Denialbase handles Protected Health Information (PHI) for covered entities under HIPAA. This Trust Center documents how we protect it — what’s live today, what’s in progress, and what’s on the roadmap.
Security at a glance
Encryption
AES-256 at rest with customer-managed encryption keys (CMEK) on all primary data stores. TLS 1.2+ in transit. Column-level PHI encryption on top.
Authentication
Passwords + TOTP or passkeys. Google OAuth 2.1. Account lockout, device-based rate limiting, httpOnly session cookies.
Network
Cloud Armor WAF with OWASP Core Rule Set v3.3, private VPC, Workload Identity Federation for CI/CD (no long-lived keys).
Audit Logging
Structured HIPAA audit log pipeline. Every PHI access, mutation, and authentication event recorded with 6-year retention.
Compliance posture
Denialbase is HIPAA-compliant and pursuing SOC 2 Type I and ISO 27001 certifications. See SOC 2 / ISO 27001 readiness for the current readiness snapshot and live remediation tracker.
HIPAA
Administrative, physical, and technical safeguards. PHI minimization. Audit trails. Access controls.
SOC 2 / ISO 27001
Current readiness, gaps, and target certification dates. Updated quarterly.
Statement of Applicability
ISO 27001:2022 Annex A control mapping — 93 applicable, 4 N/A, per-control status + evidence.
BAAs
How to request a Business Associate Agreement. Signed BAAs with our subprocessors.
Subprocessors
Full list of infrastructure and service providers with data residency and BAA status.
Operations
Incident Response
How we detect, respond to, and communicate about security incidents. On-call rotation + severity matrix.
Disaster Recovery
Backup strategy, RPO/RTO targets, and tested restore procedures.
Business Continuity
How Denialbase continues serving customers through technical, operational, and vendor disruptions.
Vulnerability Management
SAST, dependency scanning, SLAs, and penetration testing cadence.
Change Management
Code review, CI/CD security gates, deployment approvals.
Governance
Internal audit
Independent review of the ISMS — audit program, methodology, cadence.
Management review
Quarterly ISMS effectiveness review by executive leadership.
HR security
Workforce security — screening, onboarding, training, offboarding.
Security awareness
Annual training program, phishing simulation, role-specific modules.
Policies
Information Security Policy
The top-level policy governing all security controls at Denialbase.
Acceptable Use Policy
Rules for Denialbase personnel using company systems.
Access Control Policy
Who gets access to what, for how long, and how we verify it stays correct.
Cryptography Policy
Approved algorithms, key management, rotation cadence.
Data Classification
Four classifications (Restricted PHI, Confidential, Internal, Public) with handling rules.
Change Management Policy
Formal policy governing all changes to Denialbase systems.
Vendor Management
Vendor risk assessment, subprocessor governance, and BAA tracking.
Risk Management
Risk methodology (5×5 likelihood × impact matrix) and the live register of tracked risks.
Report a vulnerability
security@denialbase.com
We follow coordinated disclosure. Report suspected vulnerabilities to security@denialbase.com — acknowledgement within 2 business days. PGP key available on request.
Stay informed
Status page
Real-time availability, incident history, and planned maintenance windows.