How we protect your practice data and patient information
Last updated: April 10, 2026
Security Overview
Phyxem AI Suite handles sensitive healthcare data, and security is foundational to every layer of our platform. We follow a defense-in-depth approach — combining strong cryptography, strict access controls, continuous monitoring, and documented incident response procedures.
Our security program is aligned with SOC 2 Type II and HIPAA Security Rule requirements. We undergo regular third-party assessments and maintain an active vulnerability management program.
Data Encryption
AES-256-GCM at Rest
PHI fields are encrypted with AES-256-GCM, an authenticated encryption mode that detects any modification of the stored ciphertext. Keys are managed separately from the database and rotated regularly.
TLS 1.3 in Transit
All connections use TLS 1.3 with modern cipher suites. HSTS is enforced. Certificate pinning protects our mobile apps against MITM attacks.
Authentication & Access Control
Multi-Factor Authentication (MFA): Available for all user accounts and required for administrators.
Password policy: Strong password requirements with breach-compromised password detection.
Role-Based Access Control (RBAC): Granular permissions by role (owner, provider, staff, patient).
API authentication: Bearer token authentication with short-lived tokens and refresh rotation.
Organization isolation: Every API request verifies organization membership before returning data.
Infrastructure Security
SOC 2 Certified Providers
Hosted on Vercel, Supabase, and Neon Postgres — all SOC 2 Type II certified with documented physical and environmental controls.
Continuous Monitoring
Real-time intrusion detection, anomaly alerting, and 24/7 log aggregation. Security events are reviewed daily.
Secrets Management
Environment variables are encrypted at rest and scoped per environment. No secrets are committed to source control.
Automated Backups
Databases are backed up hourly with point-in-time recovery. Backups are encrypted and tested regularly.
Application Security
Secure development lifecycle: Security requirements are integrated into design, development, and deployment.
Static analysis: Every commit is scanned for vulnerabilities, secrets, and dependency issues.
Dependency scanning: Automated alerts for vulnerable dependencies with mandatory patching SLAs.
Input validation: All user input is validated and sanitized to prevent injection attacks.
Rate limiting: API endpoints are rate-limited to prevent abuse and credential stuffing.
Webhook signatures: Inbound webhooks are verified with HMAC-SHA256 signatures.
Content Security Policy: Strict CSP headers prevent XSS and data exfiltration.
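The webhook-signature control above, shown as an added example written for this page (it is not Phyxem's code and the header format `t=<unix-time>,v1=<hex digest>`, the secret value and the 300-second replay window are assumptions): the receiver recomputes the HMAC-SHA256 over the raw body, compares it in constant time, and also rejects stale timestamps so a captured request cannot be replayed.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; a real secret would come from the
# environment, never from source (the page says no secrets are committed).
WEBHOOK_SECRET = b"constructed-demo-secret-do-not-use"
# Hypothetical replay window: signatures older than this are rejected.
REPLAY_WINDOW_SECONDS = 300


def _signed_message(timestamp: int, body: bytes) -> bytes:
    # Binding the timestamp into the MAC input means a captured request cannot
    # simply be re-sent later with its original signature.
    return str(timestamp).encode() + b"." + body


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Build the signature header a trusted sender attaches (hypothetical format)."""
    digest = hmac.new(secret, _signed_message(timestamp, body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_webhook(secret: bytes, body: bytes, header: str, now: Optional[int] = None) -> bool:
    """Return True only for a fresh, well-formed HMAC-SHA256 signature over body."""
    now = int(time.time()) if now is None else now
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        timestamp = int(fields["t"])
        received = fields["v1"]
    except (KeyError, ValueError):
        return False  # missing or malformed header: reject, never fall through
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False  # stale (or far-future) timestamp: treat as a replay
    expected = hmac.new(secret, _signed_message(timestamp, body), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so response timing does not leak
    # how many leading bytes of a guessed digest were correct.
    return hmac.compare_digest(expected.encode(), received.encode())


def demo() -> dict:
    """Exercise the verifier with a constructed payload and several failure modes."""
    body = json.dumps({"event": "appointment.created", "id": "apt_123"}).encode()
    ts = 1_700_000_000
    header = sign_webhook(WEBHOOK_SECRET, body, ts)
    return {
        "valid": verify_webhook(WEBHOOK_SECRET, body, header, now=ts + 10),
        "tampered_body": verify_webhook(WEBHOOK_SECRET, body.replace(b"apt_123", b"apt_999"), header, now=ts + 10),
        "replayed_late": verify_webhook(WEBHOOK_SECRET, body, header, now=ts + 3600),
        "wrong_secret": verify_webhook(b"some-other-secret", body, header, now=ts + 10),
        "malformed": verify_webhook(WEBHOOK_SECRET, body, "not-a-signature", now=ts + 10),
    }


if __name__ == "__main__":
    print(demo())
```

The MAC must be computed over the exact bytes received, before any JSON parsing or re-serialization; normalizing first would let two differently encoded bodies share a signature.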
Audit Logging
Phyxem logs every access to PHI with full attribution:
User identity and role
Timestamp and source IP
Action performed (view, create, update, delete, export)
Record identifier and organization
Success or failure status
Audit logs are tamper-evident, retained for 7 years per HIPAA requirements, and available for customer review through the admin dashboard.
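An added example, written for this page rather than taken from Phyxem, that ties the organization-isolation check from the access-control section to the audit record described here: every attempt to read a PHI record is checked for membership and for record ownership, logged with the fields listed above, and the log is made tamper-evident by hash-chaining each entry to its predecessor. The tenancy tables, user and record identifiers, and the chain format are constructed for the demonstration.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Constructed tenancy data (not Phyxem's schema): which users belong to which
# organization and in what role, and which organization owns each record.
MEMBERSHIPS: Dict[Tuple[str, str], str] = {
    ("user_alice", "org_clinic_a"): "provider",
    ("user_bob", "org_clinic_b"): "staff",
}
RECORDS: Dict[str, dict] = {
    "rec_1": {"org": "org_clinic_a", "patient": "Jane Doe"},
    "rec_2": {"org": "org_clinic_b", "patient": "John Roe"},
}

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def _canonical(entry: dict) -> bytes:
    # Stable serialization so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log where each entry commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, **attrs) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = dict(attrs, prev_hash=prev)
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash; an edited, removed or reordered entry breaks the chain."""
        prev = GENESIS_HASH
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev_hash") != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class Forbidden(Exception):
    pass


def get_record(log: AuditLog, user: str, org: str, record_id: str,
               source_ip: str, timestamp: str) -> dict:
    """Return a record only if user is a member of org AND the record belongs to org.

    Membership alone is not enough: a member of one organization could otherwise
    read another organization's record by supplying its id. Every attempt is
    logged with its outcome, whether or not it succeeds.
    """
    role: Optional[str] = MEMBERSHIPS.get((user, org))
    record = RECORDS.get(record_id)
    allowed = role is not None and record is not None and record["org"] == org
    log.append(
        user=user, role=role, timestamp=timestamp, source_ip=source_ip,
        action="view", record_id=record_id, org=org,
        status="success" if allowed else "failure",
    )
    if not allowed:
        raise Forbidden(f"{user} may not view {record_id} in {org}")
    return record


def demo() -> dict:
    log = AuditLog()
    rec = get_record(log, "user_alice", "org_clinic_a", "rec_1", "203.0.113.5", "2026-04-10T12:00:00Z")
    try:
        # bob is a genuine member of clinic B but asks for clinic A's record
        get_record(log, "user_bob", "org_clinic_b", "rec_1", "198.51.100.7", "2026-04-10T12:01:00Z")
        cross_tenant = "allowed"
    except Forbidden:
        cross_tenant = "denied"
    chain_before = log.verify()
    # Simulate after-the-fact tampering: rewrite the failed attempt as a success.
    log.entries[1]["status"] = "success"
    return {
        "patient": rec["patient"],
        "cross_tenant": cross_tenant,
        "entries": len(log.entries),
        "chain_before": chain_before,
        "chain_after_tamper": log.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

Hash-chaining alone detects edits only if the latest chain head is also recorded somewhere the log writer cannot alter (for example, periodically exported or signed); otherwise an attacker with write access could rewrite the whole chain consistently.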
Vulnerability Management
We maintain a proactive vulnerability management program:
Annual penetration testing by independent security firms
Continuous vulnerability scanning of infrastructure and dependencies
Patching SLAs: Critical vulnerabilities patched within 24 hours, high within 7 days
Bug bounty program: We welcome responsible security research (see below)
Incident Response
Our incident response plan defines clear procedures for detecting, containing, investigating, and recovering from security incidents. Key elements:
24/7 on-call security team with defined escalation paths
Documented runbooks for common incident types
Post-incident reviews and remediation tracking
Customer notification within 60 days per HIPAA Breach Notification Rule
Regular tabletop exercises to test response readiness
Data Residency & Retention
All customer data is stored in the United States in SOC 2 certified cloud regions. Data retention is configurable per customer, with default retention aligned to HIPAA requirements (7 years for medical records).
Upon account termination, customer data is retained for 90 days to allow export, then securely deleted. Backups are purged within 180 days.
Employee Security
Background checks on all employees with access to production systems
Mandatory security awareness training annually
Least-privilege access provisioning with quarterly access reviews
Device management: MDM-enforced encryption and automatic patching on all company devices
Offboarding procedures that revoke access within 1 hour of termination
Report a Security Issue
If you believe you have discovered a security vulnerability in Phyxem, please report it privately so we can investigate and remediate before any public disclosure.
Response time: Initial acknowledgment within 24 hours
We commit to investigating all legitimate reports, working with you to understand and resolve the issue, and acknowledging your contribution with your permission.
Compliance & Certifications
HIPAA Compliant
SOC 2 Aligned
TLS 1.3
AES-256 Encryption
US Data Residency
Contact
For security questions, BAA requests, or compliance documentation: