Security & Compliance — Areti Health

Designed for regulated workflows from day one.

SOC 2 Type II, HIPAA, FDA 21 CFR Part 11 aligned, IRB approved through Advarra and Univo, TEFCA-ready. Continuous compliance monitoring via Vanta. Every interaction logged, every data flow encrypted, every consent captured.

Certifications & attestations

Six certifications procurement teams ask about first.

SOC 2 Type II
Annual independent audit covering security, availability, and confidentiality. Report available under NDA.
Audited annually

HIPAA
PHI handled per 45 CFR §164. Business Associate Agreements available pre-deployment, redline-friendly.
BAA on request

IRB
Generic IRB approval covering Areti's outreach, eligibility, and scheduling workflows. Study-specific approval as needed.
Global studies supported

TEFCA Ready
QHIN-aligned interoperability for trusted exchange across health information networks.
QHIN partner pending

FDA 21 CFR Part 11
Electronic records and signatures controls for clinical trial data. Audit trail, access controls, and validation.
Documented & validated

Vanta
Continuous compliance monitoring across 100+ controls. Real-time visibility, automated evidence collection.
Always-on monitoring

How we operate

Six security principles, applied to every interaction.

Encryption

Encrypted in transit & at rest

TLS 1.3 in transit. AES-256 at rest. Customer-managed keys available for enterprise deployments.

Access control

Least-privilege, MFA-required

Role-based access control. SSO via SAML/OIDC. Multi-factor authentication required for all admin access.

Audit & logs

Tamper-evident audit trail

Every patient interaction, system change, and admin action logged. Immutable, exportable, retained 7+ years.

Data minimization

Collect only what's needed

Eligibility logic uses minimum necessary PHI. De-identified data flows where full identifiers aren't required.

BCP / DR

99.95% uptime SLA

Multi-region AWS deployment. Automated backups, quarterly restore tests, documented disaster recovery runbook.

Vendor management

SOC 2 sub-processor list

Every sub-processor reviewed annually. Public sub-processor list maintained; 30-day notice on changes.

"The platform is designed with a strong focus on security, compliance, and scalability, meeting the needs of multi-national clinical trial operations. By leveraging AWS-managed services, strong IAM and encryption practices, defined policies, and continuous monitoring, Areti Health ensures that its system complies with service commitments and regulatory requirements while supporting sensitive healthcare operations."

— External auditor, 2026 SOC 2 Type II attestation
Data & privacy

What we collect, where it goes, who sees it.

Privacy & PHI handling

We treat patient data as PHI by default and apply HIPAA controls regardless of whether your study technically requires it. Patient consent captured per protocol; consent records exportable on request.

  • Patient consent captured per protocol
  • Right-to-access & right-to-delete supported
  • Data residency: US-only by default; EU available
  • De-identification on data exports where appropriate

TEFCA & interoperability

We're QHIN-aligned and exchange clinical data via the Trusted Exchange Framework where it makes sense for the protocol. EMR integrations honor patient consent across HIE participation.

  • QHIN partnership in progress
  • HIE participation per patient consent
  • FHIR R4 & HL7 v2 for EMR data exchange
  • Standard 21st Century Cures Act access
FAQ

What sponsor IT and DPO teams ask.

Where is patient data stored?
Patient data is stored on AWS infrastructure in US-East and US-West regions by default, with EU residency available for sponsors with European studies. Encrypted at rest with AES-256. Customer-managed KMS keys available for enterprise tier.

Do you sign BAAs?
Yes. We have a standard Business Associate Agreement on file, redline-friendly, typically signed within 5 business days. Sub-BAAs with our sub-processors are managed by us.

How long is data retained?
Per protocol requirements. Default retention is 7 years post-study close to align with FDA 21 CFR Part 11 and ICH-GCP record retention. Custom retention available for sponsors with stricter or shorter requirements.

Can sponsors run penetration tests?
Yes, with 30-day advance notice. We coordinate joint pen tests with enterprise sponsors annually. Independent third-party pen tests are also conducted annually as part of our SOC 2 program; results available under NDA.

How does Areti handle a security incident?
We follow a documented incident response runbook with a 24-hour notification SLA for confirmed PHI exposure incidents. Our security team is on-call 24/7. Full post-incident reports issued within 30 days.

What about LLM/AI safety — does patient data train Areti's models?
No. Patient data is never used to train foundation models. Areti uses LLMs in a strictly inference-only mode with no data retention by upstream providers. Prompt logs are stored encrypted in our own infrastructure for audit purposes only, not used for training.

Contact

Get in touch with Security.

Report a vulnerability

Found a security issue in our platform? We'd like to hear about it. Coordinated disclosure preferred; we acknowledge within 1 business day.

Procurement & DPO requests

Need a SOC 2 report, security questionnaire response, BAA, or DPA? Request the document package and we'll send it under NDA.