Security at Jaxson
How we protect patient data and keep your practice on the right side of HIPAA.
HIPAA-Aligned. BAA Available Day One.
Jaxson operates as a Business Associate under HIPAA. We sign a Business Associate Agreement with every practice before any patient data touches our system — no exceptions, no add-on tiers.
Our Commitments to Your Practice
- Breach notification within 30 days. If we discover a breach of unsecured PHI, we notify your practice in writing within 30 calendar days of discovery — stricter than HIPAA's 60-day statutory ceiling. Notices include all five §164.404(c) content elements so your practice can meet its own downstream duties without redrafting.
- Your data stays in the United States. Primary infrastructure and data residency are anchored in a single U.S. region. No cross-border replication.
- Deletion on request. When you offboard, we permanently delete every copy of your active data — documents, chat history, and everything built to search them. The only records we keep are those HIPAA legally requires us to retain (for example, six-year audit logs), and those never include document contents, chat messages, or patient information.
- Minimum necessary data. We only store the PHI your team uploads for the features you actually use. We don't collect more than we need.
Who Can Access Your Data
- Your team. The users you authorize within your practice. No one from another practice can see or reach your data — access is verified on every request, not just by the app's interface.
- A small number of Jaxson engineers. Access to production systems is least-privilege and role-based. Administrative access to anything holding PHI requires multi-factor authentication, and every access is logged.
- AWS, under a signed BAA. Our cloud provider, covered by AWS's standard Business Associate Addendum. No AWS personnel have routine access to unencrypted customer data.
- Google Workspace APIs, under your practice's own Google BAA. When you connect Google Drive, Docs, Sheets, or Slides, Jaxson reads those files under the BAA your practice holds directly with Google. Jaxson never extracts PHI outside that boundary.
- Microsoft 365 APIs (Microsoft Graph), under your practice's own Microsoft BAA. When you connect OneDrive, SharePoint, or Teams files, Jaxson reads those files under the BAA your practice holds directly with Microsoft. Jaxson never extracts PHI outside that boundary.
No third-party analytics, marketing, or AI-training vendors touch patient data.
How Your Data Is Protected
- Encrypted in transit. TLS 1.2 or higher on every connection. No plaintext endpoints anywhere.
- Encrypted at rest. AWS Key Management Service encryption on everything we store — documents, databases, search indexes, and logs.
- Organization-scoped access. Every request carries a verified organization credential. A stolen token can't reach another practice's data.
- No PHI in logs, ever. Our logs capture identifiers, counts, and operational metrics only. Patient names, clinical notes, chat messages, and document contents are never written to logs — enforced in code and blocked automatically before any change ships.
Continuous Verification
- Daily HIPAA compliance scans against our live infrastructure. High- and critical-severity findings alert the team immediately.
- Dependency and code scanning on every change, catching known vulnerabilities and leaked credentials before anything reaches production.
- Least-privilege access permissions with no broad wildcards on systems holding patient data. Misconfigurations fail the deployment automatically — they can't reach production.
Security Questionnaires & Documentation
If your DSO, practice IT director, or legal team needs a completed security questionnaire, a copy of our standard BAA, our breach-notification policy, or supporting documentation for a procurement review, contact us and we'll respond within one business day.