
Security · Compliance · Sovereignty

Built for the regulated industry it serves.

HIPAA-aligned by design. Tamper-proof audit trails for the 80/20 Rule. Post-quantum cryptography on the substrate. Data sovereignty for the operator. A CISO's job is to protect the company. HCBS.AI makes that easy.

HIPAA

Aligned by design, not retrofitted.

Protected Health Information stays segregated, encrypted at rest and in transit, accessed under role-based controls, and logged to a tamper-proof audit trail on every read. The architecture predates the feature; you do not bolt HIPAA on after, you build everything inside it.

Tamper-proof audit trail

Every artifact, sealed.

Every generated SOP, audit-defense citation, regulatory update, rep-payee transaction, and operator approval gets a cryptographic seal at creation. The record is tamper-evident and forward-verifiable. When the 2030 auditor opens your dossier, every line traces back to the moment it was created.

80/20 Rule readiness

Years before the deadline.

The federal 80/20 Rule begins state reporting July 9, 2028 and reaches full enforcement July 9, 2030. Agencies that show up to 2028 with tamper-proof audit trails, pay-through documentation, and continuous compliance posture survive the consolidation. The rest do not.

Post-quantum cryptography

Built for the next 40 years.

Signatures, key exchange, and audit-trail seals use post-quantum algorithms (ML-DSA, ML-KEM) alongside traditional curves. The dossier you generate today verifies cleanly in 2065. Regulated industries do not pick architectures with a five-year shelf life.

Data sovereignty

Your data is yours, always.

Export everything at any time, in your format. We never train on your operational data; the system learns from network-wide patterns, and your specifics stay yours. The audit trail is yours to take if you ever leave. We do not hold the dossier hostage.

Residency: the marketing site runs on Cloudflare's US edge network. Customer-facing product data, including any PHI processed under BAA, lives in US data centers and stays within US jurisdiction.

Disclosure

Report a security issue.

We accept coordinated vulnerability disclosure. Find the contact and PGP policy at our security.txt file (RFC 9116). Triage starts within one business day.

Compliance and attestations

Where we are. Where we're going.

We publish the roadmap on the same page as the controls. Buyers and auditors get the same answer the founders would give in person.

Need something not listed here? Email wecare@hcbs.ai and we will reply with where it sits on the roadmap, or what we can provide today as an interim.

Incident response

When something goes wrong, you hear from us first.

Our incident-response process exists so customers and regulators get accurate information on a known schedule, not when the news cycle forces our hand.

  1. Detection.

    Automated monitoring on the audit trail, the authentication surface, and the data layer flags anomalous activity around the clock. On-call rotation responds within fifteen minutes of an alert.

  2. Triage and containment.

    The on-call engineer classifies severity, isolates the affected surface, and engages the incident commander. The first determination is whether customer data is involved; that answer determines the rest of the timeline.

  3. Customer notification.

    Severity 1 incidents (confirmed customer data exposure): notification within 24 hours of confirmation. Severity 2 (suspected exposure, scope unknown): notification within 48 hours. Severity 3 (operational degradation, no data exposure): notification within 60 hours. Email goes to the account contact and to your designated security contact if one exists.

  4. Regulatory notification.

    For incidents involving Protected Health Information, the HIPAA Breach Notification Rule applies: notification to affected individuals within 60 days, plus HHS notification on the same schedule (immediate if 500+ individuals affected). For state-level requirements, we follow the strictest applicable rule.

  5. Post-incident review.

    Every Severity 1 and Severity 2 incident receives a written post-incident review within fourteen days of resolution. The review covers root cause, customer impact, remediation steps taken, and structural changes to prevent recurrence. We share the review with affected customers on request.

Suspect an active incident? Email wecare@hcbs.ai with "URGENT" in the subject. We answer security mail first.

Security questions

Send a note. We answer security inquiries from CISOs first.

The contract

You take care of the people. We take care of the rest.

Tell us about your agency. Nine short questions, four minutes. You walk away with your agency snapshot, your income projection, your state-specific regulatory primer, and tomorrow's brief at 6 AM.

Direct: hello@hcbs.ai, wecare@hcbs.ai