# Trust & Security at Accurecord
Security and compliance are foundational to how we handle Protected Health Information — not bolted on.
Accurecord handles Protected Health Information (PHI) for medical coding.
## Compliance status
| Framework | Status |
|---|---|
| HIPAA | Compliant — BAA available before any PHI is processed |
| SOC 2 Type II | In progress — observation window underway (target Q4 2026) |
| HITRUST | On roadmap |
## How we protect PHI
- Encrypted at rest — AES-256-GCM on PHI in our owned tables; secrets in Azure Key Vault.
- Encrypted in transit — TLS 1.2+ everywhere; HSTS, strict CSP, and security headers on every response.
- Minimized before AI — identifiers are scrubbed before any LLM call; our LLM subprocessor is configured for zero data retention.
- BAA-gated — PHI features are disabled until a Business Associate Agreement is signed.
- Fully audited — every PHI access is written to a HIPAA Accounting-of-Disclosures ledger (45 CFR §164.528) and is customer-exportable (CSV / FHIR AuditEvent).
- Access controlled — per-organization tenancy, hashed API keys with tiered access, enterprise SSO (OIDC, SAML), SCIM provisioning, and automatic blocking of credential-stuffing IPs.
## Subprocessors
| Subprocessor | Purpose | PHI access |
|---|---|---|
| Microsoft Azure | Hosting (Container Apps, PostgreSQL, Key Vault) | Yes — BAA signed |
| OpenAI | LLM coding inference on PHI-scrubbed input | Limited — BAA signed, zero-retention |
| Stripe | Billing | No |
Subscribe for subprocessor-change notifications: [email protected].
## Documents
- Privacy Policy (accurecord.io/privacy) · Terms of Service (/terms) · DPA (/dpa) · SLA (/sla)
- Request a BAA: [email protected]
- Request our SOC 2 report / security questionnaire (under NDA): [email protected]
## Report a vulnerability
Email [email protected]. We acknowledge reports within 2 business days and do not pursue good-faith researchers who follow coordinated disclosure.