Advanth

Security & Compliance

Regulatory-grade by design.

AHAI was built from day one for HIPAA-regulated environments. Every requirement is testable, traceable, and audit-ready.

HIPAA

PHI access controls, minimum-necessary enforcement, BAA-backed vendors, and 7-year audit retention.

SOC 2

Security, availability, and confidentiality controls aligned to SOC 2 trust service criteria.

TCPA

Consent validated before every outbound communication. Revocations take effect immediately.

PCI-DSS SAQ-A

Tokenized hosted-checkout payments. PAN and CVV never enter the AHAI environment.

Data protection

  • AES-256 at rest with per-tenant KMS customer-managed keys (rotated every 365 days)
  • TLS 1.2+ in transit; legacy protocols rejected at the WAF
  • Tenant_id partition key on every entity; cross-tenant access blocked and alerted as P1
  • PHI never appears in logs, event headers, or error messages
  • Secrets stored exclusively in AWS Secrets Manager with auto-rotation
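The tenant-isolation and logging controls listed above can be illustrated with a small store whose lookups are keyed by the caller's tenant, so a record belonging to another tenant is not addressable at all, and whose explicit cross-tenant requests are refused, logged without payload fields, and raised as a P1 alert. This is an added example written for this page, not AHAI code; the class and function names, the in-memory store and the alert sink are all assumptions standing in for a real database and paging system.

```python
"""Added example: tenant-scoped data access with P1 alerting on
cross-tenant attempts. All names and the in-memory store are
assumptions, not the product's own implementation."""
from dataclasses import dataclass, field
import logging

logger = logging.getLogger("tenant_guard")


class CrossTenantAccess(Exception):
    """Raised when a caller's tenant does not match the requested tenant."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str


@dataclass
class Record:
    record_id: str
    tenant_id: str  # partition key present on every entity
    payload: dict   # may contain PHI; must never reach a log line


@dataclass
class AlertSink:
    """Constructed stand-in for a paging/alerting system."""
    alerts: list = field(default_factory=list)

    def page(self, severity: str, message: str) -> None:
        self.alerts.append((severity, message))


class TenantScopedStore:
    """Every read and write is keyed by (tenant_id, record_id)."""

    def __init__(self, alert_sink: AlertSink) -> None:
        self._rows: dict[tuple[str, str], Record] = {}
        self._alerts = alert_sink

    def put(self, principal: Principal, record: Record) -> None:
        if record.tenant_id != principal.tenant_id:
            self._deny(principal, record.tenant_id, record.record_id, "write")
        self._rows[(record.tenant_id, record.record_id)] = record

    def get(self, principal: Principal, record_id: str):
        # The caller's own tenant_id is part of the key, so a row with the
        # same record_id under another tenant is simply not addressable.
        return self._rows.get((principal.tenant_id, record_id))

    def list_for_tenant(self, principal: Principal, requested_tenant_id: str):
        if requested_tenant_id != principal.tenant_id:
            self._deny(principal, requested_tenant_id, "*", "list")
        return [r for (t, _), r in self._rows.items() if t == principal.tenant_id]

    def _deny(self, principal: Principal, target_tenant: str,
              record_id: str, op: str) -> None:
        # Only identifiers are logged; no payload (PHI) fields are included.
        msg = (f"cross-tenant {op} blocked: user={principal.user_id} "
               f"tenant={principal.tenant_id} target_tenant={target_tenant} "
               f"record={record_id}")
        logger.error(msg)
        self._alerts.page("P1", msg)
        raise CrossTenantAccess(msg)


def demo():
    """Constructed scenario: one record in tenant-a, one caller from tenant-b."""
    sink = AlertSink()
    store = TenantScopedStore(sink)
    alice = Principal("u-alice", "tenant-a")
    bob = Principal("u-bob", "tenant-b")  # misconfigured client in another tenant
    store.put(alice, Record("r1", "tenant-a", {"note": "constructed sample"}))
    own = store.get(alice, "r1")       # found
    other = store.get(bob, "r1")       # None: not addressable from tenant-b
    try:
        store.list_for_tenant(bob, "tenant-a")
        blocked = False
    except CrossTenantAccess:
        blocked = True
    return own is not None, other is None, blocked, sink.alerts


if __name__ == "__main__":
    print(demo())
```

The design point is that the default read path cannot leak across tenants even when the guard is forgotten, because the partition key is part of every lookup; the explicit deny path exists for operations that name a tenant and is where the P1 alert is raised.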

Operational resilience

  • ≥99.9% monthly availability target with Multi-AZ ECS, RDS, and ALB
  • RTO < 4 hours, RPO < 15 minutes for critical services
  • Circuit breakers on every external dependency, with audited state transitions
  • Dead letter queues with RBAC-gated replay — zero tolerance for silent drops
  • Quarterly DR tabletop exercises and kill-switch drills

AI governance

  • Non-SaMD: AI outputs are advisory; clinical decisions remain with the provider
  • Hourly drift detection with auto-rollback at critical thresholds
  • Model versions pinned, audited, and approved by clinical leadership before promotion
  • Tenant-scoped AI kill switch propagates within 30 seconds
  • Every AI-generated artifact carries the model version ID end-to-end

Vendor governance

  • Every PHI vendor requires an executed BAA before production enablement
  • MedPlum FHIR R4 self-hosted inside the AHAI VPC — vendor has zero PHI access
  • Component-level RACI with named escalation owners
  • Incident response SLAs: P1 containment under 30 minutes
  • HIPAA breach notification workflows pre-defined and rehearsed

Need our compliance documentation?

We provide SOC 2 reports, BAAs, security questionnaires, and architecture documentation under NDA.

Contact Compliance