Security
Built for the rooms that read every line.
Due Health processes protected health information on behalf of medical practices. This page is what we tell our security reviewers — same words, same shape.
For a current security questionnaire, BAA, or audit documentation, contact security@due.health.
Business Associate Agreement
REQUIRED: BAA is executed before any PHI is exchanged. No PHI is processed under a sales NDA or pilot agreement — only under a signed BAA.
Encryption in transit
ALWAYS: TLS 1.3 between every component. PHI never crosses the public internet unencrypted.
Encryption at rest
ALWAYS: AES-256 on every database, object store, and backup. Keys managed by KMS, rotated automatically.
Audit log
PER EVENT: Every agent action and every human action is logged with timestamp, actor, target, and outcome.
Access control
RBAC + SSO: Role-based access scoped per practice and per location. SSO available for Growth and Enterprise.
Data residency
us-east-1: US-only data plane. PHI does not leave the US perimeter. No third-party LLM inference on PHI without explicit, documented opt-in.
Subprocessors
ON REQUEST: Stedi (270/271), AWS (infrastructure), cloud database provider. Current list available on request.
Incident response
24H SLA: 24-hour notification SLA for customer-impacting security incidents. Documented runbook.