HealthNext
Book a demo

Security & trust

Safe and compliant by construction.

Healthcare AI lives or dies on trust. HealthNext is built so the security and compliance story is structural — the boundary, the gate, the audit chain, and the human checkpoint are properties of how the system runs, not features layered on top.

01

In-boundary architecture

The data plane runs inside the customer's own cloud account or a single-tenant dedicated instance. Agents and the served model execute next to your data, not in a shared multi-tenant service. PHI and PHI-derived artifacts stay inside your boundary; only de-identified operational metrics leave it.

02

A PHI gate that blocks, not redacts

Protected health information is stopped at a fail-closed gate before it can reach a place it should not be — including model training. The gate defaults to denial: if classification is uncertain, the data does not pass. Rejected sources are recorded so the boundary can be proven held.

03

BAA-ready, HIPAA-aligned posture

HealthNext is designed to operate under a Business Associate Agreement and aligns to HIPAA Security Rule safeguards — access control, audit controls, integrity, and transmission security. This is posture by design; we describe what the architecture enforces, not certifications we do not hold.

04

Audit-ready by construction

Every agent action — every read, decision, and hand-off — is written to a hash-chained, write-once (WORM) evidence record. The audit trail is a byproduct of running the system, not a report assembled after the fact. Tampering breaks the chain.

05

A human holds every adverse decision

Agents assemble evidence, draft, and route. People decide. Any decision that adversely affects a member or claim routes to a human checkpoint before it takes effect. The control is structural, not a setting that can be quietly switched off.

06

Provable model lineage

The model serving each customer is forked from a shared in-boundary base and trained only on that customer's non-PHI environment. Model lineage is signed into the evidence chain, so what produced a given output can be traced and verified.

How we talk about compliance

Diligence-safe by default.

We hold ourselves to claims a buyer's security team can verify. That discipline is part of the product.

  • We state posture we can back. We do not claim SOC 2, HITRUST, or other attestations we have not earned.
  • Compliance language describes how the architecture is built — "by construction," "by design," "fail-closed" — not external certifications.
  • Demo environments use synthetic data only. No real PHI is present in any demo or marketing surface.

Bring your security team. We built this for their questions.

Walk through the boundary, the PHI gate, the evidence chain, and the deployment model with the people who have to sign off.

Book a demo How it deploys