Trust & Security
Enterprise-Grade Security for Clinical Data
Healthcare data is the most sensitive data in the world. Our security program is built from the ground up for the compliance requirements, threat model, and operational realities of health systems.
Compliance
Certifications & Standards
HIPAA (Health Insurance Portability and Accountability Act): full compliance across all PHI handling, storage, and transmission.
SOC 2: annual third-party audit of security, availability, processing integrity, confidentiality, and privacy controls.
HITRUST CSF: HITRUST Common Security Framework certification covering 19 domains of healthcare cybersecurity.
International information security management standard: certification issued through Bureau Veritas.
FedRAMP (Federal Risk and Authorization Management Program): authorization for federal agency deployments.
GDPR (General Data Protection Regulation): compliance for European patient data and EU-based health system customers.
Infrastructure
How We Protect Your Data
End-to-End Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Encryption keys are managed per tenant in AWS KMS with automatic rotation, and no Curely AI personnel have access to them.
Tenant Isolation
Each health system customer runs in a fully isolated namespace on our Kubernetes infrastructure. Compute, storage, and network resources are never shared across tenants.
Audit Logging
Every access event, query, model inference, and administrative action is captured in immutable audit logs. Logs are retained for 7 years and can be exported to your SIEM in real time.
Infrastructure Security
We run on AWS GovCloud (US) for regulated workloads. Network access is controlled through private VPC peering, a WAF, and DDoS protection, and all engineers are required to use MFA with phishing-resistant hardware keys.
Vulnerability Management
Continuous SAST/DAST scanning, weekly dependency audits, and a formal penetration testing program run with a top-tier healthcare security firm. Critical CVEs are patched within 24 hours.
Business Associate Agreement
We sign a HIPAA-compliant BAA with every health system customer before any PHI is transmitted. Our BAA template is available for legal review prior to contract execution.
Practices
A Comprehensive Security Program
Security isn't a feature we shipped once — it's an ongoing operational discipline. Every engineer, every deployment, and every vendor relationship is held to the same standard.
Responsible Disclosure
We welcome responsible security research on our platform. If you discover a vulnerability, please report it to our security team before any public disclosure. We respond within 24 hours and offer recognition for valid findings.
We do not pursue legal action against researchers who follow responsible disclosure practices, even when they discover vulnerabilities through active testing.
Security Contact
security@curely.ai
PGP Fingerprint
A3F2 8D19 4C7E 2B56 9A01 F483 E92C 7D34 BA56 12EF
Response SLA
Critical: < 4 hours · High: < 24 hours · Medium: < 72 hours
Ready to Start Your Security Review?
Our security team is available to walk your CISO, legal, and compliance teams through our full security program, including our SOC 2 report, penetration test results, and BAA terms.
