Security & Compliance

Enterprise Security.
Independently Verified.

Altriva is built on the principle that protecting patient data is not a feature — it is a foundational responsibility. Every architectural decision is made with HIPAA compliance, data isolation, and auditability as non-negotiable requirements.

Compliance Certifications

Our compliance posture is independently audited and continuously maintained — not self-certified.

HIPAA Compliant

Full HIPAA compliance across all administrative, physical, and technical safeguards. Business Associate Agreements (BAAs) are signed with all sub-processors, including Google Cloud Platform.

SOC 2 Type II

Annual SOC 2 Type II audits conducted by an independent CPA firm, verifying our security, availability, processing integrity, confidentiality, and privacy controls.

HITRUST CSF

HITRUST CSF certification in progress, assessing implementation of information security controls across HIPAA, NIST, and ISO frameworks.

Technical Security Architecture

Security is implemented at every layer of the stack. The following details are provided for technical reviewers, enterprise buyers, and compliance teams evaluating Altriva for deployment.

Google Cloud Platform Infrastructure

All Altriva services run on Google Cloud Platform (GCP) in HIPAA-eligible regions. We leverage Cloud Run for containerized workloads, Cloud SQL (PostgreSQL) for relational data, and Vertex AI for model inference.

GCP: Cloud Run · Cloud SQL · Vertex AI · Secret Manager · Cloud Logging

Encryption at Rest and In Transit

All protected health information (PHI) is encrypted using AES-256 at rest. All data in transit is protected by TLS 1.3. Encryption keys are managed via Google Cloud KMS with automatic rotation.

AES-256 at rest · TLS 1.3 in transit · Cloud KMS key rotation

Multi-Tenant Data Isolation

Every practice's data is logically isolated using Row-Level Security (RLS) in PostgreSQL. No practice can access another practice's data. Tenant identifiers are enforced at the database layer, not the application layer.

PostgreSQL RLS · Tenant-scoped queries · No cross-tenant access
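
For technical reviewers, this is what tenant enforcement at the database layer generally looks like in PostgreSQL. It is an added illustration, not Altriva's schema or code; the table, column, role, and setting names (`clinical_notes`, `practice_id`, `app_user`, `app.practice_id`) and the UUID are hypothetical.

```sql
-- Hypothetical tenant-scoped table (names are illustrative only).
CREATE TABLE clinical_notes (
    id          bigserial PRIMARY KEY,
    practice_id uuid NOT NULL,
    body        text NOT NULL
);

-- ENABLE turns policies on; FORCE also applies them to the table owner,
-- who would otherwise bypass every policy.
ALTER TABLE clinical_notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE clinical_notes FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted;
-- WITH CHECK rejects inserts/updates that would land in another tenant.
-- current_setting(..., true) yields NULL when the setting was never set
-- (no rows match) and '' after a SET LOCAL has expired (the uuid cast
-- raises an error), so a missing tenant context fails closed.
CREATE POLICY tenant_isolation ON clinical_notes
    USING      (practice_id = current_setting('app.practice_id', true)::uuid)
    WITH CHECK (practice_id = current_setting('app.practice_id', true)::uuid);

-- The application connects as a role that cannot bypass RLS.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON clinical_notes TO app_user;
GRANT USAGE ON SEQUENCE clinical_notes_id_seq TO app_user;

-- Per request: bind the tenant inside the transaction so the value
-- cannot leak to the next request on a pooled connection.
BEGIN;
SET LOCAL app.practice_id = '11111111-1111-1111-1111-111111111111';  -- constructed value
SELECT id, body FROM clinical_notes;   -- returns only this practice's rows
-- An INSERT carrying a different practice_id here would fail with
-- "new row violates row-level security policy".
COMMIT;

-- Reviewer checks: RLS enabled and forced on the table, and which
-- roles are able to bypass it.
SELECT relname, relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'clinical_notes';
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

The last two queries are the ones to ask for evidence of during an evaluation: a table without `relforcerowsecurity`, or an application role listed as able to bypass RLS, means isolation still depends on application code.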

Access Control & Authentication

Role-based access control (RBAC) with least-privilege principles. All API access requires JWT tokens with short expiration windows. MFA is enforced for all administrative accounts.

RBAC · JWT (short TTL) · MFA enforced · OAuth 2.0

Audit Logging & Retention

Every access to PHI is logged with user identity, timestamp, IP address, and action type. Audit logs are immutable and retained for 6 years in compliance with HIPAA requirements.

Cloud Logging · Immutable audit trail · 6-year retention

Business Continuity & Disaster Recovery

Automated daily backups with point-in-time recovery (PITR). Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour. Multi-region failover for critical services.

Daily backups · PITR · RTO 4h · RPO 1h · Multi-region

How We Handle Your Patient Data

Altriva's data handling principles are designed to exceed HIPAA minimum requirements. We apply a data minimization philosophy — collecting only what is necessary, retaining it only as long as required, and deleting it completely upon request.

  • PHI is never used to train AI models without explicit written consent
  • Audio recordings are processed in memory and never stored to disk
  • Clinical notes are stored only in the practice's designated data region
  • Data deletion requests are honored within 30 days with cryptographic verification
  • No PHI is shared with third-party advertisers or analytics platforms
  • Sub-processor list is publicly available and updated with each change

Business Associate Agreement

Altriva executes a fully compliant HIPAA Business Associate Agreement (BAA) with every practice prior to accessing any PHI. Our BAA covers all sub-processors, including Google Cloud Platform, and is available for legal review before contract execution.

BAA Covers:

  • Google Cloud Platform (HIPAA BAA signed)
  • All AI model inference services
  • Backup and disaster recovery systems
  • Audit logging and monitoring services

Responsible Disclosure

If you believe you have discovered a security vulnerability in Altriva's systems, please report it responsibly to [email protected]. We are particularly interested in vulnerabilities that may impact the confidentiality or integrity of protected health information. We commit to acknowledging all reports within 24 hours and resolving critical issues within 72 hours.

Ready to Review Our Full Security Documentation?

Our security team is available to answer technical questions, provide compliance documentation, and execute BAAs for enterprise evaluations.