Security & Privacy

Security at Intelligent One

Healthcare demands the highest standard of data protection. Our platform is built with HIPAA-first architecture — security is foundational, not bolted on.

Governance

Our Security and Compliance teams establish policies and controls, monitor compliance, and prove our security posture to third-party auditors.

Our policies are based on the following foundational principles:

01. Access is limited to those with a legitimate business need, granted on the principle of least privilege.

02. Security controls are implemented and layered according to the principle of defense-in-depth.

03. Security controls are applied consistently across all areas of the enterprise.

04. Controls are iterative — continuously maturing across effectiveness, auditability, and reduced friction.

Compliance

Intelligent One maintains HIPAA compliance across all products and infrastructure. We execute Business Associate Agreements (BAAs) with all healthcare practice clients and with upstream vendors that process protected health information. Our compliance program is managed through Vanta with continuous monitoring.

Data Protection

Data at Rest

All datastores containing clinical and customer data are encrypted at rest using AES-256. This includes Azure managed disks, Azure Storage accounts, Azure Database for PostgreSQL (Transparent Data Encryption), and Azure Cache for Redis. Sensitive fields receive additional application-level encryption before reaching the database.

Data in Transit

Intelligent One uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks, including all API calls to Azure OpenAI services. We enforce HSTS (HTTP Strict Transport Security) to maximize the security of data in transit. Server TLS certificates are managed by Azure and deployed via Azure Front Door and App Service.

Secret Management

Encryption keys and application secrets are managed via Azure Key Vault, which stores key material in FIPS 140-2 validated Hardware Security Modules (HSMs). No individual has direct access to key material. All credentials, API keys, and connection strings are stored exclusively in Key Vault with strict RBAC access policies and audit logging.

PHI Protection

Protected Health Information (PHI) is processed in real time and is not retained beyond the active clinical session unless explicitly configured by the practice. PHI is never used for marketing, advertising, model training, or any purpose unrelated to clinical services. PHI is never sold to third parties.

Infrastructure Security

Cloud Infrastructure

All production infrastructure runs on Microsoft Azure with SOC 2 Type II and HIPAA-compliant data centers. We use Azure Container Apps for application workloads with network isolation via Virtual Networks and Network Security Groups. All virtual machines run hardened configurations with no default accounts or passwords, and security patches are applied as soon as they become available.

Monitoring and Logging

Azure Monitor and Azure Alerts provide real-time monitoring across all production resources. Full audit logging captures all data access, configuration changes, and system operations. Activity logs are retained for compliance and incident investigation purposes. Alerts are configured for anomalous activity and security events.

Network Security

Production networks are segmented using Azure Virtual Networks and subnets. Network Security Groups enforce strict inbound and outbound traffic rules, limiting access to only authorized services and ports. All management of network rules is performed by authorized members of the Engineering team through change management procedures. Remote access sessions enforce a 2-hour timeout policy.

Enterprise Security

Identity and Access Management

Intelligent One uses Azure Active Directory for identity and access management with role-based access control (RBAC) enforced across all resources. Multi-Factor Authentication (MFA) is required for all production access. Employees are granted access based on their role and the principle of least privilege, and access is promptly revoked upon termination.

Vendor Security

Intelligent One uses a risk-based approach to vendor security. All vendors with access to clinical or customer data are evaluated for security posture and are required to execute Business Associate Agreements where PHI is involved. Vendor access to production systems is enabled only when needed and deactivated immediately after use.

Endpoint Protection

All corporate devices are managed through Microsoft Intune with enforced security configurations including disk encryption, screen lock policies, and automatic software updates. Windows 365 Cloud PCs provide secure, encrypted virtual desktops for team members with centralized management and compliance monitoring.

Security Education

All employees receive comprehensive security and HIPAA compliance training upon onboarding and on an ongoing basis. Employment and contractor agreements include confidentiality, non-disclosure, and information security obligations. Security awareness is reinforced through regular team communications and policy updates.

Data Privacy

At Intelligent One, data privacy is a first-class priority. As a healthcare technology company, we hold ourselves to the highest standard of stewardship over clinical and patient data.

HIPAA Compliance

Intelligent One operates as a Business Associate under HIPAA. We maintain BAAs with all healthcare practice clients and with upstream vendors that handle PHI. Our compliance program includes continuous monitoring, policy enforcement, and regular audits managed through Vanta.

Data Retention

Clinical data is processed in real time and not retained beyond the active session unless the practice explicitly configures persistent storage. Account information is retained for the duration of the service agreement. Upon termination, all data is deleted within 30 days unless retention is required by law.

Questions About Security?

If you have questions about our security practices or need to report a vulnerability, contact our team.

info@intelligentone.ai