Security & compliance · engineered, not retrofitted

Built for the most regulated healthcare data.

Behavioral health data is the most sensitive category in healthcare. Navix is engineered for HIPAA, 42 CFR Part 2, SOC 2, ONC Health IT (Drummond), and TCPA from the foundation up — not retrofitted.

  • AES-256 · At-rest encryption with AWS KMS-managed key rotation
  • TLS 1.3 · In-transit encryption across every PHI surface
  • 24 / 7 · PagerDuty-escalated monitoring with documented IR plan
  1. 45 CFR §164 · Privacy + Security Rules

    HIPAA Compliant

    Full HIPAA Privacy + Security Rule compliance. BAA included with every paid plan.

    Audited · 2026
  2. AICPA Trust Services · Type II

    SOC 2 Type II Certified

    Type II audited. Security, availability, confidentiality, and processing integrity controls.

    Type II · current
  3. ONC Health IT · Drummond ACB

    Drummond Certified

    ONC Health IT certified through Drummond Group, an ONC-Authorized Certification Body. Validates interoperability, security, and clinical-functionality standards.

    Certified · current
  4. 42 CFR · Part 2 · SUD records

    42 CFR Part 2 Ready

    Substance use disorder records protected with the heightened consent + re-disclosure controls Part 2 requires.

    Engineered · in production
  5. 47 USC §227 · TCPA Consent

    TCPA Compliant SMS

    Full opt-in flow with mobile verification. STOP / HELP keyword support. No PHI over SMS.

    Verified flow · live
Security controls · eight layers

Eight layers of defense.

Encryption, identity, audit, infrastructure, response, continuity, workforce, and supply chain. Each layer documented. Each layer audited. Each layer in production today.

  • 01

    Encryption

    All data encrypted in transit (TLS 1.3) and at rest (AES-256). Keys managed via AWS KMS with regular rotation.

    • TLS 1.3
    • AES-256
    • AWS KMS
  • 02

    Access controls

    Role-based access controls. SSO via SAML 2.0 / OIDC for enterprise. Mandatory two-factor authentication. Session timeouts and IP allowlisting available.

    • RBAC
    • SAML / OIDC
    • 2FA enforced
  • 03

    Audit logging

    Append-only logs of every PHI access — who viewed which record, when, from what IP, and what actions they took. Retained per HIPAA Security Rule requirements.

    • Append-only
    • Per-record
    • HIPAA retention
  • 04

    Infrastructure

    Hosted on AWS in HIPAA-eligible regions. VPC isolation, private subnets, security groups, and least-privilege IAM. Continuous vulnerability scanning.

    • AWS · HIPAA-eligible
    • VPC isolated
    • Continuous scans
  • 05

    Incident response

    Documented incident response plan. 24 / 7 monitoring with PagerDuty escalation. Breach notification procedures align with HIPAA's 60-day rule.

    • Documented IR
    • PagerDuty
    • 60-day rule
  • 06

    Business continuity

    Daily encrypted backups with point-in-time recovery. Multi-AZ failover. Tested disaster recovery plan with documented RPO / RTO.

    • Daily backups
    • Multi-AZ
    • RPO / RTO
  • 07

    Workforce

    Mandatory HIPAA and security training for all employees. Background checks. Confidentiality agreements. Least-privilege access for engineering.

    • HIPAA training
    • Background checks
    • Least privilege
  • 08

    Vendor management

    Subcontractor BAAs in place with all PHI-handling third parties. Annual vendor reviews. Vendor risk register maintained.

    • Subcontractor BAAs
    • Annual reviews
    • Risk register
AI / ML safeguards

AI in healthcare, done right.

AI in healthcare requires a higher bar than AI in consumer software. Here's how Navix handles training data, customer isolation, and model governance.

  1. Safe Harbor · 18 identifiers stripped

    De-identified training data

    All AI/ML training data is de-identified per HIPAA Safe Harbor (45 CFR 164.514(b)(2)) — 18 identifier categories removed before any data enters a training pipeline.

  2. Account-isolated by design

    No cross-account leakage

    Identifiable PHI is never shared across customer accounts. Within a single account, AI features use that account's data only, under the BAA terms.

  3. Anti-memorization guardrails

    Models predict, not recite

    AI/ML models output predictions and suggestions; they're designed not to reproduce training data verbatim.

  4. Continuous evaluation

    Audited for accuracy and bias

    Regular audits of AI/ML systems for accuracy, bias, and privacy compliance.

  5. Granular feature toggles

    Facility-level control

    Facilities retain control over which AI features are enabled in their accounts.

  6. No external monetization

    We don't sell PHI

    We don't sell PHI or de-identified data. Use is for product improvement only, not external monetization.

42 CFR Part 2 · enhanced protection

Substance use disorder records get extra protection.

42 CFR Part 2 places stricter controls than HIPAA on disclosure of substance use disorder records. Written patient consent is generally required for any disclosure; recipients are prohibited from re-disclosure. The penalties for violation are severe.

Navix is engineered around these requirements. Part 2 records carry an enhanced consent flag throughout the system. Every disclosure is logged. Re-disclosure warnings are surfaced where they matter. Our de-identification methods meet the Part 2 standard.

  • Consent flag · Carried on every Part 2 record across the system.
  • Disclosure log · Append-only record of every disclosure event.
  • Re-disclosure warning · Surfaced inline at the point of share.
  • De-id standard · Methods meet Part 2 — not just HIPAA Safe Harbor.
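One way the consent flag, append-only disclosure log and inline re-disclosure warning described above fit together, as an added example that is not Navix code: a Part 2 record carries its flag and the recipients named on consent, every share attempt is logged before data leaves, and an allowed share returns the warning with it. Record ids, recipient names and the warning wording are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Placeholder wording; the operative notice text comes from 42 CFR Part 2 itself.
REDISCLOSURE_WARNING = "42 CFR Part 2 prohibits further disclosure without written consent."

@dataclass(frozen=True)
class Part2Record:
    """A SUD record; the Part 2 flag and consented recipients travel with it."""
    record_id: str
    part2: bool
    consented_recipients: frozenset = frozenset()

class DisclosureLog:
    """Append-only: entries can be added and read, never edited or removed."""
    def __init__(self):
        self._entries = []

    def append(self, **entry):
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        self._entries.append(entry)

    def entries(self):
        return tuple(dict(e) for e in self._entries)  # copies; history stays intact

def disclose(record, recipient, purpose, log):
    """Gate a share: a Part 2 record needs consent that names the recipient.
    Every attempt, allowed or denied, is logged before any data leaves, and an
    allowed Part 2 share carries the re-disclosure warning inline."""
    allowed = (not record.part2) or recipient in record.consented_recipients
    log.append(record_id=record.record_id, recipient=recipient,
               purpose=purpose, part2=record.part2, allowed=allowed)
    if not allowed:
        raise PermissionError(f"no Part 2 consent naming {recipient}")
    return {"record_id": record.record_id, "recipient": recipient,
            "warning": REDISCLOSURE_WARNING if record.part2 else None}

def demo():
    """Constructed sample: one consented share, then one denied share."""
    log = DisclosureLog()
    rec = Part2Record("rec-001", part2=True, consented_recipients=frozenset({"clinic-b"}))
    ok = disclose(rec, "clinic-b", "treatment", log)
    try:
        disclose(rec, "insurer-x", "billing", log)
        denied = False
    except PermissionError:
        denied = True
    return ok, denied, log.entries()
```

Denied attempts are logged too, so the disclosure log doubles as evidence for detection and audit, not only as a record of successful shares.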
Need our security documentation?

SOC 2 Type II, BAA, pen-test summaries on request.

We provide our SOC 2 Type II report, BAA, security questionnaire responses, and penetration test summaries to qualified prospects under NDA.

  • SOC 2 Type II · audited
  • BAA included · every paid plan
  • Pen-test summaries · under NDA