Security & compliance

Patient data, treated like it matters

PEPTPlus coordinates prescriptions between providers, verified pharmacies, and patients. Everything below describes how the platform is actually built, not a roadmap.

🛡HIPAA-first PHI handling

  • Patient identity is tokenized: clinical and business records reference opaque tokens, never names.
  • Every practice's data is isolated with database-enforced row-level security; PHI tables additionally force isolation for every connection.
  • Patients access their own prescription through a signed, short-lived link plus date-of-birth verification, with brute-force lockout.
  • Notification emails never contain PHI; details appear only after secure verification.

Tamper-evident audit trail

  • Every PHI access, human or API, writes to an append-only audit ledger recording who, what, and when, including failed attempts.
  • Each entry is SHA-256 hash-chained to the one before it, making tampering evident, with one-click integrity verification.
  • The ledger is archived nightly to immutable, write-once storage retained for 7 years.

Verifiable e-prescribing

  • Prescriptions are validated for completeness (prescriber NPI and in-state license, patient demographics, drug elements) before they can be signed.
  • Every signed prescription generates an NCPDP SCRIPT message and a locked PDF whose SHA-256 hash is written into the audit chain; the exact document signed is provable later.
  • State-license routing is enforced server-side: scripts only route to pharmacies licensed for the patient's state.

🔐Encryption & key management

  • All traffic is encrypted in transit (TLS); all data is encrypted at rest.
  • Sensitive identifiers (e.g. investor tax IDs) get an extra layer of field-level AES-256-GCM encryption, with keys held in Azure Key Vault.
  • Documents live in private storage (never public) and are served through short-lived signed URLs; confidential investor documents are watermarked per viewer.

Audited infrastructure

  • Hosted end-to-end on Microsoft Azure (database, application, storage, and secrets) under a HIPAA Business Associate Agreement.
  • Azure's infrastructure maintains SOC 2 Type II and ISO 27001 attestations (Microsoft's audits, which our hosting inherits).
  • Least-privilege database roles: the application cannot touch the token-to-identity map or bypass isolation.

👥Access control

  • Role-based portals: providers, pharmacies, labs, investors, and admins each see only their own surface, enforced at the routing layer and the database.
  • Organization-level changes (billing, team, API keys, payouts) are owner-only.
  • Customer sign-in runs on Microsoft Entra External ID with email verification; team members join by invitation only.

In progress: clearly labeled until complete

Expected July 2026

EPCS certification (DEA 21 CFR Part 1311), enabling controlled-substance e-prescribing. Not required for the non-controlled compounds PEPTPlus routes today.

Underway

SOC 2 Type II readiness: our control inventory, audit trail, and data-flow documentation are maintained against SOC 2 criteria ahead of a formal audit.

Forward-looking statements: items in this panel describe certifications and audits in progress, with expected (not guaranteed) timelines. They become present-tense claims only when complete.

Questions about our security posture, BAAs, or compliance documentation?