Security & compliance
TurboPA is built from the ground up to protect patient data. We meet or exceed every control required by HIPAA, SOC 2, NIST 800-53, and HITRUST — and we're happy to walk you through the details.
Compliance frameworks we align to
Our controls are mapped across the major healthcare and enterprise security frameworks. We can provide detailed control mapping documentation upon request.
HIPAA
Full compliance with the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.
- Administrative, technical, and physical safeguards
- Business Associate Agreements available
- Workforce access management and termination procedures
- Security incident response and breach notification
- Regular risk assessments and remediation tracking
SOC 2 Type II
Controls mapped to SOC 2 Trust Service Criteria across all five categories.
- Security — logical and physical access controls
- Availability — uptime monitoring and redundancy
- Processing Integrity — data accuracy and completeness
- Confidentiality — encryption and data classification
- Privacy — data collection, use, retention, and disposal
NIST 800-53
Security and privacy controls aligned to NIST Special Publication 800-53 Rev. 5.
- Access control (AC) — least privilege, separation of duties
- Audit and accountability (AU) — tamper-resistant logging
- Identification and authentication (IA) — MFA, credential management
- System and communications protection (SC) — encryption, boundary defense
- Incident response (IR) — documented response plans and procedures
HITRUST CSF
Controls mapped to the HITRUST Common Security Framework for healthcare organizations.
- Information protection program governance
- Endpoint and mobile device security
- Portable media and asset management
- Third-party assurance and vendor management
- Data protection and privacy controls
How we protect your data
Defense in depth across every layer — infrastructure, application, data, and operations.
Encryption at rest and in transit
All data is encrypted using AES-256 at rest and TLS 1.2+ in transit. Database connections, file storage, and internal service communication are all encrypted by default.
Tenant data isolation
Each organization's data is logically isolated at the database layer. Row-level enforcement ensures that queries are always scoped — no organization can access another's records.
Role-based access control
Granular permission levels control who can create, view, edit, submit, and delete records. Administrators manage team membership and organizational settings.
Multi-factor authentication
Time-based one-time password (TOTP) MFA is available for all users. Administrators can enforce MFA organization-wide to meet compliance requirements.
Immutable audit trail
Every data access and modification is recorded with user identity, timestamp, action type, and change details. Audit logs are tamper-resistant and available for compliance review.
Secure credential management
Passwords are salted and hashed using industry-standard adaptive algorithms. Sessions are cryptographically signed with automatic expiration. No plaintext credentials are ever stored.
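The following Python is an added illustration of the two controls just described, not TurboPA's own code: a salted, adaptive password hash stored with its parameters, and a server-signed session token whose expiry is covered by the signature. The choice of scrypt, the cost parameters, and the token layout are assumptions for the example; the page names no specific algorithm.

```python
import base64, hashlib, hmac, json, os, time

# Assumed cost parameters for the adaptive hash (not TurboPA's real settings).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SESSION_KEY = os.urandom(32)  # server-side signing secret; rotated in practice


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt$digest'; the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/params and compare in constant time."""
    algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def issue_session(user_id: str, org_id: str, ttl_seconds: int = 3600, now=None) -> str:
    """Build 'payload.signature'; the expiry sits inside the signed payload."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "org": org_id, "exp": now + ttl_seconds}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_session(token: str, now=None):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered payload or forged signature
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] <= now:
        return None  # expired; the exp field was covered by the MAC, so it cannot be extended
    return claims
```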
Application-layer defense
All inputs are validated and sanitized before processing. Parameterized queries prevent injection attacks. Security headers protect against cross-site scripting and clickjacking.
HIPAA-eligible cloud infrastructure
All infrastructure runs on HIPAA-eligible cloud services covered under the provider's Business Associate Agreement. Data residency is maintained within the United States.
Operational security controls
Security is not just technical — it extends to our people, processes, and organizational practices.
- Documented incident response plan with defined roles and escalation procedures
- Regular vulnerability scanning and penetration testing
- Automated dependency monitoring and security patch management
- Principle of least privilege enforced across all systems and personnel
- Employee security awareness training and acceptable use policies
- Change management procedures with peer review requirements
- Data backup and disaster recovery with defined RPO/RTO targets
- Vendor and third-party risk assessment program
- Annual security risk assessments with documented remediation plans
- Secure software development lifecycle (SSDLC) practices
Questions about our security posture?
We're happy to share detailed control documentation, discuss BAA requirements, or walk through our security architecture with your compliance team.