HIPAA-aware by design
BAA-ready, role-based access, encrypted storage, and detailed audit trails on every record.
Security
HIPAA-aware. SOC 2 Type II. Built for the audit.
Every record on 31M is encrypted, isolated, role-gated, and audit-logged. Here’s how.
SOC 2 Type II
Independent annual audit covering security, availability, and confidentiality controls.
Encryption everywhere
TLS 1.2+ in transit and AES-256 at rest. Customer data is logically isolated per organization.
Least-privilege access
Granular permission sets, time-bound elevated access, and full change history.
The program
What our security posture looks like in practice.
Independent audits
Annual SOC 2 Type II covering security, availability, and confidentiality controls.
BAA on every contract
Business Associate Agreement signed with every customer that handles PHI.
Encryption at every layer
TLS 1.2+ in transit, AES-256 at rest. Customer data is logically isolated per organization.
Vulnerability management
Continuous dependency scanning, quarterly penetration tests, and a coordinated disclosure policy.
Access controls
Granular role-based access, time-bound elevated access, and detailed administrator change history.
Audit trails
Every read, write, and export is logged with actor, target, and timestamp — and is exportable.
Documentation
Need the paperwork?
Customers and prospects under NDA can request our latest SOC 2 report, security questionnaire responses, and BAA template.
For SOC 2 reports, penetration-test summaries, or security questionnaires, please get in touch and we’ll route you to our security team.
Have security questions?
We answer security questionnaires within five business days.