Security & Trust

PHI is sacred. Compliance is operational.

Defense-in-depth security model — independently audited, continuously monitored, mapped to HIPAA, SOC 2 Type II, HITRUST CSF r2, and the ONC Cures Update. Every audit log exportable. Every sub-processor public. Every breach disclosure baked into the contract before you sign.

Certifications & attestations

HIPAA

BAA included on every plan. Annual third-party assessment.

SOC 2 Type II

Audited annually by Schellman. Report on request.

ONC Certified

2015 Edition Cures Update. Full criteria list public.

HITRUST CSF

r2 certified. Mapped to HIPAA, NIST, ISO 27001.

How we protect PHI

Four pillars, continuously verified.

Encryption

AES-256 at rest, TLS 1.3 in transit, field-level envelope encryption for the most sensitive data.

  • Customer-managed keys (Enterprise)
  • Key rotation every 90 days
  • HSM-backed root keys
  • Database-level encryption + per-tenant keys

Access control

Zero-trust by default. Every request authenticated, every action logged, every role minimized.

  • SSO / SAML / SCIM (Enterprise)
  • Mandatory 2FA for all admins
  • Role-based access with break-glass
  • Full audit log, exportable to your SIEM

Infrastructure

Multi-region active-active on AWS. Redundancy at every layer, recovery measured in minutes.

  • RPO 5 min · RTO 30 min
  • Daily encrypted backups, 7-year retention
  • Quarterly disaster recovery drills
  • 99.99% uptime SLA on Enterprise

Operational

Background-checked staff, principle-of-least-privilege, public security disclosure program.

  • Background checks for every employee
  • Annual HIPAA + security training
  • Public bug-bounty program (HackerOne)
  • 24/7 security operations center

AI & data privacy

Your data is never used to train models without explicit, written, opt-in consent.

  • Audio deleted 30 days post-signature
  • De-identified telemetry only by default
  • No model training on PHI, full stop
  • Per-tenant data residency (Enterprise)

Compliance

Independently audited and continuously monitored against the standards that matter.

  • HIPAA Privacy & Security Rule
  • SOC 2 Type II (annual)
  • HITRUST CSF r2 certified
  • 21st Century Cures Act information blocking

Trust center

Receipts, on request.

Reviewing Focus for your compliance team? We make it easy. Sign an NDA and you'll have access to our SOC 2 report, penetration test summaries, sub-processor list, and architecture diagrams within an hour.

Request trust packet →
Public sub-processor list

Available under NDA

  • SOC 2 Type II report (2025) · PDF · 84p
  • Penetration test summary (Q3 2025) · PDF · 12p
  • HITRUST r2 letter of certification · PDF · 2p
  • Architecture & data flow diagrams · PDF · 18p
  • Business continuity / DR plan · PDF · 24p

Got a security question we didn't answer here?

Email security@focusehr.com — a real human on our security team will respond within one business day.

Talk to security →
Report a vulnerability