Security and privacy controls built for clinical-grade data.
Abstractive Health's Security and Privacy team establishes policies and controls, monitors compliance with those controls, and works with independent auditors to maintain HIPAA and SOC 2 Type II compliance.
If you'd like to review our SOC 2 report, contact us.
Our policy principles
We apply a least-privilege philosophy, defense-in-depth controls, and continuous monitoring to protect PHI and customer data.
01. Abstractive Health is committed to protecting the security, confidentiality, integrity, availability, and privacy of its information resources.
02. Requests for data access are granted only to individuals who need it, at the minimum level of access required for their role.
03. We implement strong, layered security controls according to the principle of defense in depth.
04. Controls are applied consistently across systems, monitored continuously, and improved iteratively to increase effectiveness and auditability.
Ensuring diligent data protection.
Encryption at rest
Customer data is encrypted at rest using industry-standard encryption and key controls.
Encryption in transit
Data in transit is encrypted with TLS, negotiating TLS 1.3 where the peer supports it.
Least-privilege access
Access is restricted by role and need-to-know, aligned to minimal access principles.
Auditability
Logging and monitoring help ensure access, changes, and security events are observable and reviewable.
Taking product security seriously.
Hosting on AWS HIPAA-eligible services for top-tier security and reliability.

Using Vanta for continuous control monitoring and vulnerability scanning.

Conducting penetration testing at least once a year through independent third parties.
Security is operational, not aspirational.
Comprehensive security training
The Abstractive Health team undergoes security and HIPAA training upon onboarding and annually thereafter.
Safety through interoperability
As a Carequality implementer, we share best practices to strengthen security in healthcare technology at scale.
Have security questions?
We can support security reviews, vendor questionnaires, and share our SOC 2 report upon request.
Security FAQ
Are you HIPAA compliant?
Yes. Abstractive Health is built for healthcare data and operates under HIPAA-aligned administrative, technical, and physical safeguards. We sign Business Associate Agreements (BAAs) with covered entities and business associates.
Do you have a SOC 2 Type II report?
Yes. Abstractive Health maintains a SOC 2 Type II attestation. We can share the report upon request as part of a standard security review.
How is customer data encrypted?
We encrypt customer data at rest and in transit using industry-standard encryption. Transport security uses TLS (TLS 1.3 where the peer supports it), and we apply layered controls to protect PHI across the full data lifecycle.
Who can access patient data at Abstractive Health?
Access is restricted by a least-privilege approach. Internal access is limited to authorized personnel with a legitimate need, and access is logged and monitored.
Do you perform penetration testing?
Yes. We conduct third-party penetration testing at least annually, and we remediate findings through a tracked process.
Do you support security questionnaires and vendor risk reviews?
Yes. Our Security and Privacy team can support security reviews, questionnaires, and documentation requests as part of procurement and onboarding.