Enterprise-grade security

Security & compliance, built in.

HIPAA, SOC 2, and PCI DSS aren't checkboxes—they're table stakes. Reconcilify safeguards PHI and financial data across EMR, POS, loyalty, and bank feeds so you can scale with confidence.

HIPAA-ready infrastructure. SOC 2 Type II audit in progress.

  • HIPAA Ready: infrastructure complete
  • SOC 2 Type II: audit in progress
  • PCI DSS: aligned
  • BAA Available: immediately

HIPAA Compliance (2025 Ready)

Multi-factor authentication, end-to-end encryption, six-year audit retention — the upcoming HIPAA Security Rule changes are not "nice-to-haves." We're designing with them as baseline.

Administrative Safeguards

  • Designated HIPAA Security Officer
  • Regular workforce training
  • Incident response procedures
  • Regular risk assessments

Physical Safeguards

  • Secure data center facilities
  • Controlled access to servers
  • Environmental controls
  • Secure media disposal

Technical Safeguards

  • End-to-end encryption
  • Multi-factor authentication
  • Role-based access controls
  • Comprehensive audit logging

Application Layer

  • x-tenant-id header validation on every request
  • Multi-factor authentication (MFA) required for admin/PHI access
  • CSRF protection on all state-changing operations
  • Rate limiting (Redis-backed, distributed)

Database Layer

  • Row-Level Security (RLS) enforced on 70+ tables
  • SET LOCAL app.current_tenant_id on every query
  • 25+ security tests verify cross-tenant isolation
  • Immutable audit trails for all modifications
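The Database Layer bullets describe the PostgreSQL row-level security pattern: a policy on each tenant-scoped table compares the row's tenant column with a per-transaction setting that the application binds with `SET LOCAL`. The following is an added illustration of that pattern, not Reconcilify's schema or code; the table, column and role names and the two tenant ids are constructed for the example.

```sql
-- Constructed table standing in for one of the tenant-scoped tables.
CREATE TABLE transactions (
    id           bigserial PRIMARY KEY,
    tenant_id    uuid   NOT NULL,
    amount_cents bigint NOT NULL,
    memo         text
);

-- Enable RLS and also apply it to the table owner; without FORCE the owner
-- bypasses every policy (superusers always bypass RLS regardless).
ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the variable was never set, and
-- NULLIF guards against an empty string left behind by a session-level SET.
-- A NULL comparison is false, so a request that forgot to bind a tenant sees
-- zero rows and can write none, rather than seeing every tenant's rows.
CREATE POLICY tenant_isolation ON transactions
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant_id', true), '')::uuid);

-- The application connects as a role that does not own the table and has no BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON transactions TO app_user;
GRANT USAGE, SELECT ON SEQUENCE transactions_id_seq TO app_user;

-- Seed one row per constructed tenant. Because RLS is forced, even the owner
-- must bind the tenant before the WITH CHECK clause accepts the insert.
BEGIN;
SET LOCAL app.current_tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO transactions (tenant_id, amount_cents, memo)
VALUES ('11111111-1111-1111-1111-111111111111', 1250, 'tenant A sale');
COMMIT;

BEGIN;
SET LOCAL app.current_tenant_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO transactions (tenant_id, amount_cents, memo)
VALUES ('22222222-2222-2222-2222-222222222222', 9900, 'tenant B sale');
COMMIT;

-- Request path: one transaction per request, tenant bound with SET LOCAL so the
-- value dies with the transaction and cannot leak to the next request that
-- reuses this pooled connection.
SET ROLE app_user;
BEGIN;
SET LOCAL app.current_tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT id, amount_cents, memo FROM transactions;   -- returns only tenant A's row
COMMIT;

-- Isolation test 1: a write tagged with another tenant's id is rejected by WITH CHECK
-- ("new row violates row-level security policy"), even though the role may INSERT.
BEGIN;
SET LOCAL app.current_tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO transactions (tenant_id, amount_cents, memo)
VALUES ('22222222-2222-2222-2222-222222222222', 1, 'mis-tagged row');
ROLLBACK;

-- Isolation test 2: no tenant bound at all. Expected result is zero rows, which
-- is the fail-closed behaviour the NULL comparison in the policy provides.
BEGIN;
SELECT count(*) FROM transactions;                  -- returns 0
COMMIT;
RESET ROLE;
```

The two trailing transactions are the kind of check the "security tests verify cross-tenant isolation" bullet refers to: a test suite can run each against a disposable database and assert on the error and on the zero count. Two points matter in practice: `SET LOCAL` rather than `SET`, so a pooled connection never carries a tenant id into the next request, and `FORCE ROW LEVEL SECURITY` plus a non-owner, non-`BYPASSRLS` application role, so the policy is the only path to the data.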

Encryption Layer

  • AES-256-GCM encryption at rest for PHI fields
  • TLS 1.3 encryption in transit
  • Automatic redaction of PHI in logs and AI outputs
  • Session storage: Redis with HTTP-only cookies

Zero Trust Architecture

Every layer of Reconcilify is designed with Zero Trust, least privilege, and defense-in-depth. Your data isn't just protected — it's architected to stay that way. From the first login to every API call, we enforce strict authentication and authorization. Role-based access ensures each staff member sees only what they need — and nothing more.

SOC 2 Type II (Infrastructure Complete)

SOC 2 Type II certification provides the evidence enterprise buyers demand: secure systems, reliable availability, and confidentiality baked into operations. Our infrastructure is audit-ready.

Timeline & Status

  • Complete: SOC 2 Type II-ready infrastructure (controls implemented)
  • Q1 2025: Final gap assessment and documentation
  • Q2 2025: SOC 2 Type II certification (target)
  • 2026+: Annual SOC 2 Type II audits

Current customers operate on SOC 2-ready infrastructure. Certification expected Q2 2025.

PCI DSS Payment Security

From HSA cards to open-loop gift cards, every transaction runs inside PCI DSS scope. That means secure handling of cardholder data and streamlined audits for your finance team.

State & Federal Compliance

Ownership restrictions, good faith exams, incident reporting — state rules differ, but your compliance shouldn't. Reconcilify adapts reporting and audit evidence to meet both federal and state requirements.

Business Associate Agreement (BAA)

For covered entities handling protected health information, we provide comprehensive BAAs with clear terms for data processing, security obligations, and breach notification protocols.

BAA Process

  1. Initial Review: 24-48 hours to review your use case
  2. BAA Generation: Customized to your specific data flows
  3. Legal Review: Your counsel reviews terms
  4. Execution: Digital signature and implementation
  5. Annual Renewal: Streamlined renewal process


Incident Response & Breach Notification

In the event of a security incident or potential breach:

  • Immediate incident response team activation
  • Rapid containment and investigation procedures
  • Notification to affected covered entities within 60 days
  • Comprehensive documentation and reporting
  • Remediation and prevention measures implementation

Compliance as Competitive Advantage

Audit logs, penetration tests, and third-party attestations aren't just about avoiding fines. They shorten enterprise sales cycles, build trust with investors, and set you apart from competitors.

Contact Our Compliance Team

For questions about our security practices or to request compliance documentation:

HIPAA Security Officer: support@reconcilify.com
HIPAA Privacy Officer: support@reconcilify.com
Compliance Team: support@reconcilify.com
Phone: 208-391-3344
