Security and trust
How we protect client systems and patient data
This page documents the operating practices behind our healthcare engagements: what you control, what we control, and how PHI is handled. It is written to support a vendor security review. If your review needs more than what is here, email us the questionnaire.
Your code, your cloud
Production runs in your cloud account, under your billing, whether that is Azure, AWS, or Google Cloud. Repositories and pipelines can live there too. We hold access, not assets: when the engagement ends, you revoke access and keep everything.
PHI stays in production
Development and test environments run on synthetic data. No production exports, no PHI on developer machines. The rule is written down: production data does not leave production.
Paper before access
An NDA before the first technical conversation, if you want one. A BAA signed before any work near PHI. Access is named, scoped per engagement, and revoked against a checklist at offboarding.
Engagements
How every engagement runs
Agreements before data
We work as a subcontractor business associate under HIPAA: the BAA is signed before PHI-adjacent work starts, not after. For products that handle EU personal data, the same rule applies through a data processing agreement. If you do not have templates, we bring drafts.
Access that maps to people
Named accounts, multi-factor authentication, least privilege, scoped per engagement. No shared logins and no standing admin rights.
Offboarding with a paper trail
When someone rolls off, access is revoked, confirmed, and dated against a checklist. The last step is telling you it happened.
Data
Where your data lives
Your account, your subscription
Production infrastructure sits in a cloud account you own. We work inside it with roles you grant and can revoke. Nothing about your production environment depends on an account we own.
Inherited attestations, labeled as such
The major clouds (Azure, AWS, Google Cloud) carry HIPAA, HITRUST, SOC 2, and ISO 27001 attestations at the infrastructure level. Those are the providers’ attestations, not ours. What is ours is how we operate inside that infrastructure, which is what this page documents.
Synthetic data in development
Development and test environments are built on generated data. PHI does not reach development environments or developer machines.
Delivery
Change control
Separated environments
Development, test, and production are separate environments with separate credentials. Production changes arrive only through the release pipeline, never from a developer machine.
Every change is attributable
Author, reviewer, build, and release time are on record for every production change. The full trail for any release can be reconstructed on request, which is what an audit asks for.
Deploy rights belong to pipelines
Production deployments run through pipeline identities with scoped permissions, behind release approvals. There is no standing human deploy access, and credentials live in managed vaults rather than code or pipeline definitions.
People
Workforce security
Confidentiality, on paper
Everyone who touches client work is under a confidentiality agreement. Every agreement is on file and current.
Endpoint standard
Workstations follow our endpoint baseline: full-disk encryption, screen lock, managed password manager, current OS patches.
Training that repeats
Security and HIPAA awareness training runs annually, aligned with the HIPAA workforce requirements we operate under as a business associate.
Risk
How we assess risk
Risk analysis on a published framework
Risk analysis follows NIST SP 800-66 Rev 2, the framework HHS points to for the HIPAA Security Rule. We run one per healthcare engagement and maintain it as a working document, not a one-time deliverable.
Incidents have an owner
Security incidents route to a named owner with a documented response path. If an incident touches your systems or your data, you hear it from us first.
Compliance is part of the engagement
HIPAA programs are part of how we deliver healthcare platforms: risk analysis under NIST SP 800-66 Rev 2, technical safeguards, audit logging, and the BAA chain across subprocessors. The compliance work ships with the product, not as a separate project.
If your platform needs HIPAA, GDPR, SOC 2, or ISO 27001 readiness, we bring that experience and a vetted vendor map: audit firms, compliance platforms, and penetration testing partners. You get the controls built into the codebase and the evidence trail your auditor asks for.
Common security review questions
Do you sign BAAs?
Yes, as a subcontractor business associate, before any PHI-adjacent work starts. If you do not have a BAA template, we bring a draft.
Do you have SOC 2 or ISO 27001?
Our security practices are documented on this page and in a security overview available on request. Most of our compliance work lives in client platforms: HIPAA programs, risk analysis under NIST SP 800-66 Rev 2, and the evidence trails their audits ask for. For engagements that require an independent attestation, we work with vetted audit partners and have that path scoped.
Who owns the code and the infrastructure?
You do. Production runs in a cloud account you own, the code lives in repositories you control or that transfer to you, and ending the engagement is an access revocation rather than a migration project.
Can your developers see patient data?
Development and test environments run on synthetic data, so day-to-day work never touches PHI. Production access exists only through roles you grant, on named accounts with multi-factor authentication, and is revoked at offboarding.
How do you handle GDPR and CCPA?
For products that touch EU or California personal data, we sign a data processing agreement and build the mechanics these laws expect: data minimization, consent records, and working paths for erasure, export, and opt-out. Data stays in your cloud account, in the regions you choose.
Do you use AI tools on client work?
Yes, for engineering productivity, under policies agreed with each client. PHI never goes into AI tools. Development environments hold no PHI, and production access policies do not change for tooling.
How do we run our security review?
Email the questionnaire to business@highcraft.io. A senior engineer answers it. Expect responses within two business days.
Running a vendor security review?
Email us the questionnaire. A senior engineer answers within two business days.