Security at RevelAi Health
RevelAi Health is built to support clinical teams and healthcare organizations with security, privacy, and reliability at the core. We protect sensitive data through a defense-in-depth security program aligned to industry best practices and healthcare regulatory requirements.
Compliance & Assurance
SOC 2 Type II compliant.
Our SOC 2 Type II audit (Security, Availability, and Confidentiality Trust Service Criteria) demonstrates that our controls are not only designed effectively but also operate consistently over time. SOC 2 is widely recognized as the leading assurance framework for SaaS security programs.
HIPAA compliant.
RevelAi Health maintains administrative, physical, and technical safeguards in alignment with the HIPAA Security Rule for protecting electronic PHI (ePHI). We support HIPAA workflows and sign Business Associate Agreements (BAAs) with covered entities as needed.
Continuous risk management.
We perform regular risk assessments and security reviews, and our program is continuously monitored and improved.
Data Protection
Encryption in transit and at rest.
All sensitive data is encrypted during transmission and while stored to prevent unauthorized access.
Secure data handling.
We follow the principle of least privilege and data minimization, collecting only what is needed to deliver our services and clinical workflows.
Backups & recovery.
We maintain routine backups and tested recovery procedures to help ensure data durability and availability.
Product & Application Security
Secure development lifecycle.
Security is integrated into how we build. We use secure coding practices, peer review, automated testing, and vulnerability scanning throughout development.
Vulnerability management.
We continuously monitor for vulnerabilities, patch quickly, and regularly review dependencies and infrastructure for emerging risks.
Audit logging.
Access to systems and sensitive data is logged to support monitoring, investigations, and compliance reporting.
Access Controls & Identity
Role-based access control (RBAC).
Customer data is accessible only to authorized users based on role and need.
Strong authentication.
We support modern authentication methods and require secure passwords and session controls for platform access.
Internal access safeguards.
RevelAi employees access customer data only when necessary for support or operations, and always under strict access policies and monitoring.
Data Privacy
Customer data belongs to you.
We never sell customer data. We use customer data only to provide and improve our services, consistent with contractual and regulatory obligations.
Privacy by design.
We limit data exposure, segregate environments, and use privacy-preserving defaults across the platform. HIPAA’s Privacy and Security Rules are key anchors for how we govern PHI.
Retention & deletion.
We retain data only as long as required for clinical, operational, or legal purposes and support secure deletion when data is no longer needed.
Infrastructure Security
Secure cloud hosting.
Our platform is hosted in reputable, compliant cloud infrastructure with strong physical and network safeguards.
Network protection.
We use layered network security controls such as segmentation, firewalling, and threat monitoring.
Incident Response
Prepared and tested.
We maintain an incident response plan designed to identify, contain, remediate, and learn from security events.
Breach notification.
If a security incident impacts PHI, we follow HIPAA breach notification requirements and work with customers promptly and transparently.
Working With Healthcare Organizations
We understand that healthcare clients need both rigorous controls and operational transparency. We’re happy to provide:
SOC 2 Type II report under NDA
BAA (Business Associate Agreement)
Security questionnaire support
Architecture and data-flow reviews
Penetration test summaries
Contact
Have a security question, need documentation, or want to start a review?
Contact us at hello@revelaihealth.com.
