Built for regulated healthcare from day one
Rendum meets the standard for handling Protected Health Information across Medicare Advantage, Managed Medicaid, and capitated provider arrangements. Health Insurance Portability and Accountability Act compliant. Service Organization Control 2 Type II audit in progress. Federal Risk and Authorization Management Program authorized Microsoft Azure infrastructure. Zero compromises.
45 CFR Control Mapping
Complete mapping of Rendum controls to HIPAA Security Rule requirements under 45 CFR Part 164.
| CFR Reference | Control | Status |
|---|---|---|
| 164.308(a)(1) | Security Management Process | Implemented |
| 164.308(a)(3) | Workforce Security | Implemented |
| 164.308(a)(4) | Information Access Management | Implemented |
| 164.308(a)(5) | Security Awareness & Training | Implemented |
| 164.308(a)(6) | Security Incident Procedures | Implemented |
| 164.308(a)(7) | Contingency Plan | Implemented |
| 164.310(a) | Facility Access Controls | Implemented |
| 164.310(b) | Workstation Use | Implemented |
| 164.310(d) | Device and Media Controls | Implemented |
| 164.312(a) | Access Control | Implemented |
| 164.312(b) | Audit Controls | Implemented |
| 164.312(c) | Integrity | Implemented |
| 164.312(d) | Person/Entity Authentication | Implemented |
| 164.312(e) | Transmission Security | Implemented |
Trust Services Criteria
Rendum's controls are implemented in preparation for a SOC 2 Type II audit across the Security, Availability, and Confidentiality trust service criteria.
Security
- Logical and physical access controls
- System boundary definition and monitoring
- Change management procedures
- Risk mitigation and vulnerability management
Availability
- Performance monitoring and capacity planning
- Disaster recovery and business continuity
- Incident management and escalation
- Backup and restoration testing
Confidentiality
- Data classification and handling
- Encryption at rest and in transit
- Confidential data disposal
- Non-disclosure agreements and access restrictions
Regulatory regimes Rendum's controls are designed against
Rendum's security and audit posture meets the standard for Medicare Advantage, Managed Medicaid, False Claims Act exposure, and Health Insurance Portability and Accountability Act requirements.
Medicare Advantage
Centers for Medicare and Medicaid Services oversight under 42 Code of Federal Regulations Part 422, including encounter data accuracy, supplemental benefit reporting, and audit response timelines.
Managed Medicaid
Centers for Medicare and Medicaid Services oversight under 42 Code of Federal Regulations Part 438, plus state Medicaid managed care contract requirements and state Medicaid Fraud Control Unit standards.
False Claims Act
31 United States Code Sections 3729 through 3733. Clause-to-decision traceability produces the documentary evidence required to defend against False Claims Act allegations and qui tam actions.
Health Insurance Portability and Accountability Act
45 Code of Federal Regulations Parts 160 and 164. Administrative, physical, and technical safeguards implemented across all Protected Health Information handling.
Azure cloud infrastructure
Rendum is deployed on Microsoft Azure, using FedRAMP-authorized infrastructure purpose-built for healthcare workloads.
Azure Regions
Primary deployment in Azure US East with automatic failover to US West. All data stays within US borders.
Azure SQL Database
Managed database with automatic backups, point-in-time restore, and transparent data encryption (TDE).
Azure Key Vault
All encryption keys, secrets, and certificates managed through FIPS 140-2 Level 2 validated HSMs.
Azure App Service
Application layer runs on isolated App Service Environments with VNet integration and private endpoints.
Azure Monitor
Real-time monitoring, alerting, and log analytics. All access events and data operations logged for audit.
Azure DDoS Protection
Standard-tier DDoS protection with automatic traffic scrubbing and real-time attack mitigation.
Encryption Details
AES-256 encryption for all data at rest. Database-level Transparent Data Encryption (TDE). File storage encrypted via Azure Storage Service Encryption (SSE).
TLS 1.2+ enforced for all API connections. SFTP connections use SSH key authentication with a minimum key length of 2048 bits. No plaintext protocols supported.
Encryption keys managed through Azure Key Vault with automatic rotation. Customer-managed keys (BYOK) available on Enterprise plans.
Incident Response
Azure Sentinel SIEM with custom detection rules for healthcare-specific threats. 24/7 automated monitoring with human-in-the-loop escalation.
Critical incidents: 15-minute acknowledgment, 1-hour initial response. Security incidents involving PHI: notification to affected customers within 24 hours, per BAA requirements.
Root cause analysis published within 5 business days, together with a remediation plan and timeline. Annual penetration testing by an independent third party.
Request our full security documentation
Enterprise customers and qualified prospects can request our security controls documentation, self-assessment, penetration test results, and detailed security questionnaire responses under NDA.