The hard part of any healthcare GCC — owned.
For procurement and security reviewers: this is how we handle HIPAA, BAAs, data, identity, and audit. Not a posture we promise to build — one we already run for a live US healthcare product.
HIPAA controls
Administrative, physical, and technical safeguards implemented and maintained — the same controls behind our own product.
BAA before access
A Business Associate Agreement is executed before any team member touches protected health information. No exceptions.
SOC 2 underway
A formal SOC 2 program is in progress, building on the controls already operating in production.
Data-handling SOPs
Documented standard operating procedures for data classification, storage, transit, and disposal — auditable end to end.
Access & identity governance
Least-privilege access, role-based controls, and identity governance across every environment your team touches.
Zero-trust posture
Security-by-design, not security-by-afterthought — verification at every boundary, with audit-ready documentation.
For your security review
We're built to pass procurement and security diligence — because we've passed it ourselves, with paying US healthcare clients. Request our compliance overview and we'll walk your reviewers through controls, evidence, and the BAA process.
Compliance, answered.
When is the BAA executed?
Are these controls aspirational or real?
What is your SOC 2 status?
How do you handle data residency and disposal?
Send us your security questions.
We'll provide a compliance overview and walk your reviewers through controls and evidence — before you commit to anything.