Security & Privacy

Built with patient data protection at every layer.

Specialty pharmacy operations require handling protected health information with precision. Medsync is designed with HIPAA controls from the ground up — not as an afterthought.

Review Our Documentation

HIPAA Controls

Designed with HIPAA controls

We are not claiming HIPAA certification — we are designed with HIPAA controls as a first-class engineering requirement. HIPAA Business Associate Agreements (BAA) are available on Growth and Enterprise plans.

Encryption in Transit

All data transmitted between Medsync and payer networks, pharmacy systems, and end-users uses TLS 1.2+ encryption. No unencrypted PHI transmission.

Encryption at Rest

PHI stored in Medsync databases uses AES-256 encryption. Encryption keys are managed separately from encrypted data, following least-privilege access principles.

BAA Available

A HIPAA Business Associate Agreement is included with Growth and Enterprise plans, and available on request for Starter customers with compliance requirements.

Access Controls

Role-based access controls limit PHI visibility to authorized pharmacy staff. Each user account has logged access with timestamps. Admin controls available to pharmacy managers.

Data Practices

What we do with patient data

Data Minimization

We collect only the PHI necessary to process PA and BV requests. We do not retain PHI longer than required for active processing and the configured retention period.

Retention Policies

PA and BV records are retained for 7 years in compliance with HIPAA requirements, then deleted. Active records are purged 90 days after prescription closure unless extended retention is configured.

Audit Logging

All access to PHI is logged with user ID, timestamp, and action. Audit logs are immutable and available to pharmacy administrators for compliance review.

No Data Selling

We do not sell, share for advertising purposes, or aggregate patient data across customers. PHI processed in your Medsync instance stays in your Medsync instance.

Infrastructure

Infrastructure designed for PHI workloads

AWS-Hosted

Medsync runs on Amazon Web Services infrastructure in US-based regions. All PHI processing and storage uses AWS HIPAA-eligible services, with data residency confined to US regions.

SOC 2 Controls Design

Our security program is designed with SOC 2 Type II controls in mind. We are not currently SOC 2 certified — we are building toward that milestone as we grow.

Uptime & Redundancy

Medsync is deployed with multi-AZ redundancy for production workloads. We maintain an operational status page and notify customers of any service impacts. Enterprise customers receive SLA-backed uptime commitments.

Security questions? Talk to our team.

We're happy to review our security documentation, discuss BAA terms, or answer questions from your compliance team before you commit.

Contact Our Team