Security & Compliance

Built for practices that can't afford a breach.

Every component of Okrana is designed around HIPAA compliance and data isolation — not bolted on after the fact. Here's exactly how your data is protected.

HIPAA BAA IncludedAES-256 EncryptionZero AI Data RetentionPrivate Azure DeploymentSOC 2 Aligned
HIPAA

HIPAA Compliance — Structural, Not Checkbox

Okrana is architected as a HIPAA Business Associate from the ground up. Every plan includes a signed Business Associate Agreement before login. We don't offer a "compliant tier" — every account operates under the same legal and technical framework.

  • BAA signed before any user accesses the workspace
  • Minimum-necessary access enforced at the database row level
  • Workforce access controls — each user scoped to their practice only
  • Breach notification procedures documented and tested
  • 45 C.F.R. § 164 Technical Safeguards implemented across all components
AI Infrastructure

Private Azure OpenAI — No Shared Models

AI queries are routed to a private Azure OpenAI deployment, not the shared public API. Your prompts and responses are isolated within your tenant. Microsoft processes inference under a data processing agreement that explicitly prohibits training on customer data.

  • Private Azure deployment — your data never touches shared API endpoints
  • US-only data residency — no cross-border data transfers
  • Zero retention policy — Microsoft does not log or store your prompts
  • Not used for model training by Microsoft or Okrana
  • API key stored in Supabase Vault — never exposed to the browser
Encryption

AES-256 at Rest, TLS in Transit

All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Database credentials, API keys, and service secrets are stored in an isolated vault — never in environment variables accessible to application code at runtime.

  • AES-256 encryption for all data at rest
  • TLS 1.2+ enforced for all client connections
  • Supabase Vault for secret storage — secrets not exposed in code or logs
  • HTTPS enforced at the edge — HTTP connections rejected
  • Signed cookies with HttpOnly and SameSite=Lax flags
Access Control

Row-Level Security — Tenants Are Hard Walls

Every database query is scoped to the authenticated user's tenant by PostgreSQL Row Level Security policies. A user in Practice A cannot read, write, or even confirm the existence of data in Practice B. These policies are enforced at the database engine — not in application code.

  • PostgreSQL RLS on every table — enforced by the database, not app logic
  • Tenant isolation: cross-tenant data access is structurally impossible
  • Role-based policies: admin vs. member access enforced at row level
  • Session validation via Supabase Auth server — not localStorage tokens
  • Service-role client used only server-side — never exposed to the browser
Audit Logging

Full Audit Trail on Every Action

Every AI query, BAA signing event, and administrative action is written to an append-only audit log with the user's ID, tenant, timestamp, and IP address. Logs are retained for 6 years per HIPAA requirements and are accessible to practice administrators.

  • Audit log for every chat interaction — user, tokens, model, timestamp
  • BAA signing events logged with IP address and signed_at timestamp
  • Admin-read-only audit table — no user INSERT policy on audit_log
  • 6-year retention per 45 C.F.R. § 164.530(j)
  • Logs written via service role — cannot be modified by application users
SOC 2

SOC 2 Alignment

Okrana's security controls are designed to align with SOC 2 Trust Services Criteria across Security, Availability, and Confidentiality. Our infrastructure providers (Supabase, Microsoft Azure, Vercel) maintain their own SOC 2 Type II certifications.

  • Security (CC6): Logical access, encryption, monitoring
  • Availability (A1): Uptime SLA, redundant infrastructure
  • Confidentiality (C1): Data classification, access restrictions
  • Microsoft Azure: SOC 2 Type II certified
  • Supabase: SOC 2 Type II certified
Common questions

Security FAQ

Can Okrana employees read my patient notes or client files?
No. AI conversations are not logged or stored on Okrana servers. Notes entered into the workspace are processed in your isolated Azure instance and discarded at session end. Okrana staff have no access to conversation content.
What happens to data if I cancel?
Account data is retained for 90 days after cancellation, then permanently deleted. Audit logs are retained for 6 years per HIPAA requirements. You may request an export of your account data at any time.
Is the BAA a real, enforceable agreement?
Yes. The BAA is a legally binding agreement executed between your practice (Covered Entity) and Okrana, Inc. (Business Associate). It is signed electronically with your email as the authorizing credential, with the IP address and timestamp recorded.
Does Okrana use our data to train AI models?
No. Okrana does not train models. The underlying Azure OpenAI model does not train on customer data — this is governed by our agreement with Microsoft. Your prompts and responses are used solely to generate the response you receive.
What do I do if I suspect a breach?
Contact hello@okrana.com immediately. We will begin breach assessment per our documented procedures and notify you within the timeframe required by the BAA and 45 C.F.R. § 164.410.

Have a specific compliance question?

We'll walk through your practice's requirements on a call — no sales pitch, just answers.

Email hello@okrana.comBook a compliance review →