Security & Compliance

Built for healthcare. Secured for healthcare.

Gravity Rail handles protected health information with the same rigor your clinical team brings to patient care. HIPAA compliant. BAA available. Every interaction auditable.

HIPAA: Compliant
SOC 2 Type II: In Progress
BAA: Available

Security features.

HIPAA Compliant

Active

Gravity Rail is fully HIPAA compliant. All PHI is handled according to HIPAA Privacy and Security Rules. Business Associate Agreements (BAAs) are available for all customers.

SOC 2 Type II

In Progress

SOC 2 Type II certification is currently in progress. We operate with SOC 2-aligned controls across security, availability, processing integrity, confidentiality, and privacy.

Encryption at Rest & In Transit

Active

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Conversation logs, patient data, and configuration files are stored with field-level encryption.

Audit Logs

Active

Complete audit trail for all patient interactions, coordinator actions, escalations, and system events. Logs are immutable, tamper-evident, and retained per customer configuration.

Role-Based Access Control

Active

Granular role-based permissions for coordinators, clinical supervisors, administrators, and integration partners. Principle of least privilege enforced across all access paths.

Business Associate Agreement

Available

BAAs are executed with all healthcare customers prior to any PHI processing. Gravity Rail operates as a Business Associate under HIPAA and accepts full BAA obligations.

Data handling principles.

Data minimization

We collect only the data required to deliver Care Presence. No ancillary data collection, no marketing use of patient data.

No data resale

Patient data is never sold, shared, or licensed to third parties. Ever. Under any circumstances.

Customer data ownership

Your data is yours. Gravity Rail processes it on your behalf. You retain full ownership and control of all PHI and conversation records.

Data residency

Data is stored in US-based infrastructure. International deployments are available with configurable data residency requirements.

Retention and deletion

Data retention policies are configurable per customer. Deletion requests are processed within 30 days. PHI can be purged on contract termination.

Security FAQ.

Security questions? Talk to us directly.

Our team can walk through our security posture, compliance program, and data handling practices in detail.