Security at Gravity Rail
Protecting patient data is foundational to everything we build. Our platform is designed from the ground up for healthcare compliance and enterprise-grade security.
- Technical safeguards implemented, BAAs executed with all customers
- Controls implemented and continuously monitored, independent audit underway
- Business Associate Agreements executed with all healthcare customers and vendors
Security Philosophy
Security is not an add-on feature — it is a foundational requirement. Every architectural decision is evaluated through the lens of patient data protection.
- Defense in Depth — overlapping layers of security at infrastructure, network, application, and data tiers
- Least Privilege — every component operates with the minimum access required for its function
- Data Minimization — we collect and retain only the data necessary for platform functionality
- Compliance by Design — HIPAA and SOC 2 requirements are integrated into our engineering process, not bolted on after the fact
Compliance & Certifications
Gravity Rail is HIPAA compliant with technical safeguards fully implemented. SOC 2 Type II controls are in place and continuously monitored via Vanta, with an independent audit underway.
- HIPAA compliant: administrative, physical, and technical safeguards implemented per 45 CFR 164.308, 164.310, and 164.312 respectively
- Business Associate Agreements executed with all customers and vendors handling PHI
- Designated Privacy Officer and completed internal HIPAA risk assessment
- SOC 2 Type II controls implemented and continuously monitored, independent audit underway
- Continuous compliance monitoring via Vanta with real-time control status
Data Protection & Encryption
All patient data is encrypted at rest and in transit. PHI is classified, tracked, and protected with strict handling rules throughout the platform.
- Encryption at rest: AES-256 via AWS KMS, using customer managed KMS keys (rather than AWS managed default keys) in production
- Encryption in transit: TLS 1.2+ on all endpoints with HSTS enforced
- PHI is never written to logs and never surfaced in error messages; log lines and error responses carry only opaque identifiers
- Multi-tenant isolation: each workspace has its own database schema, so application queries are scoped to one tenant's tables and cannot read across tenants
- Credential encryption using JWE with authenticated encryption (AES-128-GCM)
Infrastructure Security
Cloud-native architecture on AWS with managed services, private networking, and continuous threat detection.
- AWS Fargate containers, with each task running in its own microVM with hardware-virtualized isolation and no kernel shared between tasks
- VPC with private subnets — databases and caches have no direct internet access
- Multi-AZ deployment with automated failover and cross-region disaster recovery
- AWS GuardDuty for continuous threat detection and anomaly monitoring
- CloudTrail audit trail with log file integrity validation (SHA-256 + RSA signatures)
Access Controls
Multi-tier role-based access control with encrypted session management and comprehensive administrative audit logging.
- Strong authentication methods: SSO/OIDC, email magic links with OTP, password
- 2FA/MFA with TOTP Authenticator apps, Passkeys (biometric & hardware keys), recovery codes
- Multi-tier RBAC: organization-level, workspace-level, and object-level permissions
- Encrypted session tokens using JWE (JSON Web Encryption) with authenticated encryption
- Time-limited administrative impersonation with full audit trail
- API keys with configurable expiration, scoped permissions, and hashed storage
AI Data Governance
Customer data is never used to train AI models. All AI providers are evaluated for HIPAA compliance and BAA availability.
- Customer data is not used to train AI models — your data remains yours
- AI providers evaluated for BAA availability and HIPAA-compliant data handling
- HIPAA-compliant LLM observability with signed Business Associate Agreements
- Channel-aware data routing — sensitive channels can be excluded from observability logging
- Transparent AI provider relationships with documented security requirements
Secure Development Lifecycle
Every code change goes through automated security scanning and peer review with enforced separation of duties.
- Mandatory code reviews on every pull request
- Static analysis security tools run on every pull request
- Dynamic analysis (DAST) security scans run daily against the running application
- Automated supply-chain dependency protection with container image scanning on push
- Branch protection with mandatory status checks and separation of duties
Monitoring & Incident Response
Always-on security audit logging with 6-year retention, real-time alerting, and a documented incident response process including HIPAA breach notification.
- A CSIRT (computer security incident response team) owns security monitoring and incident handling
- 6-year audit log retention in tamper-evident archival storage for regulatory compliance
- Real-time alerting for authentication failures, security violations, and access anomalies
- Documented incident response process: detection, assessment, containment, remediation, notification
- HIPAA breach notification without unreasonable delay and no later than 60 days after discovery, per the Breach Notification Rule (45 CFR 164.402–414)
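"Real-time alerting for authentication failures" is only as good as the rules behind it. The following is an added example, written for this page and not Gravity Rail's own detection logic, that runs three common rules over a constructed JSON-lines authentication log in Python: a per-account failure burst (brute force), one source IP failing against several accounts (password spraying), and a success immediately following a burst, which is the case that most deserves an analyst's attention. The log field names, thresholds and sample events are assumptions for the illustration.

```python
"""Added example, not Gravity Rail's code: alerting rules over authentication events."""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (JSON lines). Field names are assumed for illustration.
SAMPLE_LOG = """\
{"ts": "2026-02-12T10:00:00+00:00", "event": "auth.failure", "actor": "alice", "ip": "10.0.0.5"}
{"ts": "2026-02-12T10:00:20+00:00", "event": "auth.failure", "actor": "alice", "ip": "10.0.0.5"}
{"ts": "2026-02-12T10:00:40+00:00", "event": "auth.failure", "actor": "alice", "ip": "10.0.0.5"}
{"ts": "2026-02-12T10:01:00+00:00", "event": "auth.failure", "actor": "alice", "ip": "10.0.0.5"}
{"ts": "2026-02-12T10:01:20+00:00", "event": "auth.failure", "actor": "alice", "ip": "10.0.0.5"}
{"ts": "2026-02-12T10:01:40+00:00", "event": "auth.success", "actor": "alice", "ip": "10.0.0.5"}
{"ts": "2026-02-12T10:02:00+00:00", "event": "auth.failure", "actor": "bob", "ip": "203.0.113.9"}
{"ts": "2026-02-12T10:02:10+00:00", "event": "auth.failure", "actor": "carol", "ip": "203.0.113.9"}
{"ts": "2026-02-12T10:02:20+00:00", "event": "auth.failure", "actor": "dave", "ip": "203.0.113.9"}
{"ts": "2026-02-12T10:30:00+00:00", "event": "auth.failure", "actor": "erin", "ip": "198.51.100.2"}
"""


def detect(lines, window_s=300, account_threshold=5, spray_threshold=3):
    """Stream events in time order and return the alerts the rules would raise."""
    alerts = []
    fails_by_actor = defaultdict(deque)   # actor -> timestamps of failures inside the window
    fails_by_ip = defaultdict(deque)      # ip -> (timestamp, actor) of failures inside the window
    bursting = set()                      # actors over threshold; dedupes alerts, feeds rule 3
    alerted_ips = set()                   # dedupe spray alerts per source
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"]).timestamp()
        actor, ip, event = rec["actor"], rec["ip"], rec["event"]
        if event == "auth.failure":
            # Rule 1: many failures for one account within the window.
            q = fails_by_actor[actor]
            q.append(ts)
            while q and ts - q[0] > window_s:
                q.popleft()
            if len(q) >= account_threshold and actor not in bursting:
                bursting.add(actor)
                alerts.append({"rule": "brute_force", "actor": actor, "ip": ip, "count": len(q)})
            # Rule 2: one source failing against many distinct accounts (spraying).
            qi = fails_by_ip[ip]
            qi.append((ts, actor))
            while qi and ts - qi[0][0] > window_s:
                qi.popleft()
            distinct = {a for _, a in qi}
            if len(distinct) >= spray_threshold and ip not in alerted_ips:
                alerted_ips.add(ip)
                alerts.append({"rule": "password_spray", "ip": ip, "accounts": sorted(distinct)})
        elif event == "auth.success":
            # Rule 3: a success right after a burst is the signal that a guess worked.
            if actor in bursting:
                alerts.append({"rule": "success_after_burst", "actor": actor, "ip": ip})
                bursting.discard(actor)
            fails_by_actor.pop(actor, None)   # a good login resets the account's counter
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

On the sample, alice trips the brute-force rule on her fifth failure and then the success-after-burst rule, and 203.0.113.9 trips the spray rule on its third distinct account; erin's single failure raises nothing. Rule 2 is the one a per-account lockout policy misses entirely, which is why both views of the same failures are kept.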
Ready to review our security posture?
Access our SOC 2 report, compliance documentation, and subprocessor list through our trust center.
Vulnerability Disclosure
If you believe you have found a security vulnerability in Gravity Rail, we encourage responsible disclosure. Please report it to our security team — we take every report seriously and will respond promptly.
security@gravityrail.com
Last reviewed: 2026-02-12