI in initial emails.
Versions
Trust Center v1 (current)