SECURITY & COMPLIANCE
Built for healthcare-grade trust.
Polify is designed from the ground up to meet the security and compliance requirements of healthcare organizations. Every architectural decision reflects the sensitivity of the data our customers work with.
COMPLIANCE POSTURE

| Framework | Status |
|---|---|
| HIPAA | HIPAA-ready infrastructure |
| SOC 2 | Type II in progress |
| GDPR | GDPR compliant |
| TLS 1.3 | In-transit encryption |
Data handling
Encryption at rest
All data encrypted using AES-256. Encryption keys are managed by our KMS (Key Management Service) with automatic rotation.
Encryption in transit
All data transmitted over TLS 1.3. Older protocol versions are rejected at the load balancer level.
Tenant isolation
Each customer's data is logically isolated. Cross-tenant data access is architecturally prevented, not just policy-controlled.
Access controls
Single Sign-On (SSO)
SSO via SAML 2.0 is available on Enterprise plans. Supports Okta, Azure AD, Google Workspace, and any SAML-compliant identity provider.
SCIM provisioning
Automated user provisioning and deprovisioning via SCIM 2.0 on Enterprise plans. Users removed from your IdP are immediately deprovisioned in Polify.
Role-based access
Admin, Editor, and Viewer roles with granular permission controls. Admins can restrict access to specific payers, report categories, or features.
Audit & logging
Comprehensive audit trail
Every read, write, export, and login event is logged with user ID, timestamp, IP address, and action detail.
Exportable logs
Audit logs are exportable in JSON or CSV format from the admin panel. Enterprise customers can stream logs to their SIEM via webhook.
Retention
Audit logs are retained for 12 months on Standard and above. Enterprise customers can configure extended retention up to 7 years.
Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure and hosting | United States |
| Anthropic | AI model inference for Ask Polify | United States |
| Stripe | Payment processing | United States |
| SendGrid | Transactional email delivery | United States |
| Datadog | Application monitoring and logging | United States |
HIPAA Business Associate Agreement (BAA)
A HIPAA Business Associate Agreement is available on Standard plans and above. Enterprise customers receive a custom BAA as part of their contract. Download our standard BAA template or contact sales to negotiate custom terms.
Security contact
To report a vulnerability, request a penetration test report, or ask security-specific questions, contact our security team directly. We respond to all security inquiries within 24 hours.
security@polify.com