Built to be audited.
Authora is engineered around the constraints of a regulated industry. Every claim on this page links to evidence — current certifications, in-progress audits with dates, and the gaps we will not pretend to have closed.
What is true today, what is in flight, and when each completes.
| Standard | Scope | Status | Auditor | Last verified | Next milestone |
|---|---|---|---|---|---|
| HIPAA Security Rule | Platform | Conformant | Self-attested | 2026-04-12 | Q3 2026 external attestation (Vanta) |
| SOC 2 Type I | Platform | In progress | Vanta + auditor TBD | Evidence collection | Target Q3 2026 |
| SOC 2 Type II | Platform | Planned | — | — | Target Q1 2027 |
| HITRUST CSF | Platform | Planned | — | — | Track started Q2 2026 |
| NCQA UM Accreditation | Delegated UM | Planned | NCQA | — | Application open Q4 2026 |
| CAQH CORE Certification | X12 278 / 270 / 271 | In progress | CAQH | Test phase | Target Q3 2026 |
| FedRAMP Moderate | Platform | Roadmap | — | — | Target FY27 if first government customer signs |
| ISO 27001 | Platform | Roadmap | — | — | Pairs with SOC 2 Type II |
| WCAG 2.2 AA | Web | Conformant | axe-core + Deque manual | 2026-05-01 | Q3 2026 external audit |
| Section 508 | Web | Conformant | Self-attested | 2026-05-01 | Pairs with WCAG external |
PHI at rest, in transit, and in process.
At rest, AES-256-GCM with customer-managed keys via AWS KMS as an option, on a 90-day rotation. In transit, TLS 1.3 minimum across every internal and external hop. In process, PHI is handled inside memory-encrypted enclaves on dedicated worker pools. No customer PHI is ever logged to disk in plaintext, and no analytics pipeline receives identifiable data.
All PHI lives in us-east-2 (Ohio). Multi-region failover is restricted to US regions. No data ever leaves the United States. Customer-controlled deletion is honored within 30 days of contract termination, with a signed certificate of destruction delivered to the customer's compliance officer.
Role-based access with strict tenant isolation enforced at the database, application, and audit-log layers. Break-glass access for engineering requires dual-control approval, time-bound credentials, and an immutable audit entry. No engineer touches a single byte of customer PHI without a logged, dual-approved access ticket — including the founders.
Every read, every write, every decision — accountable.
Every read, every write, every decision, every integration call is captured. Entries are SHA-256 chained per tenant and delivered daily by SFTP to a customer-controlled S3 bucket encrypted with a customer-managed KMS key. Retention is seven years. The chain can be independently verified; we publish the verification tool.
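As an added illustration of how a per-tenant SHA-256 chain makes silent edits detectable (example code written for this page, not Authora's published verification tool; the record layout with `tenant`, `seq`, `prev` and `entry_hash` fields over canonical JSON is an assumption):

```python
# Added example: SHA-256 hash-chain verifier for per-tenant audit logs.
# Illustrative code, not Authora's published tool. The record layout
# (tenant, seq, prev, entry_hash over canonical JSON) is an assumption.
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first record of each tenant chain


def canonical(record: dict) -> bytes:
    # Sorted keys, no whitespace: writer and verifier hash identical bytes.
    body = {k: v for k, v in record.items() if k != "entry_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def append_entry(chain: list, tenant: str, event: dict) -> dict:
    """Link a new event to the tenant's chain head and return the sealed record."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    record = {"tenant": tenant, "seq": len(chain), "prev": prev, **event}
    record["entry_hash"] = entry_hash(record)
    chain.append(record)
    return record


def verify_chain(chain: list, tenant: str) -> tuple:
    """Return (ok, first_bad_seq): checks tenant, seq, prev link and hash."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("tenant") != tenant or rec.get("seq") != i:
            return False, i  # record from another tenant, or a gap/reorder
        if rec.get("prev") != prev or entry_hash(rec) != rec.get("entry_hash"):
            return False, i  # broken link or edited content
        prev = rec["entry_hash"]
    return True, None


def demo() -> tuple:
    # Constructed sample events for one tenant; no real PHI.
    chain = []
    for actor, action in [("svc-intake", "read"), ("jdoe", "write"), ("svc-278", "decision")]:
        append_entry(chain, "tenant-a", {"actor": actor, "action": action, "case": "C-001"})
    before = verify_chain(chain, "tenant-a")
    chain[1]["action"] = "read"  # silent edit of a historical record
    return before, verify_chain(chain, "tenant-a")  # ((True, None), (False, 1))
```

A compliance officer running this over a daily export learns not just that the chain is broken but at which sequence number, which is the entry to pull from the immutable copy.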
Your named compliance officer can request a full export of any slice of the audit log — by patient, by case, by date range, by integration — and receive it within a 24-hour SLA. No fee, no negotiation. This is part of the BAA, not a paid add-on.
Material security events are disclosed in writing within 24 hours. Breaches affecting PHI are disclosed within 60 days as required by the HIPAA Breach Notification Rule. The status page is public and historical; nothing is quietly redacted.
Authora executes a BAA before any production data flow. Our template is based on the OCR sample, with payer-specific addenda available for the major commercial plans. Download our standard BAA template for legal review prior to procurement.
The section that wins trust.
SOC 2 Type II will not complete until Q1 2027. Until then, customers should reference our SOC 2 Type I evidence pack and our HIPAA self-attestation.
FedRAMP authorization is on the roadmap pending a government customer LOI. Federal use cases are gated on this and we will not pretend otherwise.
Authora has not yet completed an independent NCQA UM audit. Delegated UM operations contracts will be conditioned on customer-supervised parallel review for the first 90 days.