Security & Compliance
NextGen Wellness is built for organizations that handle sensitive health data. Our platform implements HIPAA-ready technical safeguards, encryption at every layer, and role-based access controls from the ground up.
HIPAA-Ready Architecture
Our platform is built with HIPAA-ready technical safeguards from the ground up. We implement the administrative, physical, and technical safeguards required to protect electronic protected health information (ePHI).
- Technical safeguards implemented across the full application stack
- Business Associate Agreement (BAA) available upon request
- Regular risk assessments and security reviews
- Workforce training on HIPAA privacy and security requirements
Data Security
All data is encrypted at rest and in transit. We use industry-standard security protocols to ensure your data is protected at every layer.
- TLS encryption for all data in transit
- AES-256 encryption for data at rest
- bcrypt password hashing with salted rounds
- JWT token-based authentication with expiration and rotation
- Role-based access control on all API endpoints
Infrastructure
Our infrastructure is cloud-hosted in US-based data centers with no on-premise requirements. Managed services handle database operations, backups, and scaling.
- Cloud-hosted on US-based infrastructure
- No on-premise hardware or software requirements
- Managed PostgreSQL database with automated backups
- Regular security patches and dependency updates
- Isolated environments for development, staging, and production
Data Ownership
Your data belongs to you. We provide full export capabilities, certified deletion on contract termination, and zero vendor lock-in.
- Customer owns 100% of their data at all times
- Export in CSV, JSON, and FHIR formats
- Certified data deletion upon contract termination
- No vendor lock-in -- your data is always portable
- Transparent data processing policies
Access Controls
We implement role-based access controls with the principle of least privilege. Every data access is logged for audit purposes.
- Role-based access: member, navigator, and admin tiers
- Principle of least privilege enforced across all roles
- Audit logging on all data access and modifications
- Session management with automatic timeout
- Multi-factor authentication support
Incident Response
We maintain continuous monitoring and alerting with a commitment to rapid notification in the event of a security incident.
- Continuous infrastructure and application monitoring
- Automated alerting on anomalous activity
- 24-hour notification commitment for security incidents
- Documented incident response procedures
- Post-incident review and remediation process
A note on certifications
NextGen Wellness has implemented HIPAA-ready technical safeguards and offers a Business Associate Agreement (BAA) upon request. We do not currently claim HIPAA certification, SOC 2 certification, or HITRUST certification. Our commitment is to transparent, honest security practices that meet the needs of healthcare organizations.
Request our security documentation
Need more detail on our security posture? We are happy to share our security documentation, discuss BAA terms, or walk through our architecture with your IT and compliance teams.