Security & Compliance

Security by architecture, not promise.

SmartFlowCraft Health achieves HIPAA eligibility by ensuring patient data never reaches our infrastructure — not through policy, but through architecture.

HIPAA-eligible architecture
AWS · Azure · GCP BAA-covered
PHI never exits client cloud

The Principle

Zero PHI in our infrastructure.

Under HIPAA, a Business Associate is any entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. SmartFlowCraft Health is not a Business Associate because PHI never reaches our servers.

The platform deploys entirely inside your cloud account. Our API receives only opaque identifiers and workflow metadata — never names, diagnoses, scan content, notes, or any patient-identifiable field. The input_schema of every template enforces this boundary with additionalProperties: false — unknown fields are rejected at the engine level.
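
An added example (not SmartFlowCraft's engine or any of its templates) of the schema boundary described above: a small checker for the JSON Schema subset involved, run over constructed payloads. The field names patient_ref and workflow.step are assumptions; the example also shows that additionalProperties: false has to be repeated on nested objects, and that an allowed string field needs a pattern to stay opaque.

```python
import re

# Hypothetical template input_schema: opaque identifiers and workflow metadata only.
INPUT_SCHEMA = {
    "type": "object",
    "additionalProperties": False,
    "required": ["patient_ref", "workflow"],
    "properties": {
        "patient_ref": {"type": "string", "pattern": r"^[0-9a-f]{32}$"},
        "workflow": {
            "type": "object",
            "additionalProperties": False,  # must be restated on every nested object
            "required": ["step"],
            "properties": {"step": {"type": "string", "pattern": r"^[a-z_]{1,40}$"}},
        },
    },
}

def validate(value, schema, path="$"):
    """Return a list of violations for the small JSON Schema subset used above."""
    errors = []
    if schema.get("type") == "object":
        if not isinstance(value, dict):
            return [f"{path}: expected object"]
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required field missing")
        for key, item in value.items():
            if key in props:
                errors += validate(item, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties") is False:
                errors.append(f"{path}.{key}: unknown field rejected")
    elif schema.get("type") == "string":
        if not isinstance(value, str):
            errors.append(f"{path}: expected string")
        elif "pattern" in schema and not re.search(schema["pattern"], value):
            errors.append(f"{path}: does not match pattern")
    return errors

# Constructed payloads (not real data).
OK = {"patient_ref": "9f" * 16, "workflow": {"step": "triage_review"}}
EXTRA_TOP = {**OK, "patient_name": "Jane Doe"}
EXTRA_NESTED = {"patient_ref": "9f" * 16, "workflow": {"step": "triage_review", "notes": "free text"}}
PHI_IN_ALLOWED = {"patient_ref": "Jane Doe 1980-01-01", "workflow": {"step": "triage_review"}}

if __name__ == "__main__":
    for name, payload in [("ok", OK), ("extra_top", EXTRA_TOP),
                          ("extra_nested", EXTRA_NESTED), ("phi_in_allowed", PHI_IN_ALLOWED)]:
        print(name, validate(payload, INPUT_SCHEMA))
```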

Your compliance boundary is the BAA you hold with your cloud provider. We never enter that boundary.

Cloud-Native BAAs

Your cloud provider signs your BAA.

AWS

AWS Business Associate Addendum

Accepted by clicking in the AWS console. Covers Bedrock, RDS, S3, ECS, and all services used in the deployment.

Azure

Microsoft HIPAA BAA

Included in the Microsoft Products and Services Agreement (MPSA) and Enterprise Agreement. Covers Azure OpenAI, PostgreSQL, Container Apps.

GCP

Google Cloud HIPAA BAA

Included via the HIPAA Implementation Guide. Covers Cloud SQL, Vertex AI, Cloud Run, Cloud Storage.

Encryption & Access Control

Encrypted at rest. Encrypted in transit.

At rest

Cloud-native KMS — AWS KMS, Azure Key Vault, GCP Cloud KMS. All databases and object storage encrypted.

In transit

TLS 1.2 minimum on all connections. Client → SmartFlowCraft API enforced via HSTS.

Access control

IAM roles with least-privilege policies deployed via IaC. No shared credentials, no IAM users.

Audit logging

CloudTrail / Azure Monitor / Cloud Audit Logs capture every PHI-adjacent action. Immutable, long-retention.

Network isolation

Application tier and database tier separated by subnet. All inter-service traffic private, no public DB endpoints.

Secrets management

All secrets via AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager. Never in environment variables or config files.

Sub-Processors

Every service, in scope.

| Sub-processor | Purpose | PHI exposure | Cloud |
| --- | --- | --- | --- |
| Vercel | Control plane hosting | No | All |
| Railway | API runtime | No | All |
| Supabase | Tenant metadata | No | All |
| AWS (client) | Application runtime, database, storage, Bedrock LLM | Yes — in client account | AWS |
| Azure (client) | Application runtime, database, storage, Azure OpenAI | Yes — in client account | Azure |
| GCP (client) | Application runtime, database, storage, Vertex AI | Yes — in client account | GCP |

Security Contact

Questions about our security posture?

Enterprise buyers are welcome to request our security documentation package, penetration test reports, and completed vendor questionnaires.

security@smartflowcraft.com