RecordIQ is aligned with and supports the industry standards that govern our customers' work. We are desktop software that runs entirely on our customers' machines — we do not access, transmit, or store customer documents, patient data, or protected health information. Knowing which frameworks apply to us — and which do not — is part of how we earn customers' trust.
The tables below classify each standard into one of four statuses: Implemented, Aligned With, Supports Customer, or Not Applicable.
Legal & Court Systems
Applicable to law firms using RecordIQ for medical records review, chronology preparation, and document production in litigation.
| Standard | Status | How it applies to RecordIQ |
|---|---|---|
| PDF/A | Aligned With | Report outputs are generated as standard PDFs suitable for long-term archiving. Formal PDF/A-1b conformance testing is on the roadmap. |
| Federal Rules of Civil Procedure (FRCP) | Not Applicable | FRCP governs procedure in U.S. courts, not software vendors. Our customers are responsible for FRCP compliance in their own litigation practice. RecordIQ's outputs are designed to be usable in FRCP-governed proceedings. |
| CM/ECF (Electronic Court Filing) | Not Applicable | CM/ECF is a court-side filing system. RecordIQ does not integrate directly with CM/ECF; our outputs are standard PDFs that customers file through their own court systems. |
| WCAG 2.1 AA (Website Accessibility) | Aligned With | Our public marketing website targets WCAG 2.1 AA principles (keyboard navigation, semantic HTML, color contrast). Ongoing verification; please email support@recordiq.app to report barriers. |
| ISO/IEC 27001 (Information Security) | Aligned With | Not independently certified. Our controls — offline processing, AES-256 encryption, HMAC-chained audit logging, role-based access — follow ISO 27001 principles. |
| NIST SP 800-53 (Federal Information Systems) | Not Applicable | NIST SP 800-53 applies to U.S. federal information systems and contractors. RecordIQ does not currently sell to federal agencies. We would require a Moderate baseline assessment before federal procurement. |
Medical & Healthcare
Applicable to law firms handling medical records, legal nurse consultants, and (future) medical providers using RecordIQ for document processing.
| Standard | Status | How it applies to RecordIQ |
|---|---|---|
| HIPAA Privacy Rule | Supports Customer | RecordIQ is not a HIPAA Covered Entity and, in normal operation, is not a Business Associate — no PHI is ever transmitted to RecordIQ. The software is designed to help customers meet their own Privacy Rule obligations. A no-PHI-access BAA attestation is available on request. |
| HIPAA Security Rule | Supports Customer | All customer data stays on the local workstation. AES-256 encryption, offline processing, hardware-derived device identifiers, and immutable HMAC-chained audit logging support customers' Security Rule compliance. |
| HIPAA Safe Harbor De-identification (§164.514) | Implemented | PHI redaction covers twenty-three (23) identifier types (twenty-one regex-based, two deterministic pattern-based) designed to support Safe Harbor de-identification. |
| ICD-10-CM | Implemented | ICD extraction outputs codes in ICD-10-CM format with decimal notation (e.g., M54.5). Every extracted code is traceable to its source page and line. |
| CPT (AMA Current Procedural Terminology) | Implemented | CPT code extraction follows the AMA 5-digit numeric format. Recognized in radiology, surgical, and E&M contexts. |
| HL7 v2 / FHIR | Not Applicable | HL7 and FHIR are interoperability standards for live clinical data exchange between EHRs and hospital systems. RecordIQ processes documents, not live feeds. FHIR-formatted export is on the long-term roadmap but not currently supported. |
| SNOMED CT | Not Applicable | SNOMED CT terminology mapping is not currently supported. Under evaluation for a future release targeted at clinical customers. |
| ONC Health IT Certification | Not Applicable | ONC certification applies to electronic health record (EHR) systems. RecordIQ is a document-processing tool, not an EHR, and does not participate in federal EHR incentive programs. |
| FDA Medical Device Regulation | Not Applicable | RecordIQ is not a medical device. It is not used for patient diagnosis, treatment, or clinical decision support, and it does not meet the FDA's definition of Software as a Medical Device (SaMD). |
| FISMA (Federal Information Security) | Not Applicable | FISMA applies to federal agencies and their contractors. RecordIQ does not currently sell to federal agencies. |
Insurance & Claims
Applicable to insurance carriers, claims departments, SIU teams, and workers' compensation adjusters using RecordIQ for claims-related document review.
| Standard | Status | How it applies to RecordIQ |
|---|---|---|
| NAIC Model Privacy & Data Security | Supports Customer | Offline processing, AES-256 encryption at rest, and audit logging support insurance carriers' obligations under state-adopted NAIC model laws (e.g., Insurance Data Security Model Law). RecordIQ itself is not an insurer and is not regulated under NAIC frameworks. |
| PCI DSS | Not Applicable | RecordIQ does not handle payment card data. All payment processing is performed by Stripe, which is PCI DSS Level 1 certified. No cardholder data touches RecordIQ infrastructure. |
| ISO 9001 (Quality Management) | Aligned With | Not independently certified. Version control, automated CVE scanning against a pinned baseline, test harness, and config-integrity baselines follow ISO 9001 principles. |
| Solvency II | Not Applicable | Solvency II is a European Union insurance capital regulation. RecordIQ has no EU nexus, no EU customers, and does not market to EU residents. |
| IFRS 17 | Not Applicable | IFRS 17 is an international financial reporting standard for insurance contracts. It governs how insurers report financials, not how document-processing vendors operate. |
Privacy & Data Protection
Applicable to RecordIQ's handling of prospect and customer business data (name, email, firm, license key, device identifier). Note: no patient data ever reaches RecordIQ.
| Standard | Status | How it applies to RecordIQ |
|---|---|---|
| CCPA / CPRA (California) | Implemented | Privacy notice, access and deletion request process, and do-not-sell/share posture are described in our Privacy Policy. |
| PIPEDA (Canada federal) | Implemented | Consent at lead signup and EULA acceptance, access/correction rights, and Canadian data residency (Azure Canada East) for Canadian customer data. |
| Quebec Law 25 (An Act respecting the protection of personal information) | Implemented | Designated Privacy Officer per Article 3.1. French-language Privacy Policy (Politique de Confidentialité) published. Privacy Impact Assessment completed. |
| Ontario PHIPA, Alberta HIA, BC PIPA | Supports Customer | Provincial health privacy laws apply primarily to our customers. The software's offline architecture supports their compliance. 7-year retention for PHIPA-relevant records. |
| GDPR (European Union) | Not Applicable | RecordIQ has no EU nexus. We do not market to, sell to, or collect data from EU residents. GDPR does not apply to our operations. |
Security & Cryptography
Cross-cutting security standards governing how RecordIQ encrypts, audits, and protects data on the customer's workstation. These apply across all verticals (court, medical, insurance) regardless of customer type.
| Standard | Status | How it applies to RecordIQ |
|---|---|---|
| AES-256-GCM (FIPS PUB 197) | Implemented | All data at rest and during local processing is encrypted with AES-256 in Galois/Counter Mode. The AES algorithm is specified in FIPS PUB 197 (Advanced Encryption Standard), the U.S. federal standard for symmetric-key encryption; the GCM mode of operation is specified in NIST SP 800-38D. |
| NIST SP 800-171 (CUI Protection) | Aligned With | Not independently certified. RecordIQ's controls — access control, audit logging, configuration management, identification & authentication, system & information integrity — follow the 14 NIST SP 800-171 control families used to protect Controlled Unclassified Information. |
| SOC 2 (Trust Services Criteria) | Aligned With | Not currently SOC 2 audited. Security practices follow the SOC 2 Trust Services Criteria principles for security, availability, processing integrity, and confidentiality. Formal Type II audit on the roadmap as customer base scales. |
| HMAC-SHA256 (RFC 2104) | Implemented | Audit log entries are chained with HMAC-SHA256 to produce tamper-evident records. Each entry's hash incorporates the previous entry's hash, creating an immutable chain that exposes any retroactive tampering. |
| Section 508 (Federal Accessibility) | Aligned With | Public marketing site targets Section 508 / WCAG 2.1 AA principles (keyboard navigation, semantic HTML, color contrast). Desktop application accessibility verification is on the roadmap. |
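An added Python example (not RecordIQ's code) of the HMAC-SHA256 audit-log chaining described in the table above: each entry's tag covers the previous entry's tag plus the entry's canonical JSON, and the verifier reports the first entry whose tag no longer matches. The key, event records and field names are constructed for illustration.

```python
import copy, hashlib, hmac, json

# Constructed example: an HMAC-SHA256 chained audit log and its verifier.
GENESIS_TAG = "0" * 64  # stand-in "previous tag" for the first entry

def _tag(key: bytes, prev_tag: str, body: dict) -> str:
    # The MAC covers the previous entry's tag plus this entry's canonical JSON,
    # so every tag depends on the entire history before it.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + canon, hashlib.sha256).hexdigest()

def append_entry(log: list, key: bytes, event: dict) -> dict:
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    body = {"seq": len(log), "event": event}
    entry = dict(body, tag=_tag(key, prev_tag, body))
    log.append(entry)
    return entry

def verify_chain(log: list, key: bytes):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or not hmac.compare_digest(
                _tag(key, prev_tag, body), entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None

def demo(key: bytes = b"constructed-demo-key-do-not-use") -> dict:
    """Build a three-entry log, then see what the chain does and does not catch."""
    log = []
    for ev in ({"user": "alice", "action": "open", "doc": "case-001.pdf"},
               {"user": "alice", "action": "redact", "doc": "case-001.pdf"},
               {"user": "bob", "action": "export", "doc": "case-001.pdf"}):
        append_entry(log, key, ev)
    edited = copy.deepcopy(log)
    edited[1]["event"]["user"] = "mallory"  # retroactively rewrite entry 1
    dropped = log[:1] + log[2:]             # remove the middle entry
    truncated = log[:2]                     # drop the newest entry
    return {
        "intact": verify_chain(log, key),
        "edited": verify_chain(edited, key),
        "dropped": verify_chain(dropped, key),
        # The chain alone cannot see tail truncation: anchor the newest tag
        # (or the entry count) somewhere the log writer cannot rewrite.
        "truncated": verify_chain(truncated, key),
    }
```

The chain is only as tamper-evident as the HMAC key is secret from whoever could edit the log, and removal of the newest entries is invisible to the chain unless the latest tag is anchored elsewhere.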