Security & Compliance
Atticus Health implements layered security across every level of the platform — from edge protection and encrypted communication to per-organization data isolation and passwordless patient login.
Compliance Status
| Standard | Status | Details |
|---|---|---|
| HIPAA | Compliant | BAA in place with all infrastructure providers. PHI encrypted at rest and in transit. 24-hour breach notification, stricter than HIPAA's requirement of notification without unreasonable delay and no later than 60 days after discovery. |
| SOC 2 Type II | In Progress | All controls implemented and continuously monitored through Delve. On track for a Type II attestation report (SOC 2 is an attestation, not a certification) by end of 2026. |
| HITRUST | Roadmap | Planned for future certification cycle. |
Security Layers
- Identity and access: passwordless patient login, mandatory two-factor authentication for staff, enterprise SSO, role-based access control, and per-organization sessions.
- Data protection: AES-256 encryption at rest and in transit, point-in-time recovery, retention policies, and breach response procedures.
- PHI management: full PHI lifecycle governance, including minimum-necessary enforcement, de-identification, patient rights, BAA coverage, and shared responsibility.
- Infrastructure: no public IP addresses, encrypted tunnels, hardened containers, and centralized secrets management.
- Software supply chain: automated dependency scanning, service-specific builds, deployment gates, and SBOM generation.
- Tenant isolation: per-domain databases with per-tenant data isolation, enforced at the request, application, and database layers.
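The last point, isolation enforced at three independent layers, is the one a reviewer most wants to see in code: if the request layer or the application layer has a bug, the database layer must still refuse to hand one organization's rows to another. The following is an added example written for this page; it is not Atticus Health's implementation, and the table, view, function and tenant names (`patient_records`, `my_records`, `org_a`, `org_b`) and the seed rows are constructed. SQLite stands in for the database because it runs anywhere, but it has no row-level security, so a tenant-filtered view and an insert trigger emulate what a PostgreSQL RLS policy on the base table would enforce (RLS would also cover direct reads of the base table, which the view emulation does not).

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data for two hypothetical tenant organizations (not real PHI).
SEED_ROWS = [("org_a", "rec-1", "org_a note"), ("org_b", "rec-2", "org_b note")]

SCHEMA = """
CREATE TABLE patient_records (
    tenant_id TEXT NOT NULL,
    record_id TEXT NOT NULL,
    note      TEXT NOT NULL,
    PRIMARY KEY (tenant_id, record_id)
);
-- Connection-scoped tenant context: an in-memory SQLite database is private to its
-- connection. PostgreSQL would use SET app.tenant_id and current_setting() instead.
CREATE TABLE session_ctx (tenant_id TEXT NOT NULL);
-- Database layer, reads: the application only queries this view, which joins on the
-- session tenant, so rows of any other tenant are invisible whatever the WHERE clause.
CREATE VIEW my_records AS
    SELECT r.tenant_id, r.record_id, r.note
    FROM patient_records r JOIN session_ctx s ON s.tenant_id = r.tenant_id;
"""

# Database layer, writes: abort any row whose tenant differs from the session tenant.
# With no session context the subquery is NULL, the IS NOT test is true, and the
# write fails closed.
WRITE_GUARD = """
CREATE TRIGGER enforce_tenant_on_insert BEFORE INSERT ON patient_records
WHEN NEW.tenant_id IS NOT (SELECT tenant_id FROM session_ctx)
BEGIN
    SELECT RAISE(ABORT, 'cross-tenant write blocked');
END;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patient_records VALUES (?, ?, ?)", SEED_ROWS)
    conn.executescript(WRITE_GUARD)  # installed after seeding so the seed is not gated
    return conn


@dataclass(frozen=True)
class Session:
    """What the authenticated session asserts. The tenant is bound at login and is
    never read from the request path, query string or body."""
    user_id: str
    tenant_id: str


def resolve_tenant(session: Session, requested: Optional[str]) -> str:
    """Request layer: a tenant named in the request (e.g. /orgs/{id}/...) must equal
    the session tenant, otherwise the request is rejected before any handler runs."""
    if requested is not None and requested != session.tenant_id:
        raise PermissionError(f"session for {session.tenant_id} addressed {requested}")
    return session.tenant_id


class TenantScopedRepo:
    """Application layer: bound to one tenant at construction; every statement is
    parameterized with that tenant and no method accepts raw SQL or a caller tenant."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn, self._tenant = conn, tenant_id
        conn.execute("DELETE FROM session_ctx")
        conn.execute("INSERT INTO session_ctx VALUES (?)", (tenant_id,))

    def list_notes(self) -> List[Tuple[str, str]]:
        cur = self._conn.execute(
            "SELECT record_id, note FROM my_records WHERE tenant_id = ? ORDER BY record_id",
            (self._tenant,))
        return [tuple(row) for row in cur.fetchall()]

    def add_note(self, record_id: str, note: str) -> None:
        self._conn.execute("INSERT INTO patient_records VALUES (?, ?, ?)",
                           (self._tenant, record_id, note))


def read_with_app_bug(conn: sqlite3.Connection, session: Session, filter_tenant: str) -> List[str]:
    """Simulated application-layer bug: the WHERE clause uses a caller-chosen tenant.
    The view still yields only the session tenant's rows, so a foreign filter returns nothing."""
    TenantScopedRepo(conn, session.tenant_id)  # sets the session context
    cur = conn.execute("SELECT record_id FROM my_records WHERE tenant_id = ? ORDER BY record_id",
                       (filter_tenant,))
    return [row[0] for row in cur.fetchall()]


def cross_tenant_write_blocked(conn: sqlite3.Connection, session: Session, victim: str) -> bool:
    """Bypass the request and application layers (as an injection or logic bug might)
    and write a row for another tenant; the trigger must reject it."""
    TenantScopedRepo(conn, session.tenant_id)
    try:
        conn.execute("INSERT INTO patient_records VALUES (?, ?, ?)", (victim, "rec-x", "smuggled"))
    except sqlite3.IntegrityError:
        return True
    return False
```

The point of the three functions at the bottom is that each layer is tested with the layer above it deliberately broken: `resolve_tenant` rejects a request that names a foreign organization, `read_with_app_bug` shows a wrong application filter returning nothing rather than another tenant's data, and `cross_tenant_write_blocked` shows a write that skipped both upper layers still failing at the database. In production the application's database role should be granted only the view (or, with PostgreSQL RLS, the policy applies to the base table), and the session context should be set from the authenticated identity, never from request input.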
Legal & Governance
For details on how Atticus Health collects and protects personal information, see the Privacy Policy. For the terms governing use of the platform and applications, see the Terms of Service.
Protected Health Information is governed by the Business Associate Agreement in place for each customer organization, not the public privacy policy. See PHI Management for BAA coverage details.