IntakeFlowIntakeFlow
Book Demo
Security posture

Security, not by accident.

How we protect your organization’s data and your clients’ information. Encryption, audit logging, breach notification, and every control that sits behind the workspace.

Built for HIPAA

Engineered against the HIPAA Privacy, Security, and Breach Notification Rules. BAA signed with every customer, and with every cloud sub-processor that touches PHI.

Encrypted at Rest

All Protected Health Information is encrypted with AES-256, the industry standard for healthcare data at rest. Managed keys rotate automatically.

Encrypted in Transit

Every byte between your browser and our servers moves over TLS 1.2 or higher. HSTS enforced. Legacy protocols disabled.

Automatic Session Timeout

Sessions expire after 15 minutes of inactivity, matching HIPAA’s automatic-logoff requirement. Re-authentication is one click.

Audit Logging

Every PHI access is logged: who viewed, created, modified, signed, or exported patient data, with timestamps and source IP.

Facility Isolation

Each agency sees only its own data. Row Level Security enforces the boundary at the database layer, not just in the app code.

Under the hood

Controls that earn the trust, not just claim it.

The administrative, technical, and physical safeguards behind IntakeFlow. plain-language, no buzzword padding.

01 Infrastructure

  • Hosted on SOC 2 Type II and ISO 27001 certified cloud infrastructure. Full sub-processor list is delivered to customers as Schedule A of the signed Business Associate Agreement.
  • Database encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Automatic backups with point-in-time recovery
  • DDoS protection and rate limiting on all endpoints
  • No PHI stored in browser localStorage or sessionStorage
  • Inbound and outbound fax traffic is routed through a HIPAA-compliant fax provider under a signed Business Associate Agreement. PDFs transit encrypted and are stored with AES-256 at rest.
  • All sub-processors operate under signed Business Associate Agreements where applicable

02 Access Controls

  • Three-tier role-based access control (Super Admin, Administrator, Coordinator)
  • Secure authentication with session cookies, covered by a signed BAA
  • Multi-factor authentication (MFA) available for all roles
  • Forced password change on first login for onboarded accounts
  • Security headers: HSTS, X-Frame-Options DENY, Content-Security-Policy, X-Content-Type-Options
  • API input validation and sanitization on all endpoints
  • Remote signing links expire after 72 hours

03 E-Signature Security

  • Signatures captured as encrypted image data
  • Each signature includes SHA-256 tamper-evident hash, timestamp, IP address, and user agent
  • Explicit ESIGN Act consent captured before each signature
  • Witness countersignature required for all remotely signed documents
  • Complete audit trail from signature request to completion
  • Compliant with the federal ESIGN Act (15 U.S.C. § 7001) and Uniform Electronic Transactions Act (UETA)

04 Breach Notification

In the event of a breach involving unsecured PHI, Sigla LLC will:

  • Notify affected covered entities within 24 hours of discovery
  • Cooperate with breach investigation and mitigation
  • Assist with individual and HHS notifications as required by HIPAA
  • Provide a detailed incident report including scope, cause, and remediation

05 Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly to contact@intakeflow.cc. We ask that you:

  • Do not access or modify data belonging to other users
  • Do not perform denial-of-service attacks
  • Allow reasonable time for remediation before public disclosure

06 Security Disclaimer

While we implement industry-standard administrative, technical, and physical safeguards designed to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. We continuously monitor, test, and improve our security posture, but we encourage you to take appropriate steps to protect your credentials and report any suspected vulnerabilities immediately.

07 Contact

Security Team · Sigla LLC

Email: contact@intakeflow.cc

Address:
Sigla LLC
8401 Mayland Dr, Ste A
Richmond, VA 23294

Signed BAA, plain contract

Every customer onboards with a signed BAAand a clear agreement of what we do and don’t do with your data.

Read our BAARequest a demo