Security

We build Ansur for healthcare environments, where the confidentiality and integrity of patient data is foundational. The commitments below describe how we protect customer data and the Protected Health Information (PHI) we process on behalf of our customers. Additional security documentation is available on request.

HIPAA and Business Associate Agreement

Ansur operates as a Business Associate under HIPAA. We execute a Business Associate Agreement (BAA) with each customer before any PHI is processed. The BAA governs how we may use and disclose PHI, our safeguard obligations, and our breach-notification responsibilities.

Encryption in transit and at rest

We encrypt all data in transit using TLS 1.2 or higher. Data is encrypted at rest, and PHI receives an additional layer of application-level AES-256 field encryption before it is written to the database, using dedicated encryption keys managed in AWS Key Management Service (KMS).

Access control and authentication

We grant access to customer data on a least-privilege, role-based basis. All access requires authentication, and multi-factor authentication (MFA) is enforced for administrative and production access. Production access uses short-lived, role-based credentials rather than persistent keys.

Audit logging

We log access to patient data and administrative actions, including create, read, update, and delete operations that touch PHI. Audit records are retained for seven years.

Data residency

Customer data is hosted exclusively in United States data-center regions, with disaster-recovery replication within the United States.

Breach notification

In the event of a breach of unsecured PHI, we notify affected customers in accordance with our HIPAA obligations, without unreasonable delay and in no case later than 60 days from discovery.

Subprocessors

Infrastructure subprocessors in the PHI data path are HIPAA-eligible and operate under a Business Associate Agreement or Addendum. We do not store payment-card data — billing is handled by a third-party payment processor that provides us only an opaque customer identifier, never raw card numbers. A current list of subprocessors is available on request.

Request documentation

Qualified teams can request our security documentation, sub-processor information, and BAA by contacting security@ansur.ai.