Security
Built for regulated work from day one.
Compliance isn't a flag we toggle later — it's three layers of tenant isolation, a cryptographic audit chain, agent-level data scrubbing, and continuous monitoring. Here's the receipt.
TLS 1.3 in transit
HSTS enforced. No TLS < 1.2 ever.
AES-256 at rest
Postgres TDE + S3 SSE-KMS. Field-level encryption (libsodium / AWS KMS) on rates, compensation, PHI fields.
3-layer tenant isolation
Supabase Auth → Postgres RLS → Neo4j tenantId. Defense in depth on every query.
Audit log with hash chain
Append-only, app role lacks UPDATE/DELETE, SHA-256 chain detects tampering. 21 CFR Part 11-ready.
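The SHA-256 hash chain described above, as an added Python example (not lynqx's own code): each row hashes its sequence number, the previous row's hash and its payload, and a verifier re-derives the whole chain so an edited, deleted or reordered row is flagged. The row layout, tenant, actor and row names are assumptions.

```python
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # anchor for the first entry's prev pointer

def entry_hash(prev_hash, seq, payload):
    # Canonical JSON (sorted keys, no whitespace) so the same event always hashes identically.
    canonical = json.dumps({"seq": seq, "prev": prev_hash, "payload": payload},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class AuditChain:
    """Append-only log; each entry is {seq, prev, payload, hash}."""
    def __init__(self):
        self.entries = []

    def append(self, payload):
        seq = len(self.entries) + 1
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"seq": seq, "prev": prev, "payload": payload,
                 "hash": entry_hash(prev, seq, payload)}
        self.entries.append(entry)
        return entry

def verify_chain(entries):
    """Re-derive every hash; return (True, None) or (False, seq of first bad entry)."""
    prev = GENESIS_HASH
    for expected_seq, e in enumerate(entries, start=1):
        if (e["seq"] != expected_seq or e["prev"] != prev
                or e["hash"] != entry_hash(prev, expected_seq, e["payload"])):
            return False, e["seq"]
        prev = e["hash"]
    return True, None

def sample_chain():
    # Constructed sample events; tenant/actor/row names are hypothetical.
    chain = AuditChain()
    chain.append({"tenant": "t-001", "actor": "alice", "action": "view", "row": "rate-17"})
    chain.append({"tenant": "t-001", "actor": "bob", "action": "update", "row": "rate-17"})
    chain.append({"tenant": "t-001", "actor": "alice", "action": "export", "row": "rate-17"})
    return chain.entries

def edited_in_place(entries, seq, new_action):
    # Simulate a privileged user editing row `seq` and recomputing only that row's hash.
    edited = copy.deepcopy(entries)
    edited[seq - 1]["payload"]["action"] = new_action
    edited[seq - 1]["hash"] = entry_hash(edited[seq - 1]["prev"], seq, edited[seq - 1]["payload"])
    return edited
```

`verify_chain(sample_chain())` returns `(True, None)`; rewriting row 2 even with a fresh hash returns `(False, 3)` because row 3's prev pointer no longer matches, and dropping row 2 returns `(False, 3)` because of the sequence gap.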
Provenance on every fact
Every UI fact carries a source URL. Unattributed facts fail review. Non-negotiable.
Continuous compliance
Vanta-style monitoring across 100+ controls. Annual third-party penetration test.
Sub-processor DPAs
Every vendor with PHI exposure has a BAA. Zero-retention agreements with Anthropic + OpenAI.
Incident response
24/7 on-call for P0/P1. GDPR 72h, HIPAA 60d notifications. Quarterly drills.
SOC 2 Type II
In observation. Full report available under NDA. Continuous compliance monitoring via Vanta.
Request the report →
HIPAA + BAA
Workspace-level toggle. BAA template on request. Field-level encryption + no-PHI-to-LLM enforcement.
Request the BAA →
Disclosure
Found a vulnerability? Coordinated disclosure with thanks. We respond within 24 hours.
security@lynqx.com →