Security & Compliance

Built to Pass a Hospital CIO's Security Review

Vizier processes Protected Health Information. We take that seriously. Every customer receives a signed Business Associate Agreement, dedicated encrypted storage, full audit trails, and the documentation your information security team will ask for.

HIPAA Compliant · BAA Available · AES-256 Encryption · TLS 1.3 in Transit · SOC 2 Type II Aligned · Role-Based Access · MFA Enforced · Full Audit Trails

HIPAA Compliance

PHI Handling, Minimum Necessary, and Your BAA

Vizier is a Business Associate as defined under 45 CFR §160.103. When you upload data containing Protected Health Information (patient names, dates of birth, medical record numbers, diagnoses, encounter records), Vizier processes that data as a Business Associate and is bound by the same HIPAA Privacy and Security Rule obligations as your organization.

A signed Business Associate Agreement (BAA) is provided to every Vizier customer before data is uploaded. The BAA aligns with HHS model contract language and specifies permitted uses of PHI, breach notification timelines (within 60 days of discovery per 45 CFR §164.410), and subcontractor obligations.

Vizier applies the HIPAA Minimum Necessary Standard (45 CFR §164.502(b)) to all internal data access. Vizier employees access PHI only when required to resolve a documented support ticket, and all such access is logged in the audit trail visible to your security administrator.

45 CFR §160.103

Business Associate Definition

Vizier qualifies as a BA and executes a compliant BAA before any PHI is processed.

45 CFR §164.502(b)

Minimum Necessary Standard

Internal access to PHI is restricted to documented support cases. All access is logged.

45 CFR §164.410

Breach Notification to BA

Vizier notifies covered entities of any discovered breach within 60 days, consistent with HIPAA timelines.

45 CFR §164.312

Technical Safeguards

Unique user ID, automatic logoff, encryption/decryption, and audit controls implemented across all systems.

45 CFR §164.308

Administrative Safeguards

Security officer designation, workforce training, contingency planning, and evaluation procedures maintained.

Encryption

AES-256 at Rest. TLS 1.3 in Transit. No Exceptions.

Data at Rest

Algorithm: AES-256-GCM
Key management: AWS KMS with per-customer CMK
Key rotation: Automatic, every 365 days
Storage: AWS S3 with server-side encryption
Database: RDS encrypted at rest via AES-256
Backups: Encrypted with the same CMK

Data in Transit

Protocol: TLS 1.3 (TLS 1.2 minimum)
Certificate: 2048-bit RSA, auto-renewed
HSTS: max-age=31536000; includeSubDomains
File upload: Encrypted multipart over TLS 1.3
API calls: HTTPS only, TLS 1.3 enforced
Downgrade: TLS 1.0 / 1.1 disabled, SSLv3 blocked

Data Isolation

Your Data Never Touches Another Customer's Environment

Vizier uses a hard-isolated multi-tenancy architecture. Every customer organization is assigned a dedicated S3 bucket, a dedicated encryption key via AWS KMS, and a logically isolated database schema. No customer data resides in shared storage with any other customer.

Tenant isolation is enforced at the application layer (every API request validates the calling organization's identity before touching data) and at the infrastructure layer (IAM policies restrict S3 access to the owning tenant's CMK). A software bug in the application layer cannot expose one tenant's data to another because infrastructure-layer controls would independently block access.

Vizier does not use customer PHI to train AI models, improve the product for other customers, or for any purpose not specified in the BAA and Terms of Service.

Isolation Architecture

Network: VPC per environment, private subnets for data stores, no public S3 access
Storage: Dedicated S3 bucket per organization, bucket policy allows only that org's IAM role
Encryption: Per-customer KMS Customer Managed Key; other tenants cannot decrypt your data
Database: Row-level tenant ID on all tables, enforced by application ORM and DB constraints
Application: JWT claims carry organization ID; all queries scoped to authenticated tenant
Audit: All data access events logged with tenant ID, user ID, timestamp, and action
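
A check a reviewer could run against a tenant's bucket policy to confirm the storage-layer claims above: only the tenant's IAM role is allowed, requests without TLS are denied, and uploads not encrypted with the tenant's CMK are denied. This is an added example, not Vizier's code or configuration; the ARNs, both policy documents, and the function names are constructed for illustration, and actions are matched by exact string.

```python
# Added example: audit an S3 bucket policy against per-tenant isolation claims.
# Every ARN and both policies are constructed placeholders, not vendor values.
ROLE = "arn:aws:iam::111122223333:role/example-tenant-a"
OTHER = "arn:aws:iam::444455556666:role/example-tenant-b"
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
OBJS = "arn:aws:s3:::example-tenant-a-bucket/*"
SSE_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"

def stmt(effect, principal, action, **cond):
    return {"Effect": effect, "Principal": principal, "Action": action,
            "Resource": OBJS, **({"Condition": cond} if cond else {})}

HARDENED = {"Version": "2012-10-17", "Statement": [
    stmt("Allow", {"AWS": ROLE}, ["s3:GetObject", "s3:PutObject"]),
    stmt("Deny", "*", "s3:*", Bool={"aws:SecureTransport": "false"}),
    stmt("Deny", "*", "s3:PutObject", StringNotEquals={SSE_KEY: KEY}),
]}
WEAK = {"Version": "2012-10-17", "Statement": [
    stmt("Allow", {"AWS": [ROLE, OTHER]}, "s3:*"),
]}

def principals(s):
    """AWS principals a statement names; '*' means anyone."""
    p = s.get("Principal", {})
    if p == "*":
        return {"*"}
    aws = p.get("AWS", [])
    return {aws} if isinstance(aws, str) else set(aws)

def has_deny(policy, action, operator, key, value):
    """True if a Deny for all principals covers `action` under the condition."""
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        cond = s.get("Condition", {}).get(operator, {})
        if (s["Effect"] == "Deny" and principals(s) == {"*"}
                and action in actions and cond.get(key) == value):
            return True
    return False

def audit(policy, role_arn, key_arn):
    """Return findings where the policy falls short of single-tenant isolation."""
    findings = []
    for s in policy["Statement"]:
        extra = principals(s) - {role_arn} if s["Effect"] == "Allow" else set()
        if extra:
            findings.append("allow beyond tenant role: " + ", ".join(sorted(extra)))
    if not has_deny(policy, "s3:*", "Bool", "aws:SecureTransport", "false"):
        findings.append("no deny for non-TLS requests")
    if not has_deny(policy, "s3:PutObject", "StringNotEquals", SSE_KEY, key_arn):
        findings.append("no deny for uploads without the tenant CMK")
    return findings
```

`audit(HARDENED, ROLE, KEY)` returns no findings, while `audit(WEAK, ROLE, KEY)` reports the second tenant's role and both missing Deny statements.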

Audit Trails

Every Data Access Event Is Logged and Exportable

HIPAA's Security Rule (45 CFR §164.312(b)) requires audit controls that record and examine activity in systems containing ePHI. Vizier's audit log captures every event that touches your data and makes it available to your security administrator in real time.

Authentication Events

User login (success and failure)

MFA challenge and result

Password reset initiated

Session created and terminated

API key created or revoked

Data Access Events

File uploaded (user, timestamp, file size)

Query executed (user, query text, rows returned)

Export or download initiated

Alert created, modified, or deleted

Schema mapping confirmed or changed

Admin Events

User invited or deactivated

Role assigned or changed

Organization settings modified

Data deletion request initiated

BAA acknowledged by admin

Audit log retention: 7 years

Consistent with HIPAA's 6-year record retention requirement plus a one-year buffer. Exportable as CSV or JSON on demand.

Immutable logs — cannot be modified or deleted by any user

Access Controls

Role-Based Access and Mandatory MFA

Vizier enforces role-based access control (RBAC) aligned with HIPAA's workforce access management requirements (45 CFR §164.308(a)(3)). Organizations assign roles to users; roles define which data sets can be uploaded, queried, or exported.

Multi-factor authentication is mandatory for all users. Authenticator app (TOTP) and hardware security key (WebAuthn/FIDO2) are both supported. SMS-based MFA is not offered due to SIM-swap attack risk. SSO via SAML 2.0 is available for enterprise customers with existing identity providers (Okta, Azure AD, Google Workspace).

Organization Admin

Manage users, view all audit logs, configure org settings, acknowledge BAA

Data Manager

Upload files, manage schema mappings, configure threshold alerts

Analyst

Run queries, view charts and results, create personal alerts

Viewer

View saved reports and dashboards shared by Analysts — cannot query raw data

SOC 2 Type II Alignment

Designed Against the AICPA Trust Services Criteria

Vizier's security controls are designed against the five AICPA Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A formal SOC 2 Type II audit is underway. The report will be available to enterprise customers under NDA upon completion.

CC6 — Logical & Physical Access

Implemented

MFA, RBAC, session management, least-privilege IAM

CC7 — System Operations

Implemented

Monitoring, alerting, incident response playbooks

CC8 — Change Management

Implemented

Code review required, automated testing, deploy approval gates

CC9 — Risk Mitigation

Implemented

Vendor risk assessments, annual penetration testing

A1 — Availability

Implemented

99.9% SLA, multi-AZ deployment, automated failover

C1 — Confidentiality

Implemented

Encryption at rest and in transit, data minimization

For Your Security Team

Download the Vizier Security Whitepaper

The 24-page security whitepaper covers our full architecture, controls mapping to HIPAA Security Rule and NIST CSF, penetration test scope and cadence, incident response procedures, and subprocessor list.

Designed to be handed directly to a hospital information security officer or IT security team during vendor evaluation. Includes a pre-completed HIPAA security questionnaire.

Security Whitepaper

Sent to your work email immediately. No sales call required.

We will not add you to a marketing list or pass your details to sales.

Security questions before you proceed?

Our security team will respond to information security questionnaires within two business days.
