How does the platform support HIPAA?

RecordIQ is designed to support HIPAA compliance. We offer safeguards such as access controls, audit logging, and encryption, and a Business Associate Agreement (BAA) is available. However, we do not guarantee HIPAA compliance, and compliance ultimately depends on how the service is configured and used by each customer.

Does the platform meet SOC 2 standards?

Designed with SOC 2 principles in mind. We are currently preparing for a SOC 2 Type I audit as part of our ongoing security and compliance program.

Does the platform support CCPA/CPRA?

Supports CCPA/CPRA principles and requirements. Data processing addendums (DPA) are available. Customers retain control of data to ensure compliance.

How does the platform support PIPEDA?

Supports PIPEDA requirements for Canadian data privacy and provides tools to help customers meet regulatory obligations.

What encryption and security measures are in place?

AES-256-GCM (FIPS 197 standard) for data at rest. PBKDF2-SHA256 key derivation with 600,000 iterations. HMAC-SHA256 audit chain and DPAPI key wrapping for secure key management.

Does the platform require internet access?

All processing occurs locally by default. Network access occurs only for verification or user-initiated diagnostic log submissions, which are automatically PHI-scrubbed before transmission.

How is data retention handled?

Supports audit log retention up to 6 years. Logs 19 event types to provide accountability and traceability. Retention policies are configurable to align with customer compliance requirements.

Trust & Compliance Center

Q: What accessibility standards are supported?

Interface designed to support WCAG 2.1 AA accessibility. Partial support verified; consult the VPAT for detailed compliance coverage.

Shared Responsibility

Our Commitment & Your Role

We operate on a shared responsibility model: our tools are designed to support compliance efforts, but customers remain responsible for configuration, usage, and adherence to applicable regulations.

What we provide: Technical safeguards (encryption, access controls, audit logging), administrative safeguards (BAA availability, security documentation, compliance mapping), and ongoing security improvements.

What you are responsible for: Configuring the software appropriately, managing access within your organization, maintaining your encryption keys, and ensuring your use complies with applicable laws and regulations.

Frameworks & Standards

Regulatory Alignment

Our software is designed with guidance from established standards, as appropriate to the system and use case.

H

HIPAA

RecordIQ is designed to support HIPAA compliance.

Access controls, audit logging, and encryption safeguards
Business Associate Agreement (BAA) available
PHI redaction with 23 HIPAA-defined identifiers
Redaction aligned with Safe Harbor de-identification standard

We do not guarantee HIPAA compliance. Compliance depends on customer configuration and use.

S

SOC 2

Designed with SOC 2 principles in mind.

Technical safeguards aligned with Trust Services Criteria
Currently preparing for a SOC 2 Type I audit
55 criteria documented across CC1–CC9, A1, PI1, C1
27 governance policy documents maintained

C

CCPA/CPRA

Supports California Consumer Privacy Act / California Privacy Rights Act requirements.

Data Processing Addendum (DPA) available
All processing occurs locally — no cross-border data transfers
Customers retain full control of their data
No sale or sharing of personal information

P

PIPEDA

Supports PIPEDA requirements for Canadian data privacy.

10 Fair Information Principles referenced
Provincial coverage: Ontario PHIPA, Alberta HIA, BC PIPA, Quebec Law 25
Canadian data residency supported (Azure Canada East)
Tools and policies to help meet regulatory obligations

W

WCAG 2.1 AA / Section 508

Interface designed to support WCAG 2.1 AA accessibility.

High Contrast theme (WCAG AAA 7:1+ contrast ratio)
Font scaling: 75% to 150% (6 presets)
Keyboard tab order across all 32 interactive tabs
85+ accessible widget names for screen readers
VPAT 2.5 (Section 508) published

Partial support verified. Consult our VPAT for detailed coverage.

N

NIST & FRCP

Designed with guidance from NIST and federal rules.

NIST SP 800-171: 110 controls mapped
FIPS 197: AES-256-GCM encryption standard
NIST SP 800-88: Secure data deletion guidelines
FRCP Rule 26(b)(5)(A): Aligned privilege log format
FRCP-aligned demand letter and production set formats

Technical Safeguards

How We Protect Your Data

Encryption

AES-256-GCM (FIPS 197 standard) for data at rest
PBKDF2-SHA256 key derivation with 600,000 iterations
HMAC-SHA256 audit chain for integrity verification
DPAPI key wrapping for secure key management
Ed25519 asymmetric license signing

Offline-First Architecture

All document processing occurs locally on your device
Network access only for license verification () or user-initiated diagnostic uploads
Diagnostic uploads are automatically PHI-scrubbed before transmission

Access Controls

PIN-based authentication (PBKDF2-hashed, 5-attempt lockout)
Configurable auto-lock timeout (5–90 minutes)
Hardware-bound licensing (CPU, motherboard, disk, BIOS serial)
Session management with inactivity detection

Data Minimization

Designed to minimize residual data on disk
Secure multi-pass file deletion (NIST SP 800-88 guidelines)
Temporary files cleaned after each session
Startup sweep catches leftovers from crashes

Audit Logging

HMAC-chained tamper-evident audit trail
19 event types tracked
Supports retention up to 6 years (HIPAA §164.530(j))
PHI auto-redacted from all log entries
Tamper detection via chain integrity verification

Key Management

3 encrypted key backups maintained automatically
Automated key rotation (configurable interval)
Windows DPAPI binding (no plaintext fallback)
Config integrity monitoring (SHA-256 drift detection)

Data Handling & Privacy

Your Data, Your Control

Data remains on your device unless you choose to submit diagnostic logs or license verification information.
Our platform provides configurable tools and safeguards to support compliance, but users maintain control over their data.
No automatic data transmission occurs without user initiation.
Original source files are never modified by any processing operation.
All output reports are encrypted by default with your local encryption key.

Disclaimers

Important Notices

While the platform supports multiple regulatory frameworks, we do not guarantee compliance. Compliance depends on customer configuration and use.
All cryptographic, retention, and security claims are based on verified implementation and configuration as of the current version.
We are currently preparing for a SOC 2 Type I audit. SOC 2 certification has not yet been obtained.
WCAG 2.1 AA support is partial. Consult our VPAT for detailed conformance coverage.
Customers are responsible for configuring and using the service in accordance with applicable laws.

Official Statement

Compliance & Security Statement

All claims regarding privacy, security, and regulatory frameworks on this site have been thoroughly reviewed and verified. Our platform is designed to support HIPAA, SOC 2, CCPA/CPRA, PIPEDA, WCAG 2.1 AA, and NIST guidance, with technical safeguards including encryption, audit logging, and offline-first architecture. While we provide tools and features to facilitate compliance, customers remain responsible for proper configuration and use. This statement reflects our current verified practices and may be updated as standards and frameworks evolve.

Last reviewed: March 28, 2026 • Version 5.11.0

Supporting Documents

Compliance Resources

Review our detailed documentation for specific framework coverage and legal agreements.

Security Whitepaper Government Compliance HIPAA BAA Data Processing Addendum Privacy Policy Privacy Impact Assessment EULA Breach Notification Policy

Security. Privacy. Compliance.