Compliance

Standards we meet

HIPAA Compliant
Business Associate Agreements in place with all employers and vendors handling PHI
AES-256 Encryption
All health data encrypted at rest and in transit using industry-standard protocols
Annual Pen Testing
Independent penetration testing conducted every year by a third-party security firm
How we protect your data

Six layers of protection

Encryption everywhere
All health data is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are managed through a dedicated key management service and rotated annually. No health data is stored in plaintext anywhere in our system.
Strict access controls
Access to Protected Health Information is limited to personnel whose role requires it. All internal access requires multi-factor authentication. Access rights are reviewed quarterly and revoked immediately upon role change or departure.
Immutable audit logs
Every access to health data is logged with a timestamp, user ID, and action taken. Logs are write-once and cannot be modified or deleted during their retention period. Audit logs are reviewed monthly by our security team and are available to employers on request under HIPAA.
Third-party penetration testing
An independent security firm conducts a full penetration test of our infrastructure and application layer annually. Critical findings are remediated within 30 days and all other findings within 90 days. Employers may request a summary of the most recent test results.
Vendor security requirements
Every third-party vendor that handles health data on our behalf signs a Business Associate Agreement and must meet our minimum security standards. We review vendor security posture annually and immediately terminate relationships where standards are not maintained.
Breach notification
In the event of a security incident affecting PHI, we notify affected individuals and employers within the timeframes HIPAA requires, and no later than 60 days from discovery. We maintain a documented incident response plan that is tested annually.
Technical specifications

The specifics, for your IT team

Data encryption at rest: AES-256
Data encryption in transit: TLS 1.3
Authentication standard: OAuth 2.0 with PKCE
Internal access authentication: MFA required
Cloud infrastructure: AWS US-East (HIPAA eligible)
Data residency: United States only
Penetration testing: Annual, third-party
Business Associate Agreements: All employers and vendors
Audit log retention: 7 years
Uptime SLA: 99.9%
Incident response SLA (critical severity): 2 hours
Security documentation available: Yes, on request

Security questions or concerns?

For security documentation requests, vendor security reviews, or to report a potential vulnerability, contact our security team directly.

To report a vulnerability, please email us directly rather than filing a public issue. We respond to all security reports within 24 hours.