Security & Compliance

Learn about Synexar's security measures, HIPAA compliance, and data protection practices.

Last updated: January 15, 2025

Security Overview

Synexar is built with security as a foundational principle. We implement multiple layers of protection to ensure your patient data remains confidential, intact, and available.

HIPAA Compliance

Synexar is fully HIPAA compliant with:

  • Business Associate Agreement (BAA) provided to all customers
  • End-to-end encryption for all PHI
  • Comprehensive audit trails of all system access
  • Regular security audits by independent third parties
  • Staff training on HIPAA requirements

Data Encryption

At Rest

  • AES-256 encryption for all stored data
  • Encrypted backups with secure key management
  • Database encryption using industry standards

In Transit

  • TLS 1.3 for all data transmission
  • Perfect forward secrecy enabled
  • Certificate pinning for mobile apps

Access Controls

Authentication

  • Multi-factor authentication (MFA) required
  • SSO support via SAML 2.0
  • Password policies enforcing complexity
  • Session management with automatic timeouts

Authorization

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Granular permissions per user/role
  • Audit logging of all access

Infrastructure Security

Cloud Security

  • SOC 2 Type II certified infrastructure
  • ISO 27001 compliant data centers
  • Geographic redundancy for high availability
  • DDoS protection and web application firewall

Application Security

  • Penetration testing performed quarterly
  • Vulnerability scanning automated daily
  • Code review before every deployment
  • Dependency monitoring for security patches

Data Protection

Data Residency

  • US-based data centers by default
  • Regional options available
  • Data sovereignty compliance

Backup & Recovery

  • Automated backups every 6 hours
  • 30-day retention policy
  • Point-in-time recovery capability
  • Disaster recovery tested quarterly

Data Deletion

  • Secure deletion upon request
  • 30-day retention before permanent deletion
  • Verification of complete removal
  • Certificate of destruction provided

Compliance Certifications

  • HIPAA - Health Insurance Portability and Accountability Act
  • SOC 2 Type II - Security, availability, and confidentiality
  • ISO 27001 - Information security management
  • GDPR - General Data Protection Regulation (for EU data)

Incident Response

Monitoring

  • 24/7 security monitoring by our team
  • Automated threat detection using AI
  • Real-time alerts for suspicious activity
  • Regular security reviews

Response Plan

  1. Detection - Automated and manual monitoring
  2. Assessment - Severity and impact evaluation
  3. Containment - Immediate action to limit exposure
  4. Investigation - Root cause analysis
  5. Remediation - Fix the vulnerability
  6. Notification - Inform affected parties per HIPAA

Breach Notification

  • Notification within 60 days as required by HIPAA
  • Affected party notification via secure channels
  • Regulatory reporting to HHS if required
  • Mitigation services provided at no cost

Privacy Practices

Data Collection

We only collect data necessary for:

  • Providing the Synexar service
  • Billing and account management
  • Security and fraud prevention
  • Improving our platform (with consent)

Data Usage

  • Your patient data is NEVER used to train general AI models
  • Optional improvement program with explicit opt-in
  • Complete de-identification for any research use
  • Aggregated analytics only without PHI

Third Parties

  • No selling of data - ever
  • Limited sharing only with your consent or as required by law
  • BAAs with all subprocessors
  • Regular audits of third-party security

User Responsibilities

Best Practices

  • ✅ Enable multi-factor authentication
  • ✅ Use strong, unique passwords
  • ✅ Keep software and devices updated
  • ✅ Report suspicious activity immediately
  • ✅ Log out when leaving your workstation
  • ✅ Train staff on security policies

Prohibited Actions

  • ❌ Sharing login credentials
  • ❌ Accessing PHI without authorization
  • ❌ Downloading PHI to unsecured devices
  • ❌ Using public Wi-Fi without VPN
  • ❌ Taking screenshots of PHI
  • ❌ Emailing PHI unencrypted

Security Questions?

For security-related inquiries:

  • Email: [email protected]
  • Phone: (555) 123-4567
  • Emergency: Call the 24/7 hotline for critical issues

Report a Vulnerability

Found a security issue? We appreciate responsible disclosure:

  1. Email: [email protected]
  2. Use encryption: PGP key available on request
  3. Include details: Steps to reproduce, impact assessment
  4. Expect response: Within 24 hours

We offer a bug bounty program for qualifying vulnerabilities.

Your trust is our top priority. We’re committed to maintaining the highest security standards.