Security & compliance
HIPAA-compliant by architecture. Not by attestation.
ABHOS was built to handle PHI from the first migration. Every architectural decision was made with HIPAA, the 2026 NPRM, and your compliance officer in mind.
Compliance posture
Signed BAAs across every vendor that touches PHI.
| Program | Scope | Status |
|---|---|---|
| HIPAA | Full compliance posture, production-ready. | Active |
| Supabase BAA | Database, auth, storage, edge functions. HIPAA add-on active. | Signed |
| Vercel Enterprise BAA | Hosting, edge runtime, deployment. | Signed |
| Google Cloud BAA | All PHI-touching AI calls route through Google Vertex AI under GCP's BAA. | Signed |
| Twilio HIPAA | SMS for appointment reminders. HIPAA-eligible account. | Signed |
| SOC 2 Type II | Independent audit in progress. | In Progress |
Architecture
Per-tenant isolation. Cross-tenant access is impossible.
Most behavioral health EHRs use shared-database multi-tenancy. Every customer's PHI lives in the same database, separated only by row-level security policies. If a misconfigured policy lets one customer query another customer's data, the breach is silent and total.
ABHOS uses per-tenant isolation. Every customer gets their own Supabase project, their own Vercel deployment, their own Resend account, and their own subdomain on abhos.com. There is no shared database. There is no shared connection pool. Cross-tenant access is not a configuration mistake away — it's a physical impossibility.
This is more expensive to operate. We do it because it's the right call for healthcare.
Per-tenant isolation
Every customer gets their own stack. Nothing is shared.
Customer A
- Vercel deployment
- Supabase project — DB · Auth · Storage
- Resend account
Customer B
- Vercel deployment
- Supabase project — DB · Auth · Storage
- Resend account
Customer C
- Vercel deployment
- Supabase project — DB · Auth · Storage
- Resend account
No shared database · No shared connection pool · No cross-tenant access
Controls
What we do, specifically.
- Per-tenant data isolation. Separate Supabase project per customer. No shared DB.
- MFA mandatory for clinicians. TOTP-based AAL2 enforcement, aligned with the 2026 NPRM.
- PHI never in logs or URLs. Audit logs track access; PHI itself is filtered out of telemetry.
- AI under BAA only. All PHI-touching AI routes through Google Vertex AI under GCP's BAA.
- PIN-gated signing. 4–6 digit bcrypt-hashed, 3-attempt lockout, audited per 45 CFR 164.308(a)(4).
- Encryption at rest and in transit. AES-256 at rest via Supabase Storage. TLS 1.3 in transit.
- Audit logging. Every PHI read, write, and access logged with user, timestamp, and IP.
- Breach response. Customer notified within 24 hours of any security incident affecting PHI.
- Vendor BAA management. No new PHI flows enabled until vendor BAA is signed. Fail-closed by default.
- Data residency. Supabase West US Oregon region. No cross-region replication without customer consent.
Subprocessors
Every vendor that touches PHI. Documented.
| Subprocessor | Purpose | BAA Status |
|---|---|---|
| Supabase | Database, auth, storage | Signed |
| Vercel | Hosting, edge runtime | Signed |
| Google Cloud | AI (Vertex AI), Workspace | Signed |
| Twilio | SMS appointment reminders | Signed |
| Office Ally | EDI claims clearinghouse | Customer-owned |
| Surescripts | E-prescribing | Customer-owned |
| Resend | Transactional email | Pending |
Resend BAA pending Workspace DNS configuration. No PHI-touching email flows enabled until BAA is in place.
Compliance review questions?
Email accounts@hellaintel.com or request a security walkthrough with our engineering lead.