Security
We build Ansur for healthcare environments, where the confidentiality and integrity of patient data is foundational. The commitments below describe how we protect customer data and the Protected Health Information (PHI) we process on behalf of our customers. Additional security documentation is available on request.
HIPAA and Business Associate Agreement
Ansur operates as a Business Associate under HIPAA. We execute a Business Associate Agreement (BAA) with each customer before any PHI is processed. The BAA governs how we may use and disclose PHI, our safeguard obligations, and our breach-notification responsibilities.
Encryption in transit and at rest
We encrypt all data in transit using TLS 1.2 or higher. Data is encrypted at rest, and PHI receives an additional layer of application-level AES-256 field encryption before it is written to the database, using dedicated encryption keys managed in AWS Key Management Service (KMS).
Access control and authentication
We grant access to customer data on a least-privilege, role-based basis. All access requires authentication, and multi-factor authentication (MFA) is enforced for administrative and production access. Production access uses short-lived, role-based credentials rather than persistent keys.
Audit logging
We log access to patient data and administrative actions, including create, read, update, and delete operations that touch PHI. Audit records are retained for seven years.
Data residency
Customer data is hosted exclusively in United States data-center regions, with disaster-recovery replication within the United States.
Breach notification
In the event of a breach of unsecured PHI, we notify affected customers in accordance with our HIPAA obligations, without unreasonable delay and in no case later than 60 days from discovery.
Subprocessors
Infrastructure subprocessors in the PHI data path are HIPAA-eligible and operate under a Business Associate Agreement or Addendum. We do not store payment-card data — billing is handled by a third-party payment processor that provides us only an opaque customer identifier, never raw card numbers. A current list of subprocessors is available on request.
Request documentation
Qualified teams can request our security documentation, sub-processor information, and BAA by contacting security@ansur.ai.