# Compliance & HIPAA
Beakr maintains SOC 2 Type II compliance and supports HIPAA-aligned deployments for customers handling protected health information.
## SOC 2 Type II
Beakr maintains SOC 2 Type II compliance through an independent compliance program. Our SOC 2 report covers CC6 (access), CC7 (operations), CC8 (change management), A1 (availability), C1 (confidentiality), and PI1 (processing integrity). The report is available upon request under NDA -- contact support@thebeakr.com.
## HIPAA
Beakr supports HIPAA-compliant deployments for customers handling protected health information (PHI). Our HIPAA compliance program is independently audited. We execute Business Associate Agreements (BAAs) with customers who require them.
All HIPAA Security Rule requirements (45 CFR Part 164) are addressed across three safeguard categories:

| Safeguard | What it covers | Status |
|---|---|---|
| Technical | Unique user IDs, AES-256 encryption at rest, TLS 1.2+ in transit, JWT auth with MFA, session expiry, dual-layer audit logging (CloudWatch + database), input validation, HMAC-SHA256 webhook verification. | Implemented |
| Administrative | Formal risk analysis (annual), designated Security Officer, RBAC with RLS enforcement, security awareness training, GuardDuty threat detection, incident response procedures, automated backups with point-in-time recovery, BAAs with all subprocessors. | Implemented |
| Physical | Delegated to AWS (SOC 2, ISO 27001, FedRAMP). All infrastructure changes managed via Terraform IaC with Git-based review. Hard deletes for all user data. | Implemented |
## AI model providers & PHI
All AI model providers used by Beakr enforce zero data retention and prohibit training on customer data:

| Provider | Access method | BAA | Data retention |
|---|---|---|---|
| AWS Bedrock (Claude) | Within Beakr VPC | AWS BAA | None |
| Google (Gemini) | Vertex AI | Google Cloud BAA | None |
| OpenAI | Direct API, Zero Retention | Enterprise | None |
## Breach notification
Beakr maintains breach detection via GuardDuty, CloudTrail anomaly detection, and CloudWatch security alarms. Customers with active BAAs are notified without unreasonable delay per contractual timelines. All incidents are documented and retained per HIPAA requirements.
For the requirement-by-requirement HIPAA mapping, SOC 2 report, or security questionnaire responses, visit our Trust Center or contact support@thebeakr.com.