Security at eCareHRMS
We treat security as a first-class product feature. Every eCareHRMS customer benefits from a layered security posture built on HIPAA, SOC 2, HITRUST, and modern cloud-native controls.
Compliance & certifications
HIPAA-compliant with signed Business Associate Agreement (BAA) for every customer. SOC 2 Type II audited annually by a Big 4 firm. HITRUST CSF v11 certification roadmap in progress.
Data protection
AES-256 encryption at rest for all PHI. TLS 1.3 in transit. Customer-managed encryption keys (CMK) available for enterprise plans. Field-level encryption for select PHI columns.
Access & identity
Role-based access control (RBAC), least-privilege defaults, MFA required for admin roles, SSO via SAML 2.0 and OIDC. Just-in-time access for employees with full audit trails.
Network & infrastructure
Hosted on AWS US regions with multi-AZ failover. Private VPCs, no public database endpoints, WAF and DDoS protection at the edge. Continuous vulnerability scanning and quarterly third-party penetration tests.
Privacy & data minimization
We collect only the data needed to operate the service. We do not train AI models on customer PHI without explicit consent. Customers own their data and can export it at any time in standards-based formats (FHIR, CSV).
Incident response
24/7 security operations with documented incident response runbooks. Customer notification within 24 hours of a confirmed breach involving PHI, per HIPAA and state breach notification laws.
Need our security packet?
Email security@medarch.com to receive our SOC 2 Type II report, HIPAA BAA template, pen-test summary, and infrastructure overview under NDA.