1. HIPAA & the Business Associate Agreement
To the extent ProofOps processes Protected Health Information ("PHI") as defined under 45 CFR § 160.103, ProofOps acts as a Business Associate. We sign a Business Associate Agreement ("BAA") with every customer before any PHI is loaded into the system. The BAA covers permitted uses, breach notification within 24 hours of confirmed breach, sub-processor flow-downs, and return or destruction of PHI on termination.
Customers can request the standard ProofOps BAA at support@proofopsmedical.com. Material modifications are reviewed case-by-case.
2. Data classification & what we collect
- Public data — content on our website.
- Account data — customer billing, staff roster, vendor list, license numbers, EMR connection metadata.
- Customer Data — manifests, training certificates, SDS sheets, BAAs, incident logs, audit records.
- PHI — schedule data, GFE records, and any document that includes patient identifiers and clinical information, processed under the BAA.
We collect the minimum necessary for the service. We do not collect, store, or process Social Security numbers, full payment-card numbers (PCI handled by our processor), or government-classified information.
3. Encryption
- In transit: TLS 1.3 enforced on all customer-facing endpoints.
- At rest: AES-256 on application data and document storage. Database backups are encrypted with separate key material.
- Key management: managed-KMS rotation; no plaintext key material on developer machines.
- Email and SMS: messages to staff and customers do not contain PHI by default; clinical detail is delivered behind authenticated links to the customer portal.
4. Access control
- Single sign-on with mandatory multi-factor authentication for ProofOps staff.
- Role-based access; engineering does not have standing access to production customer data. Just-in-time elevation with audit log on every access.
- Customer Account Owners can manage user access in the portal; user activity is logged and exportable.
- Annual access reviews; immediate revocation on staff departure.
- WebAuthn passkey (FaceID / Touch ID) required for every email-action approval (action-token dispatch). No data breaches by misclick — every consequential action requires biometric confirmation.
- Magic-link sign-in (60-min validity) available as a password alternative; rate-limited and single-use.
- PWA-installable on iOS + Android — home-screen install, biometric-locked, works as the customer's daily compliance app.
- SMS one-tap approvals (Y / N / APPROVE / DECLINE) for low-risk decisions like vendor chase replies. High-risk actions (legal-draft sign-off, breach-notification dispatch) always route through FaceID + WebAuthn on the portal.
5. Technology & workflow safety
- Customer Data and PHI are not used to train foundation models. We use commercial model providers under enterprise terms with no-train commitments and signed BAAs where required.
- Voice workflows that call vendors on your behalf operate under recorded scripts, with call recordings stored as evidence in the customer's binder.
- All workflow outputs are reviewed against guardrails before delivery: no clinical advice, no legal advice, no actions outside the customer's scope. A real person reviews and signs off before any consequential action.
- Customers can disable any workflow at any time from the client portal.
6. Audit logging & monitoring
- Tamper-evident audit logs for document uploads, edits, deletions, workflow actions, integration connects/disconnects, and user logins.
- Centralized log aggregation with anomaly alerting.
- Customer-visible activity feed in the portal.
- Audit logs retained for at least 6 years to support compliance review and claim investigation.
7. Vulnerability management & coordinated disclosure
- Built on managed, automatically patched infrastructure — Vercel for the application and edge, Supabase for Postgres, authentication, and storage — so platform-level security patches are applied by the vendor without manual intervention.
- Application dependencies are reviewed and updated as part of regular maintenance.
- Coordinated disclosure: report security issues to support@proofopsmedical.com. We commit to acknowledge within 24 hours.
8. Incident response
We maintain a documented incident-response plan with on-call rotation, severity tiers, customer-notification SLAs, and post-incident reviews. Confirmed breaches involving PHI are notified to affected customers within 24 hours per the BAA.
8b. FIPA & the dual breach-notification clock
Florida-based customers operate under both the federal HIPAA Breach Notification Rule (45 CFR 164.404 — 60 days) and the Florida Information Protection Act (FIPA, Florida Statute § 501.171 — 30 days). These obligations are cumulative; the shorter FIPA clock controls notification to affected individuals. If a breach affects more than 500 Florida residents, the Florida Attorney General must also be notified within 30 days under § 501.171(3). If 1,000+ individuals nationwide are affected, consumer reporting agencies must be notified without unreasonable delay under § 501.171(5). Penalties under § 501.171(9) reach up to $500,000 per breach.
ProofOps Medical tracks both clocks per incident, surfaces the earlier deadline in the daily brief, and prepares the three required FIPA letter scaffolds (individual notification under § 501.171(4) + 45 CFR 164.404, Florida AG notification under § 501.171(3), consumer reporting agency notification under § 501.171(5)) the moment the incident is classified as a confirmed breach. Drafts route through the Legal Drafts workflow for attorney finalization; ProofOps does not file on the customer's behalf.
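The dual-clock logic described above, as an added illustration (not ProofOps' own code): it takes the confirmed-breach date and the affected counts, applies the page's thresholds, and returns the controlling deadline plus the letter scaffolds that are triggered. It assumes both clocks run from the day the incident is classified as a confirmed breach and that FIPA applies whenever at least one Florida resident is affected.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Clocks and thresholds as stated on this page. Assumption: both clocks start
# on the day the incident is classified as a confirmed breach.
HIPAA_INDIVIDUAL_DAYS = 60   # 45 CFR 164.404
FIPA_INDIVIDUAL_DAYS = 30    # Fla. Stat. § 501.171(4)
FIPA_AG_DAYS = 30            # § 501.171(3)
FIPA_AG_THRESHOLD = 500      # "more than 500 Florida residents"
CRA_THRESHOLD = 1000         # "1,000+ individuals nationwide", § 501.171(5)


@dataclass(frozen=True)
class BreachClocks:
    individuals_due: date        # earlier of the HIPAA and FIPA individual clocks
    controlling_clock: str       # "FIPA" or "HIPAA"
    ag_due: date | None          # Florida AG notification deadline, if triggered
    notify_cras: bool            # consumer reporting agencies, if triggered
    letters: tuple[str, ...]     # letter scaffolds to prepare
    earliest_due: date           # the date the daily brief should surface


def breach_clocks(confirmed_on: date, florida_residents: int,
                  total_individuals: int) -> BreachClocks:
    """Compute notification deadlines and required letters for one confirmed breach."""
    if florida_residents < 0 or total_individuals < florida_residents:
        raise ValueError("Florida residents must be between 0 and the total affected")
    hipaa_due = confirmed_on + timedelta(days=HIPAA_INDIVIDUAL_DAYS)
    fipa_due = confirmed_on + timedelta(days=FIPA_INDIVIDUAL_DAYS)
    # Assumption: FIPA applies whenever at least one Florida resident is affected;
    # the obligations are cumulative, so the shorter clock controls.
    if florida_residents > 0:
        individuals_due, controlling = min(hipaa_due, fipa_due), "FIPA"
        letters = ["individual notification (§ 501.171(4) + 45 CFR 164.404)"]
    else:
        individuals_due, controlling = hipaa_due, "HIPAA"
        letters = ["individual notification (45 CFR 164.404)"]
    ag_due = None
    if florida_residents > FIPA_AG_THRESHOLD:
        ag_due = confirmed_on + timedelta(days=FIPA_AG_DAYS)
        letters.append("Florida AG notification (§ 501.171(3))")
    notify_cras = total_individuals >= CRA_THRESHOLD
    if notify_cras:
        letters.append("consumer reporting agency notification (§ 501.171(5))")
    earliest = min(d for d in (individuals_due, ag_due) if d is not None)
    return BreachClocks(individuals_due, controlling, ag_due, notify_cras,
                        tuple(letters), earliest)
```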
9. Backups, business continuity, disaster recovery
- Encrypted scheduled backups, multi-AZ.
- Recovery time objective (RTO): 8 hours for production restoration.
- Recovery point objective (RPO): 1 hour for transactional data; 24 hours for object storage.
- Annual disaster-recovery exercises.
10. Compliance posture
- HIPAA — Privacy and Security Rules controls implemented; BAA available.
- SOC 2 — controls aligned with the Security, Availability, and Confidentiality Trust Service Criteria are documented internally today. A formal third-party Type II audit will be scheduled when our enterprise or multi-location customer pipeline justifies the engagement. Customers and prospects under NDA may request our internal controls matrix in the interim.
- GDPR / UK GDPR — Data Processing Addendum available for customers with EEA or UK data subjects.
- State privacy laws — Florida Digital Bill of Rights (FDBR) and other comprehensive U.S. state privacy laws supported on request.
11. Sub-processors
ProofOps relies on a small set of vetted sub-processors to deliver the service. The current list is reviewed quarterly and tracked in our sub-processor BAA inventory (available under NDA). Current sub-processors:
- Supabase — Postgres database + Storage + Auth. BAA signed on Pro plan. PHI processed and stored in US-only regions.
- Vercel — application hosting + edge functions. Enterprise BAA. Marketing site (proofopsmedical.com) is non-PHI and runs on the same infrastructure under separate isolation.
- Resend — transactional email (daily briefings, vendor chase emails, FaceID approval links). BAA signed on HIPAA-eligible plan.
- Twilio — SMS (Concierge messages, urgent alerts, one-tap approvals). BAA signed on HIPAA-eligible plan.
- Anthropic — Claude API for knowledge-brain Q&A and reasoning. PHI minimization at the prompt layer; no PHI leaves the application boundary by design.
- OpenRouter — tier-fallback LLM for classification + summarization. No formal BAA; PHI minimization + audit log mitigations in place; PHI is never sent to OpenRouter routes.
- ClamAV — virus scanning on every upload. Runs inside Supabase Edge Functions; treated as part of Supabase BAA scope.
- Sentry — error monitoring. PHI scrubbing rules configured at SDK init. BAA signed on Business plan.
- Stripe — subscription payments only. Out of HIPAA scope (PCI scope only); no PHI ever flows to Stripe.
We provide at least 30 days' advance notice of any new sub-processor that processes PHI; customers can object and terminate without penalty if a substitute cannot be agreed. The full Sub-Processor Inventory and per-vendor BAA copies are available to customers and prospects under NDA.
12. Customer responsibilities
- Use unique, strong passwords and enable MFA.
- Promptly remove departed staff from the account.
- Restrict who in the clinic can act on alerts and escalations.
- Do not upload information you have no lawful basis to share with us.
- Report suspected security issues to support@proofopsmedical.com.
13. How to request a security packet
Customers and prospective customers under NDA can request our security questionnaire responses, BAA template, DPA, and the internal SOC 2-aligned controls matrix. Email support@proofopsmedical.com.
This page describes ProofOps' security practices in plain English. Customer agreements, the BAA, and the DPA contain the binding obligations.