Security & Trust
Built so the only conversation is about care.
Moxcares handles PHI for clinics every day. Here's exactly how we keep it safe — and how we give your compliance officer everything they need to sign off in an afternoon.
HIPAA from day one
Every Moxcares plan ships with a signed Business Associate Agreement. PHI is segregated, access is logged, and every workflow is built around the minimum-necessary principle.
Encryption everywhere
AES-256 encryption at rest. TLS 1.3 in transit. Database, backups, and message payloads are encrypted at rest and in transit with keys managed on Google Cloud Platform.
Role-based access & MFA
Front desk, practitioners, and owners each see exactly what they need — nothing more. MFA is enforced for every staff account, and admins can revoke sessions instantly.
Tamper-evident audit trail you can hand to a compliance officer
Every view, edit, message, export, and administrative action is written to an append-only, cryptographically hash-chained audit log. Storage is append-only, and each entry's hash covers the previous entry's hash, so an entry that is modified, deleted, reordered, or back-dated breaks the chain and is detected on verification, whether the change comes from a user, an administrator, or an internal service. The log is retained for the full HIPAA-required period, integrity-verifiable on demand, and exportable in full for your compliance officer or auditor.
Consent enforced at send time
Patients opt in before a single SMS is sent. Stop and reply-stop keywords are honored automatically. Consent state travels with every message.
Data ownership and portability
Your clinic's data is yours. Export everything as CSV at any time. We don't train AI models on your PHI, and we never sell or share patient data.
Certifications & posture
The short version for your compliance team
Proactive by design
Stringent from day one — not bolted on after an audit.
We built Moxcares under HIPAA-grade design protocols from the first commit. Least-privilege access, defense-in-depth, cryptographic integrity controls, and secure-software-development lifecycle (SSDLC) practices are enforced across engineering — not added retroactively for a certification.
That includes the details that get missed at most vendors. Audit records are append-only and cryptographically chained, so an entry that is altered, deleted, or back-dated breaks the chain and is detected on verification, whoever makes the change: a control aligned with HIPAA §164.312(b) (audit controls) and §164.312(c)(1) (integrity of ePHI). Backups are immutable and encrypted with independently managed keys, secrets are rotated and scoped per service, production access is MFA-gated and fully attributable, and every change is peer-reviewed and logged.
The result: when your compliance officer asks the hard questions — "who touched this record, when, and can I prove it hasn't been altered?" — the answer is on one screen, with cryptographic evidence behind it.
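To show concretely what "hash-chained" and "integrity-verifiable on demand" mean in the audit-trail sections above, here is an added example written for this page. It is not Moxcares' implementation: the entry layout, SHA-256 over canonical JSON, the all-zero GENESIS anchor, and the sample clinic events are all assumptions. It appends entries to a chain, then verifies the chain against three tampering scenarios: a back-dated timestamp, a deleted middle entry, and a truncated tail. The last case is the one a bare hash chain cannot catch on its own, which is why the verifier also accepts an independently stored head hash or entry count.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor for the first entry (not Moxcares' format)


def entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an identical record always
    # hashes identically. The previous hash and sequence number sit inside the
    # hashed payload; that is what links entries into a chain.
    payload = json.dumps(
        {"prev": prev_hash, "seq": seq, "record": record},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only, hash-chained log. Deliberately has no update/delete methods."""

    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, resource: str, ts: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        record = {"actor": actor, "action": action, "resource": resource, "ts": ts}
        h = entry_hash(prev, seq, record)
        self.entries.append({"seq": seq, "prev": prev, "record": record, "hash": h})
        return h

    def head(self) -> str:
        # The head hash is what you publish/escrow out of band (e.g. to a
        # write-once store) so a later truncation of the log can be detected.
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, expected_head=None, expected_len=None):
    """Recompute every hash from GENESIS forward. Returns (ok, reason).

    Edits, deletions, reorderings and back-dating break the chain at or after
    the altered entry. Dropping the newest entries does not: the remaining
    prefix is still a valid chain, so pass expected_head and/or expected_len
    from an independent source to catch truncation.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence gap at position {i} (entry says seq={e['seq']})"
        if e["prev"] != prev:
            return False, f"prev-hash mismatch at seq {i}"
        if entry_hash(e["prev"], e["seq"], e["record"]) != e["hash"]:
            return False, f"content hash mismatch at seq {i}"
        prev = e["hash"]
    if expected_len is not None and len(entries) != expected_len:
        return False, f"length mismatch: {len(entries)} entries, expected {expected_len}"
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "head hash mismatch (chain truncated or replaced)"
    return True, "ok"


# --- Constructed sample events and tampering scenarios (illustrative only) ---

def build_sample_log() -> AuditLog:
    log = AuditLog()
    log.append("frontdesk@clinic.example", "view",   "patient/1001", "2024-05-01T09:00:00Z")
    log.append("dr.lee@clinic.example",   "edit",   "patient/1001", "2024-05-01T09:05:00Z")
    log.append("owner@clinic.example",    "export", "patients.csv", "2024-05-01T17:30:00Z")
    return log


def backdate(entries, seq, new_ts):
    """Tamper scenario: rewrite a timestamp in place to hide when access happened."""
    t = copy.deepcopy(entries)
    t[seq]["record"]["ts"] = new_ts
    return t


def delete_entry(entries, seq):
    """Tamper scenario: remove one entry from the middle of the log."""
    t = copy.deepcopy(entries)
    del t[seq]
    return t


def truncate(entries, keep):
    """Tamper scenario: drop the newest entries (what a bare chain cannot detect)."""
    return copy.deepcopy(entries[:keep])


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log.entries))
    print(verify_chain(backdate(log.entries, 1, "2024-05-01T08:00:00Z")))
    print(verify_chain(delete_entry(log.entries, 1)))
    print(verify_chain(truncate(log.entries, 2)))                            # still "ok"
    print(verify_chain(truncate(log.entries, 2), expected_head=log.head()))  # caught
```

The design point worth taking from this: chaining makes alteration and deletion detectable, while the append-only storage is what prevents them; neither alone is enough. And because a truncated chain verifies cleanly on its own, an auditor should compare the exported log's head hash and entry count against a value recorded outside the system being audited.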
Want the full security review packet?
We'll send our SOC 2 progress report, sub-processor list, and a draft BAA for your counsel to review.
Request security packet