Security at Aura‑Chart
Healthcare security is complicated. Aura‑Chart makes it simple.
Patient‑first privacy
Built to safeguard PHI end‑to‑end and support HIPAA obligations.
Defense‑in‑depth
Multiple layers of technical and procedural controls across our stack.
Transparent practices
Clear data handling, access control, and incident response.
Zero‑Retention, Encrypted by Default
- No permanent storage: Transcriptions and generated notes are processed to deliver your request and then discarded. We don’t keep PHI by default.
- Encrypted in transit: All data sent to and from Aura‑Chart is protected with TLS 1.2+.
- No model training on your data: Your prompts and outputs aren’t used to train foundation models by default.
- Configurable retention (optional): If you enable exports or clinic‑level retention, data is stored per your policy; default is zero‑retention.
- No PHI in logs: Operational logs exclude patient identifiers and clinical content.
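One way to enforce a "no PHI in logs" control at the application layer is to scrub every log record before any handler formats it. The Python logging filter below is an added example, not Aura‑Chart's code: it redacts identifier‑shaped tokens (SSN, MRN, date of birth, e‑mail) and blanks structured fields that carry clinical free text, and it is run here over constructed log calls. The patterns, field names and logger name are assumptions; a real deployment tunes them to its own identifier formats and tests them against known‑PHI fixtures.

```python
import io
import logging
import re

# Assumed identifier formats (example only; tune to the application's own
# MRN/ID schemes). Each match is replaced by a labelled placeholder so the
# line stays useful for debugging without carrying the value.
PHI_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN", re.compile(r"\bMRN[:= ]?\d{6,10}\b", re.IGNORECASE)),
    ("DOB", re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]

# Assumed names of structured-log fields that carry clinical content
# (transcripts, generated notes). These are dropped outright rather than
# pattern-scrubbed: free text cannot be reliably de-identified by regex.
CLINICAL_FIELDS = {"transcript", "note", "note_text", "diagnosis", "medications"}


def redact(text: str) -> str:
    """Replace every PHI-shaped token in text with a labelled placeholder."""
    for label, pattern in PHI_PATTERNS:
        text = pattern.sub(f"[REDACTED-{label}]", text)
    return text


def drop_clinical_fields(event: dict) -> dict:
    """Return a copy of a structured log event with clinical fields blanked
    and the remaining string values redacted."""
    cleaned = {}
    for key, value in event.items():
        if key in CLINICAL_FIELDS:
            cleaned[key] = "[OMITTED-CLINICAL]"
        elif isinstance(value, str):
            cleaned[key] = redact(value)
        else:
            cleaned[key] = value
    return cleaned


class PHIRedactingFilter(logging.Filter):
    """Scrub a LogRecord in place before any handler formats it.

    The message is rendered first (so %-style args are covered too) and then
    redacted; clinical fields attached via logger.info(..., extra={...}) are
    overwritten so a formatter that prints them cannot leak them.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        for field in CLINICAL_FIELDS:
            if hasattr(record, field):
                setattr(record, field, "[OMITTED-CLINICAL]")
        return True  # never suppress the line, only its sensitive content


def capture_scrubbed(messages):
    """Run constructed (msg, args, extra) tuples through a logger whose handler
    carries the filter, and return the lines the handler emitted."""
    buf = io.StringIO()
    logger = logging.getLogger("phi_filter_example")  # assumed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PHIRedactingFilter())
    logger.addHandler(handler)
    for msg, args, extra in messages:
        logger.info(msg, *args, extra=extra)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    # Constructed sample log calls, not real patient data.
    sample = [
        ("note generated for MRN:00123456 dob 1980-05-17", (), None),
        ("user %s requested export of encounter %d",
         ("dr.smith@clinic.example", 42), None),
        ("transcription done", (), {"transcript": "patient reports chest pain"}),
    ]
    for line in capture_scrubbed(sample):
        print(line)
```

The date pattern will also hit ISO timestamps that are not dates of birth; that over‑redaction is the intended failure mode, since a missing timestamp in a log line is recoverable and a leaked DOB is not. Pattern scrubbing is a backstop, not the primary control: clinical text should never be passed to the logger in the first place, which is why the structured fields are blanked rather than searched.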
Our Approach
- Standards‑aligned: Security program mapped to NIST CSF/800‑53 principles and HIPAA requirements.
- HIPAA‑ready infrastructure: Runs on HIPAA‑eligible services with strong isolation and monitoring.
- BAA support: Business Associate Agreements available for covered entities and applicable partners.
Data Protection
- Encryption everywhere: TLS 1.2+ in transit; AES‑256 at rest with managed keys (KMS).
- Network hardening: Private networking, firewalling/WAF, least‑privilege service roles, environment isolation.
- Secrets management: Centralized secret storage, rotation, and tight access scopes.
- Backups and recovery: Encrypted backups and tested restore procedures.
Risk Management and Testing
- Continuous scanning: SCA/SAST on every merge; dependency updates monitored and applied promptly.
- Regular penetration testing: Independent assessments that validate our controls, with findings tracked through to remediation.
- Secure SDLC: Code reviews, change management, and production deploy gates with automated checks.
Access Control and Governance
- Least privilege by default: Role‑based access (RBAC), just‑in‑time elevation for production support.
- SSO + MFA: Strong authentication with MFA enforcement; SSO via SAML/OIDC available.
- Auditability: Centralized logging of administrative actions and data access with periodic reviews.
- Workforce safeguards: Background checks, security training, endpoint/device protections.
PHI Handling and Retention
- Data minimization: We collect the minimum necessary to deliver care‑support features.
- No model training on your data: Prompts and outputs from your environment are not used to train foundation models by default.
- Configurable retention: Flexible retention windows and deletion workflows; export on request.
- Third‑party boundaries: No sharing of PHI/PII with third parties except contracted, HIPAA‑eligible subprocessors under appropriate agreements.
Model and Feature Privacy
- AI assistant, not a data siphon: Medication suggestions and note generation respect the same privacy controls as the rest of the platform.
- Scoped processing: Data used strictly to fulfill your requested action (e.g., generate a note, suggest medications), then handled per your retention policy.
Incident Response and Resilience
- 24×7 on‑call: Defined triage, containment, and eradication procedures with executive oversight.
- Customer notifications: Breach notification workflows aligned to HIPAA requirements.
- Business continuity: Redundancy and disaster recovery plans with defined RTO/RPO targets.
Compliance and Assurances
- HIPAA support: Security controls designed to support your HIPAA compliance program; BAAs available.
- Security documentation: Detailed policies, subprocessors list, and data‑flow diagrams available upon request.
Security History
Zero known breaches: We maintain strong preventative and detective controls and continuously improve our posture.