HIPAA Compliance — Structural, Not Checkbox
Okrana is architected as a HIPAA Business Associate from the ground up. Every plan includes a signed Business Associate Agreement before login. We don't offer a "compliant tier" — every account operates under the same legal and technical framework.
- ✓BAA signed before any user accesses the workspace
- ✓Minimum-necessary access enforced at the database row level
- ✓Workforce access controls — each user scoped to their practice only
- ✓Breach notification procedures documented and tested
- ✓45 C.F.R. § 164 Technical Safeguards implemented across all components
Private Azure OpenAI — No Shared Models
AI queries are routed to a private Azure OpenAI deployment, not the shared public API. Your prompts and responses are isolated within your tenant. Microsoft processes inference under a data processing agreement that explicitly prohibits training on customer data.
- ✓Private Azure deployment — your data never touches shared API endpoints
- ✓US-only data residency — no cross-border data transfers
- ✓Zero retention policy — Microsoft does not log or store your prompts
- ✓Not used for model training by Microsoft or Okrana
- ✓API key stored in Supabase Vault — never exposed to the browser
AES-256 at Rest, TLS in Transit
All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Database credentials, API keys, and service secrets are stored in an isolated vault — never in environment variables accessible to application code at runtime.
- ✓AES-256 encryption for all data at rest
- ✓TLS 1.2+ enforced for all client connections
- ✓Supabase Vault for secret storage — secrets not exposed in code or logs
- ✓HTTPS enforced at the edge — HTTP connections rejected
- ✓Signed cookies with HttpOnly and SameSite=Lax flags
Row-Level Security — Tenants Are Hard Walls
Every database query is scoped to the authenticated user's tenant by PostgreSQL Row Level Security policies. A user in Practice A cannot read, write, or even confirm the existence of data in Practice B. These policies are enforced at the database engine — not in application code.
- ✓PostgreSQL RLS on every table — enforced by the database, not app logic
- ✓Tenant isolation: cross-tenant data access is structurally impossible
- ✓Role-based policies: admin vs. member access enforced at row level
- ✓Session validation via Supabase Auth server — not localStorage tokens
- ✓Service-role client used only server-side — never exposed to the browser
Full Audit Trail on Every Action
Every AI query, BAA signing event, and administrative action is written to an append-only audit log with the user's ID, tenant, timestamp, and IP address. Logs are retained for 6 years per HIPAA requirements and are accessible to practice administrators.
- ✓Audit log for every chat interaction — user, tokens, model, timestamp
- ✓BAA signing events logged with IP address and signed_at timestamp
- ✓Admin-read-only audit table — no user INSERT policy on audit_log
- ✓6-year retention per 45 C.F.R. § 164.530(j)
- ✓Logs written via service role — cannot be modified by application users
SOC 2 Alignment
Okrana's security controls are designed to align with SOC 2 Trust Services Criteria across Security, Availability, and Confidentiality. Our infrastructure providers (Supabase, Microsoft Azure, Vercel) maintain their own SOC 2 Type II certifications.
- ✓Security (CC6): Logical access, encryption, monitoring
- ✓Availability (A1): Uptime SLA, redundant infrastructure
- ✓Confidentiality (C1): Data classification, access restrictions
- ✓Microsoft Azure: SOC 2 Type II certified
- ✓Supabase: SOC 2 Type II certified
Security FAQ
Have a specific compliance question?
We'll walk through your practice's requirements on a call — no sales pitch, just answers.