Security & Compliance

Security is not a feature. It's the foundation.

Every byte encrypted, every access logged, every regulation met. Built for compliance officers who accept nothing less.

NexV encrypts all patient data with AES-256 at rest and TLS 1.3 in transit, using AWS KMS-managed keys. All AI processing occurs within the practice's own AWS environment with no third-party data processors. Full audit trails via CloudTrail log every access and modification.

The standards your board expects.

HIPAA

BAA Available

Full HIPAA compliance with signed Business Associate Agreements for every customer. All protected health information handled under strict regulatory controls.

Download BAA

SOC 2 Type II

Certified

Annual third-party audit of security controls, availability, and confidentiality. Unqualified opinion maintained year over year.

Australian Privacy Principles

Compliant

Full compliance with the Australian Privacy Act 1988 and all 13 APPs. Cross-border data handling meets OAIC guidelines.

Encryption at Rest and in Transit

AES-256 / TLS 1.3

AES-256 encryption at rest, TLS 1.3 in transit. Zero plain-text storage of PHI at any layer of the stack. (Data is decrypted inside the platform's own AWS environment to be processed, so this is at-rest plus in-transit encryption rather than end-to-end encryption between two practice endpoints.)

Data Residency

US & AU Available

Choose US or Australian data centres. Patient data stays in your selected region; no cross-region replication occurs unless you explicitly configure it.

Penetration Testing

Annually Tested

Annual third-party penetration testing by independent security firms. Remediation verified within 30 days of findings.

How your data is protected.

Your Practice
  |  TLS 1.3
  v
AWS Infrastructure
  AppSync API -> DynamoDB (AES-256), S3 Documents (SSE), CloudTrail Audit
  Data keys protected by Envelope Encryption under AWS KMS

Enterprise-grade access at every layer.

Fine-grained permissions, immutable audit trails, and enforced authentication policies. Every action attributable to a named user.

Role-Based Access

Granular permissions matrix with 6 roles across 19 operations. Every user sees only what their role requires.

Audit Logging

Every PHI access logged with timestamp, user, action, and IP. Immutable audit trail retained for 7 years.

Session Management

Configurable session timeouts with forced re-authentication. Idle sessions terminated automatically per your policy.

Multi-Factor Authentication

TOTP and SMS-based MFA for all staff accounts. Hardware key support available for enterprise deployments. SMS codes are offered for compatibility; where phishing resistance matters, prefer TOTP or hardware keys, as NIST SP 800-63B treats SMS one-time codes as a restricted authenticator.

Compliance, in detail.

HIPAA BAA

Signed Business Associate Agreement included with every subscription. Covers all PHI processed, stored, and transmitted through the platform. Breach notification without unreasonable delay and no later than 60 days after discovery, as the HIPAA Breach Notification Rule requires of business associates.

View BAA

SOC 2 Audit Process

Continuous monitoring with annual Type II audit by an independent CPA firm. Controls tested over a 12-month observation window covering the security, availability, and confidentiality Trust Services Criteria.

APP Compliance Scope

All 13 Australian Privacy Principles addressed, including cross-border disclosure (APP 8) and data quality (APP 10). Privacy Impact Assessments conducted for every feature release.

Data Residency Options

US deployments on AWS us-east-1 and us-west-2. Australian deployments on AWS ap-southeast-2. Region-locked by default with no cross-region replication unless explicitly configured.

Encryption Specifications

AES-256-GCM for data at rest via AWS KMS with automatic key rotation (rotation applies to newly generated data keys; previously wrapped data keys remain decryptable under the retained prior key material). TLS 1.3 enforced for all data in transit. Database field-level encryption for sensitive identifiers.

Incident Response SLA

Critical incidents acknowledged within 15 minutes, containment within 1 hour. Full root cause analysis delivered within 72 hours. Dedicated security contact for enterprise customers.

Need our security documentation?

We will send you our SOC 2 report, HIPAA compliance guide, and data processing agreement. Response within one business day.