Trust
Security & HIPAA Posture
Last reviewed: April 2026
Data protection
PHI fields (clients, staff, clinical notes) are encrypted at rest with AES-256-GCM using per-tenant keys derived with HKDF. All traffic uses TLS 1.2 or higher, with HSTS enforced.
Access controls
Access is role-based (owner, admin, clinician, biller, viewer) with Firestore tenant isolation. Email verification and step-up re-authentication are required for sensitive actions. MFA can be enabled on the account security page.
Auditability
Every PHI read/write, BAA acceptance, DSR request, and admin action is recorded in a tamper-evident audit log. Admins can export the log as CSV for compliance review.
Business Associate Agreement
A Business Associate Agreement (BAA) is required before any PHI workflow is enabled. See the BAA page for the current version.
Incident response
We follow the HHS 60-day breach notification rule. Report a security issue to security@agenciesforge.com.