Security

How we protect your facility's data and your patients' information.

HIPAA Compliant

Built from the ground up to meet HIPAA Privacy, Security, and Breach Notification Rules. BAAs available for all customers.

Encryption at Rest

All Protected Health Information (PHI) is encrypted using AES-256, the industry standard for healthcare data at rest.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. No exceptions.

Automatic Session Timeout

Sessions automatically expire after 15 minutes of inactivity, as required by HIPAA security standards.

Audit Logging

Every access to PHI is logged — who viewed, created, modified, signed, or exported patient data, with timestamps.

Facility Isolation

Multi-tenant architecture with row-level security (RLS) ensures facilities can only access their own data.
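As an added illustration of how such facility isolation is expressed at the database layer (example code, not Sigla's own schema or policies), the following PostgreSQL row-level security setup targets Supabase; the table and column names are assumptions, and auth.uid() is Supabase's function returning the JWT subject of the current request:

```sql
-- Added example, not Sigla's own schema: facility isolation with PostgreSQL
-- row-level security on Supabase. Table/column names are assumptions;
-- auth.uid() is Supabase's function returning the JWT subject of the request.
create table facility_members (
  facility_id uuid not null,
  user_id     uuid not null references auth.users (id),
  role        text not null check (role in ('admin', 'staff')),
  primary key (facility_id, user_id)
);

create table patients (
  id          uuid primary key default gen_random_uuid(),
  facility_id uuid not null,
  full_name   text not null
);

-- Deny by default: once RLS is enabled, rows are invisible unless a policy allows them.
alter table patients enable row level security;
alter table patients force row level security;   -- no bypass for the table owner

-- Stable helper so each policy does not repeat the membership subquery.
create or replace function my_facilities() returns setof uuid
language sql stable security definer set search_path = public as $$
  select facility_id from facility_members where user_id = auth.uid()
$$;

-- Staff and admins: read, insert and update rows only inside their own facilities.
-- with check stops a caller from moving a row into a facility they do not belong to.
create policy patients_read   on patients for select to authenticated
  using (facility_id in (select my_facilities()));
create policy patients_insert on patients for insert to authenticated
  with check (facility_id in (select my_facilities()));
create policy patients_update on patients for update to authenticated
  using (facility_id in (select my_facilities()))
  with check (facility_id in (select my_facilities()));

-- Delete is admin-only; permissive policies are OR'ed, so no broader delete policy exists.
create policy patients_delete on patients for delete to authenticated
  using (exists (select 1 from facility_members m
                 where m.facility_id = patients.facility_id
                   and m.user_id = auth.uid() and m.role = 'admin'));

-- Check: impersonate one user inside a transaction and confirm only their
-- facilities' rows come back (replace the placeholder with a real user id).
begin;
set local role authenticated;
select set_config('request.jwt.claims', '{"sub":"<USER-UUID>"}', true);
select facility_id, count(*) from patients group by facility_id;
rollback;
```

The final transaction is the check a reviewer would run: with the claims set to a user who belongs to one facility, the grouped count must list only that facility, and a second user's facility must not appear.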

Infrastructure

  • Hosted on SOC 2 Type II certified cloud infrastructure
  • Database hosted on Supabase with built-in PostgreSQL encryption
  • Automatic backups with point-in-time recovery
  • DDoS protection and rate limiting on all endpoints
  • No PHI stored in browser localStorage or sessionStorage

Access Controls

  • Role-based access: admin vs. staff permissions per facility
  • Secure authentication via Supabase Auth with password hashing (bcrypt)
  • CSRF protection on all form submissions
  • Security headers: HSTS, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy
  • API input validation and sanitization on all endpoints
  • Remote signing links expire after 72 hours

E-Signature Security

  • Signatures captured as encrypted image data (PNG)
  • Each signature includes timestamp and signer identification
  • Witness countersign required for all remotely signed documents
  • Complete audit trail from signature request to completion
  • Compliant with ESIGN Act and Uniform Electronic Transactions Act (UETA)

Breach Notification

In the event of a breach involving unsecured PHI, Sigla LLC will:

  • Notify affected covered entities within 24 hours of discovery
  • Cooperate with breach investigation and mitigation
  • Assist with individual and HHS notifications as required by HIPAA
  • Provide a detailed incident report including scope, cause, and remediation

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly to contact@siglallc.com. We ask that you:

  • Do not access or modify data belonging to other users
  • Do not perform denial-of-service attacks
  • Allow reasonable time for remediation before public disclosure

Contact

Security Team — Sigla LLC

Email: contact@siglallc.com