Security

Built for the rooms that read every line.

Due Health processes protected health information on behalf of medical practices. This page is what we tell our security reviewers — same words, same shape.

For a current security questionnaire, BAA, or audit documentation, contact security@due.health.

Business Associate Agreement

REQUIRED

A BAA is executed before any PHI is exchanged. No PHI is processed under a sales NDA or pilot agreement, only under a signed BAA.

Encryption in transit

ALWAYS

TLS 1.3 between every component. PHI never crosses the public internet unencrypted.

Encryption at rest

ALWAYS

AES-256 on every database, object store, and backup. Keys managed by KMS, rotated automatically.

Audit log

PER EVENT

Every agent action and every human action is logged with timestamp, actor, target, and outcome.

Access control

RBAC + SSO

Role-based access scoped per practice and per location. SSO available for Growth and Enterprise.

Data residency

us-east-1

US-only data plane. PHI does not leave the US perimeter. No third-party LLM inference on PHI without explicit, documented opt-in.

Subprocessors

ON REQUEST

Stedi (X12 270/271 eligibility transactions), AWS (infrastructure), cloud database provider. Current list available on request.

Incident response

24H SLA

24-hour notification SLA for customer-impacting security incidents. Documented runbook.