Security & Trust

We build MedFlow RCMto handle healthcare data responsibly. This page describes our current security controls and an honest view of our compliance roadmap. We believe transparency about what is in place today — and what is still in progress — is the right way to earn a partner’s trust.

Controls in place today

AreaControl
Tenant isolationRow-Level Security policies scope PHI-bearing tables by practice and role, enforced at the database layer.
Access controlRole-based access for admin, practice, and patient roles; authenticated API routes scoped to the caller’s practice.
Audit loggingAppend-only audit log across PHI-access routes, with cryptographic hash-chain integrity, an active 6-year retention purge, and an administrative review surface.
Automatic logoffAuthenticated sessions terminate after 30 minutes of inactivity (HIPAA §164.312(a)(2)(iii)).
Encryption in transitAll traffic served over TLS with HSTS and a strict Content-Security-Policy; data exchanged with subprocessors over encrypted channels.
Managed infrastructureHosted on managed cloud platforms that provide encryption at rest at the storage layer and physical security.

Compliance posture

ProgramStatus
HIPAAIn progress. Technical safeguards are partially implemented; a formal risk assessment, complete subprocessor BAAs, and documented administrative safeguards are in active development. We sign Business Associate Agreements with customers.
SOC 2Planned, not yet started. We have not undergone a SOC 2 examination. We can provide our InfoSec policy and complete a security questionnaire in the interim.
Terms & PrivacyTerms of Service · Privacy Policy

On our roadmap

Reporting a vulnerability

If you believe you have found a security issue, please contact security@dionhealth.com. We appreciate responsible disclosure and will respond promptly.

← Back to home