Security & compliance
Patient data, treated like it matters
PEPTPlus coordinates prescriptions between providers, verified pharmacies, and patients. Everything below describes how the platform is actually built, not a roadmap.
🛡HIPAA-first PHI handling
- Patient identity is tokenized: clinical and business records reference opaque tokens, never names.
- Every practice's data is isolated with database-enforced row-level security; PHI tables additionally force isolation for every connection.
- Patients access their own prescription through a signed, short-lived link plus date-of-birth verification, with brute-force lockout.
- Notification emails never contain PHI; details appear only after secure verification.
⛓Tamper-evident audit trail
- Every PHI access, human or API, writes to an append-only audit ledger recording who, what, and when, including failed attempts.
- Each entry is SHA-256 hash-chained to the one before it, making tampering evident, with one-click integrity verification.
- The ledger is archived nightly to immutable, write-once storage retained for 7 years.
℞Verifiable e-prescribing
- Prescriptions are validated for completeness (prescriber NPI and in-state license, patient demographics, drug elements) before they can be signed.
- Every signed prescription generates an NCPDP SCRIPT message and a locked PDF whose SHA-256 hash is written into the audit chain; the exact document signed is provable later.
- State-license routing is enforced server-side: scripts only route to pharmacies licensed for the patient's state.
🔐Encryption & key management
- All traffic is encrypted in transit (TLS); all data is encrypted at rest.
- Sensitive identifiers (e.g. investor tax IDs) get an extra layer of field-level AES-256-GCM encryption, with keys held in Azure Key Vault.
- Documents live in private storage (never public) and are served through short-lived signed URLs; confidential investor documents are watermarked per viewer.
☁Audited infrastructure
- Hosted end-to-end on Microsoft Azure (database, application, storage, and secrets) under a HIPAA Business Associate Agreement.
- Azure's infrastructure maintains SOC 2 Type II and ISO 27001 attestations (Microsoft's audits, which our hosting inherits).
- Least-privilege database roles: the application cannot touch the token-to-identity map or bypass isolation.
👥Access control
- Role-based portals: providers, pharmacies, labs, investors, and admins each see only their own surface, enforced at the routing layer and the database.
- Organization-level changes (billing, team, API keys, payouts) are owner-only.
- Customer sign-in runs on Microsoft Entra External ID with email verification; team members join by invitation only.
In progress: clearly labeled until complete
Expected July 2026
EPCS certification (DEA 21 CFR Part 1311), enabling controlled-substance e-prescribing. Not required for the non-controlled compounds PEPTPlus routes today.
Underway
SOC 2 Type II readiness: our control inventory, audit trail, and data-flow documentation are maintained against SOC 2 criteria ahead of a formal audit.
Forward-looking statements: items in this panel describe certifications and audits in progress, with expected (not guaranteed) timelines. They become present-tense claims only when complete.
Questions about our security posture, BAAs, or compliance documentation?