Trust & Security
Enterprise-grade security for healthcare software that handles real patient data.
When you build healthcare software with Zee Palm, you get a team that treats compliance and security as foundational — not an afterthought. Here is how we protect patient data and maintain the trust healthcare organizations require.
BAA-ready from day one.
We operate as a Business Associate under HIPAA. This means we can sign Business Associate Agreements (BAAs) with covered entities and other business associates, taking on the legal obligations required to handle Protected Health Information (PHI).
What this means for you
- BAA execution: We sign BAAs as standard practice for any engagement involving PHI. No additional negotiation required.
- Workforce training: All team members complete HIPAA training annually. Role-specific training for engineers handling PHI.
- Administrative safeguards: Documented policies for access management, incident response, and workforce security.
- Technical safeguards: Encryption, access controls, audit logging, and integrity controls implemented across all systems.
Clear policies for how we handle healthcare data.
Patient data is not just another data type. We treat PHI with the care and rigor it requires — from how we access it during development to how we ensure it is properly disposed of when no longer needed.
Data minimization
We collect and process only the data necessary for the specific healthcare function. No unnecessary data retention or secondary use without explicit consent.
PHI boundaries
Clear separation between PHI and non-PHI systems. PHI never leaves compliant environments. Development and testing use synthetic or de-identified data.
Retention and disposal
Data retention policies aligned with HIPAA and client requirements. Secure deletion procedures with verification. No orphaned data in backups or logs.
Subprocessor management
All subprocessors vetted for HIPAA compliance. BAAs in place with any vendor handling PHI. Regular review of subprocessor security posture.
Defense in depth across every layer.
Security is not a feature we add at the end. It is built into how we design systems, write code, and operate infrastructure. These practices apply to every healthcare project we deliver.
Access controls
Role-based access with least-privilege principles. Multi-factor authentication required for all production systems. Access reviews conducted quarterly.
Encryption
AES-256 encryption at rest. TLS 1.2+ for all data in transit. Key management through cloud-native services with automatic rotation.
Audit logging
Comprehensive audit trails for PHI access and system changes. Logs retained per HIPAA requirements and available for compliance reviews.
Secure development
Code reviews required for all changes. Dependency scanning and vulnerability assessments. No secrets in code — environment-based configuration only.
Infrastructure security
HIPAA-eligible cloud services (AWS, GCP, Azure). Network segmentation and firewall rules. Regular patching and security updates.
Incident response
Documented incident response procedures. Breach notification protocols aligned with HIPAA requirements. Post-incident reviews and remediation tracking.
Current status and roadmap.
We believe in transparency about where we are in our compliance journey. Here is the honest status of our certifications and what we are working toward.
HIPAA compliance
We operate under HIPAA-compliant policies and procedures. Business Associate Agreements available for all client engagements involving PHI.
SOC 2 Type II
Currently implementing controls for SOC 2 Type II certification. Expected completion: 2026. Controls already operational for security, availability, and confidentiality.
HITRUST CSF
HITRUST certification planned following SOC 2 completion. Many HITRUST controls already addressed through our HIPAA and SOC 2 programs.
A note on compliance
HIPAA does not have a formal certification — compliance is demonstrated through policies, procedures, and technical controls. When we say we are "HIPAA compliant," we mean we have implemented the administrative, physical, and technical safeguards required by the HIPAA Security Rule and can execute BAAs with covered entities. Third-party certifications like SOC 2 and HITRUST provide additional independent validation of our security controls.
Questions about our security posture?
We are happy to discuss our security practices in detail, provide documentation for your compliance team, or walk through how we would handle PHI for your specific use case.