How we protect your organization’s data and your clients’ information. Encryption, audit logging, breach notification, and every control that sits behind the workspace.
Built for HIPAA
Engineered against the HIPAA Privacy, Security, and Breach Notification Rules. Reviewed yearly. Workforce training program in place before PHI access. BAAs in place across the stack.
Encrypted at Rest
All Protected Health Information is encrypted with AES-256, the industry standard for healthcare data at rest. Managed keys rotate automatically.
Encrypted in Transit
Every byte between your browser and our servers moves over TLS 1.2 or higher. HSTS enforced. Legacy protocols disabled.
Automatic Session Timeout
Sessions expire after 15 minutes of inactivity, matching HIPAA’s automatic-logoff requirement. Re-authentication is one click.
Audit Logging
Every PHI access is logged: who viewed, created, modified, or exported patient data, with timestamps and source IP.
Facility Isolation
Each agency sees only its own data. Row-Level Security enforces the boundary at the database layer, not just in the app code.
Under the hood
Controls that earn the trust, not just claim it.
The administrative, technical, and physical safeguards behind IntakeFlow. Plain-language, no buzzword padding.
01 Infrastructure
Hosted on SOC 2 Type II and ISO 27001 certified cloud infrastructure. Full sub-processor list is delivered to customers as Schedule A of the signed Business Associate Agreement.
Database encrypted at rest (AES-256) and in transit (TLS 1.2+)
Automatic backups with point-in-time recovery
DDoS protection and rate limiting on all endpoints
No PHI stored in browser localStorage or sessionStorage
Inbound and outbound fax traffic is routed through a HIPAA-compliant fax provider under a signed Business Associate Agreement. PDFs transit encrypted and are stored with AES-256 at rest.
Real-time insurance eligibility verification is delivered through a HIPAA-covered X12 EDI clearinghouse subprocessor under a signed Business Associate Agreement. The X12 270 inquiry transits over TLS 1.2+ and carries only the minimum necessary identifiers (subscriber name, date of birth, member ID or SSN for MBI lookup, rendering provider NPI). No clinical, diagnostic, medication, or visit data is sent in the 270 payload. Destinations are limited to the patient’s payer (commercial, Medicare Advantage, or Medicaid MCO) or to the CMS HETS endpoint for Medicare fee-for-service and MBI lookup. The 271 response is written back into the customer’s eligibility record on the Service. The current named clearinghouse is disclosed to customers on request as part of the Schedule A subprocessor list.
All sub-processors operate under signed Business Associate Agreements where applicable
02 Access Controls
Three-tier role-based access control (Super Admin, Administrator, Coordinator)
Secure authentication with session cookies, covered by a signed BAA
Multi-factor authentication (MFA) available for all roles
Forced password change on first login for onboarded accounts
API input validation and sanitization on all endpoints
03 Breach Notification
In the event of a breach involving unsecured PHI, Sigla LLC will:
Notify affected covered entities within 24 hours of discovery
Cooperate with breach investigation and mitigation
Assist with individual and HHS notifications as required by HIPAA
Provide a detailed incident report including scope, cause, and remediation
04 Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly to contact@intakeflow.cc. We ask that you:
Do not access or modify data belonging to other users
Do not perform denial-of-service attacks
Allow reasonable time for remediation before public disclosure
05 Security Disclaimer
While we implement industry-standard administrative, technical, and physical safeguards designed to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. We continuously monitor, test, and improve our security posture, but we encourage you to take appropriate steps to protect your credentials and report any suspected vulnerabilities immediately.