Trust & Compliance

Cope Compass meets healthcare compliance standards. Your data is encrypted, access is audited, and providers sign a BAA before seeing any patient information.

HIPAA Compliant
NIST SP 800-66
BAA Included
TLS 1.3 Encrypted
CCPA Compliant

Privacy Officer, Cope Compass · [email protected]

Security Controls

HIPAA Compliant
Full compliance with the Health Insurance Portability and Accountability Act. All technical, physical, and administrative safeguards are in place.

Encryption in Transit
All data transmitted between your device and our servers is encrypted using TLS 1.3. API connections enforce HTTPS with HSTS preloading.

Encryption at Rest
Database connections require SSL. Infrastructure hosted on Railway with managed PostgreSQL encryption. Sensitive fields follow NIST guidelines.

Audit Logging
Every access to patient data is logged with accessor identity, patient ID, endpoint, IP address, and timestamp. Logs are immutable and retained indefinitely.

Consent-Based Access
Providers can only view patient data after the patient explicitly grants consent in-app. Patients can revoke access at any time, immediately.

Business Associate Agreement
Every provider signs a BAA before accessing any patient data. Digital signature with IP address, timestamp, and version tracking.

Rate Limiting
Authentication endpoints are rate-limited to prevent brute-force attacks. Login: 5 attempts per 15 minutes. Signup: 3 per hour per IP.

Right to Access & Delete
Users can export all their data at any time (HIPAA right to access). Full account deletion is available — your data is yours.
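A sliding-window limiter that enforces the login and signup limits stated above, as an added example (not Cope Compass's own code). The in-memory store and keying login attempts by client IP are assumptions; the page gives the login limit without saying what it is keyed on.

```python
"""Sliding-window rate limiter for authentication endpoints (added example).

Assumptions not stated on the page: an in-memory store, and login attempts
keyed per client IP (the page gives the login limit without a key).
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Limits as stated on the page: login 5 per 15 minutes, signup 3 per hour per IP.
LIMITS = {
    "login": (5, 15 * 60),
    "signup": (3, 60 * 60),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    remaining: int
    retry_after: float  # seconds until the oldest counted attempt leaves the window


class AuthRateLimiter:
    """Counts attempts per (endpoint, client key) inside a sliding time window."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self._attempts = defaultdict(deque)  # (endpoint, key) -> attempt timestamps

    def check(self, endpoint: str, key: str, now: float) -> Decision:
        max_attempts, window = self.limits[endpoint]
        q = self._attempts[(endpoint, key)]
        # Evict attempts that have aged out of the window before counting.
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= max_attempts:
            # Deny without recording, so a blocked request does not extend the lockout.
            return Decision(False, 0, window - (now - q[0]))
        q.append(now)
        return Decision(True, max_attempts - len(q), 0.0)
```

Call `check` before running the password check so a denied request never reaches the credential store; `retry_after` is what a 429 response's Retry-After header would carry.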

Full compliance documentation — including our risk assessment, BAA template, breach notification procedure, and 7 additional policy documents — is available on request.

Your Rights

Access all your data
Export your data anytime
Delete your account
Revoke provider access
See who viewed your data
Request data amendment
Restrict data use
File a complaint with HHS

Infrastructure

Hosting: Railway (US region, SOC 2 Type II compliant infrastructure)

Database: PostgreSQL with SSL-enforced connections

CDN/DNS: Cloudflare (enterprise-grade DDoS protection)

Email: Resend (verified domain, DKIM + SPF + DMARC)

Authentication: JWT with token rotation, bcrypt password hashing

Last updated: April 4, 2026 · Assessment version 1.0