Security & Compliance

Built for regulated healthcare from day one

Rendum meets the highest standards for healthcare data security. HIPAA compliant. SOC 2 Type II attested. Zero compromises.

HIPAA

45 CFR Control Mapping

Complete mapping of Rendum controls to HIPAA Security Rule requirements under 45 CFR Part 164.

CFR Reference   Control                          Status
164.308(a)(1)   Security Management Process      Implemented
164.308(a)(3)   Workforce Security               Implemented
164.308(a)(4)   Information Access Management    Implemented
164.308(a)(5)   Security Awareness & Training    Implemented
164.308(a)(6)   Security Incident Procedures     Implemented
164.308(a)(7)   Contingency Plan                 Implemented
164.310(a)      Facility Access Controls         Implemented
164.310(b)      Workstation Use                  Implemented
164.310(d)      Device and Media Controls        Implemented
164.312(a)      Access Control                   Implemented
164.312(b)      Audit Controls                   Implemented
164.312(c)      Integrity                        Implemented
164.312(d)      Person/Entity Authentication     Implemented
164.312(e)      Transmission Security            Implemented

SOC 2 Type II

Trust Services Criteria

Rendum's SOC 2 Type II report covers Security, Availability, and Confidentiality trust service criteria.

Security

  • Logical and physical access controls
  • System boundary definition and monitoring
  • Change management procedures
  • Risk mitigation and vulnerability management

Availability

  • Performance monitoring and capacity planning
  • Disaster recovery and business continuity
  • Incident management and escalation
  • Backup and restoration testing

Confidentiality

  • Data classification and handling
  • Encryption at rest and in transit
  • Confidential data disposal
  • Non-disclosure agreements and access restrictions

Infrastructure

Azure cloud infrastructure

Rendum is deployed on Microsoft Azure, leveraging FedRAMP-authorized infrastructure purpose-built for healthcare workloads.

Azure Regions

Primary deployment in Azure US East with automatic failover to US West. All data stays within US borders.

Azure SQL Database

Managed database with automatic backups, point-in-time restore, and transparent data encryption (TDE).

Azure Key Vault

All encryption keys, secrets, and certificates managed through FIPS 140-2 Level 2 validated HSMs.

Azure App Service

Application layer runs on isolated App Service Environments with VNet integration and private endpoints.

Azure Monitor

Real-time monitoring, alerting, and log analytics. All access events and data operations logged for audit.

Azure DDoS Protection

Standard-tier DDoS protection with automatic traffic scrubbing and real-time attack mitigation.

Encryption Details

At Rest

AES-256 encryption for all data at rest. Database-level Transparent Data Encryption (TDE). File storage encrypted via Azure Storage Service Encryption (SSE).

In Transit

TLS 1.2+ enforced for all API connections. SFTP connections use SSH key authentication with a minimum key length of 2048 bits. No plaintext protocols supported.

Key Management

Encryption keys managed through Azure Key Vault with automatic rotation. Customer-managed keys (BYOK) available on Enterprise plans.

Incident Response

Detection

Azure Sentinel SIEM with custom detection rules for healthcare-specific threats. 24/7 automated monitoring with human-in-the-loop escalation.

Response SLA

Critical incidents: 15-minute acknowledgment, 1-hour initial response. Security incidents involving PHI: affected customers notified within 24 hours, per BAA requirements.

Post-Incident

Root cause analysis published within 5 business days, followed by a remediation plan with a timeline. Annual penetration testing by an independent third party.

Learn More

Request our full security documentation

Enterprise customers can request our complete SOC 2 Type II report, penetration test results, and detailed security questionnaire responses.