Data Encryption
All Protected Health Information (PHI) and sensitive business data is encrypted using industry-standard algorithms at every layer of the Adjuvex platform:
- At Rest: AES-256 encryption for all data stored in our databases and file storage systems. Encryption keys are managed via a dedicated Key Management Service (KMS) with automatic rotation.
- In Transit: TLS 1.2 or higher is enforced for all data transmitted between clients, APIs, and backend services. TLS 1.1 and earlier, including all SSL versions, are explicitly disabled.
- AI Processing: PHI fields are hashed (SHA-256) or de-identified before submission to third-party AI model providers. Raw PHI is never sent to external AI endpoints.
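Hashing and de-identification are not interchangeable for low-entropy PHI fields such as dates of birth or medical record numbers: an unkeyed SHA-256 token is deterministic, so anyone holding it can hash every plausible value and match. The Python below is an added illustration, not Adjuvex code; the tenant key, the sample claim record and the field names are hypothetical. It reverses an unkeyed SHA-256 date-of-birth token by dictionary, then shows the HMAC-keyed pseudonym that resists the same attack while still letting records for one patient join:

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Iterable, Optional

# Hypothetical per-tenant pseudonymisation key. In a real deployment it is
# fetched from the KMS at runtime and never stored beside the data.
TENANT_KEY = secrets.token_bytes(32)

# Constructed sample record; all values are fictitious.
SAMPLE_CLAIM = {
    "patient_name": "Jane Q. Example",
    "dob": "1987-03-14",
    "mrn": "MRN-0041873",
    "cpt_codes": ["99213", "93000"],
    "note": "Follow-up visit, ECG normal.",
}
PHI_FIELDS = ("patient_name", "dob", "mrn")


def sha256_pseudonym(value: str) -> str:
    """Unkeyed SHA-256 of a field: deterministic, but reversible by guessing."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes = TENANT_KEY) -> str:
    """HMAC-SHA256 under a secret key: still deterministic per tenant, so
    records join on the token, but an outsider cannot test candidate values."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def deidentify(record: dict, key: bytes = TENANT_KEY) -> dict:
    """Copy of the record with PHI identifiers replaced by keyed tokens.
    Free-text fields (e.g. 'note') are left as-is here; they need separate
    redaction before leaving the platform."""
    out = dict(record)
    for field in PHI_FIELDS:
        if field in out:
            out[field] = keyed_pseudonym(out[field], key)
    return out


def candidate_dobs(start: date = date(1920, 1, 1),
                   end: date = date(2025, 12, 31)) -> Iterable[str]:
    """Every ISO date in a plausible date-of-birth range (about 39k values)."""
    d = start
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)


def reverse_by_dictionary(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover the plaintext behind an unkeyed SHA-256 token by hashing guesses."""
    for cand in candidates:
        if hashlib.sha256(cand.encode()).hexdigest() == token:
            return cand
    return None


if __name__ == "__main__":
    naive = sha256_pseudonym(SAMPLE_CLAIM["dob"])
    print("unkeyed token reversed to:", reverse_by_dictionary(naive, candidate_dobs()))
    keyed = keyed_pseudonym(SAMPLE_CLAIM["dob"])
    print("keyed token reversed to:", reverse_by_dictionary(keyed, candidate_dobs()))
    print("record sent to model:", deidentify(SAMPLE_CLAIM))
```

The dictionary pass over a century of dates takes well under a second, which is the whole point: an unkeyed hash of a structured identifier is a pseudonym, not de-identification. The keyed form only holds if the key never travels with the data, and it does nothing for names or identifiers embedded in free text, which need their own redaction step.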
Access Controls
Adjuvex employs a defense-in-depth approach to access management:
- Role-Based Access Control (RBAC): Every user is assigned a role (Admin, Billing, Read-Only) that governs which data and features they can access.
- Multi-Factor Authentication (MFA): MFA is supported and strongly recommended for all accounts, and required for Admin roles.
- Single Sign-On (SSO): Enterprise plans support SAML 2.0 / OIDC SSO integration with your existing identity provider (Okta, Azure AD, Google Workspace).
- Session Management: Sessions expire after 8 hours of inactivity. All sessions are invalidated upon password change.
- IP Allowlisting: Enterprise customers can restrict access to specific IP ranges or CIDR blocks.
Infrastructure Security
Adjuvex runs on enterprise-grade cloud infrastructure with multiple layers of protection:
- Cloud Provider: Production workloads run on AWS within isolated VPCs. No customer's PHI is commingled with another tenant's data.
- Network Segmentation: Application, database, and AI processing tiers are deployed in separate subnets with strict firewall rules and security groups.
- Intrusion Detection: Automated anomaly detection and alerting on unusual access patterns, login attempts, and data export volumes.
- DDoS Protection: AWS Shield Standard is active across all public endpoints. Enterprise plans include AWS Shield Advanced.
- Vulnerability Management: Automated dependency scanning runs on every deployment. Critical CVEs are patched within 24 hours.
Audit Logging and Monitoring
Every access, modification, and disclosure of PHI within the Adjuvex platform is logged and tamper-evident:
- Audit logs capture user ID, IP address, timestamp, action type, and resource accessed.
- Logs are retained for a minimum of six years in compliance with HIPAA requirements.
- Log integrity is protected via cryptographic chaining; modifications are detected automatically.
- Customers can export their audit logs at any time from the dashboard Settings page.
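A tamper-evident log of the kind described above can be built as a hash chain: each entry commits to the digest of the entry before it, so altering or deleting an entry breaks every later link. The Python below is an added example rather than Adjuvex's implementation; the log key, the sample events and the field names are assumed. It uses an HMAC over each entry so that an attacker who can rewrite log storage but lacks the key cannot re-link the chain, and it shows why the latest digest must also be anchored outside the log to detect truncation of the tail:

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Hypothetical key held by the log service (in practice fetched from the KMS).
# Without it an attacker who can rewrite the log store cannot re-link the chain.
LOG_KEY = bytes.fromhex("2f" * 32)
GENESIS = "0" * 64   # digest the first entry links to

# Constructed sample events using the fields the audit log captures.
SAMPLE_EVENTS = [
    {"user_id": "u-1021", "ip": "203.0.113.7", "ts": "2024-05-01T14:02:11Z",
     "action": "view", "resource": "claim/88412"},
    {"user_id": "u-1021", "ip": "203.0.113.7", "ts": "2024-05-01T14:05:40Z",
     "action": "export", "resource": "claims?status=paid"},
    {"user_id": "u-0007", "ip": "198.51.100.22", "ts": "2024-05-01T14:09:03Z",
     "action": "update", "resource": "patient/5531"},
]


def _canonical(body: dict) -> bytes:
    """Stable serialization so the digest does not depend on key order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _digest(body: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_entry(chain: List[dict], event: dict, key: bytes = LOG_KEY) -> dict:
    """Append an event, linking it to the digest of the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, **event}
    entry = {**body, "hash": _digest(body, key)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], key: bytes = LOG_KEY,
                 head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None.

    `head` is the most recent digest recorded outside the log (for example in
    a separate append-only store); without it, silent removal of the newest
    entries is undetectable because the remaining chain is still valid."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i                      # entry removed, reordered or relinked
        if not hmac.compare_digest(_digest(body, key), entry.get("hash", "")):
            return i                      # contents changed after the digest was made
        prev = entry["hash"]
    if head is not None and not hmac.compare_digest(prev, head):
        return len(chain)                 # tail entries are missing
    return None


def build_chain(events=SAMPLE_EVENTS, key: bytes = LOG_KEY) -> List[dict]:
    chain: List[dict] = []
    for ev in events:
        append_entry(chain, ev, key)
    return chain


if __name__ == "__main__":
    chain = build_chain()
    print("intact:", verify_chain(chain))
    chain[1]["action"] = "view"           # attempt to hide the export
    print("after edit, first bad entry:", verify_chain(chain))
```

Two properties follow from the structure: an edit or deletion anywhere is reported at the first entry whose link no longer matches, and the chain alone cannot report entries cut from the end, which is why the current head digest has to be written somewhere the log writer cannot alter, with the customer-exported copy serving as one such anchor.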
SOC 2 Type II Compliance
Adjuvex maintains a SOC 2 Type II audit program covering the Trust Services Criteria for Security, Availability, and Confidentiality. Our annual audit is conducted by an independent AICPA-registered CPA firm.
Our SOC 2 Type II report is available to customers and prospective customers under NDA. To request a copy, contact security@adjuvex.com.
Penetration Testing
Adjuvex undergoes annual third-party penetration testing conducted by a qualified security firm. Additionally, we maintain a responsible disclosure program for independent security researchers. Findings are remediated according to CVSS severity:
- Critical (CVSS 9.0–10.0): Patched within 24 hours.
- High (CVSS 7.0–8.9): Patched within 72 hours.
- Medium (CVSS 4.0–6.9): Patched within 30 days.
- Low (CVSS < 4.0): Addressed in next scheduled release cycle.
Business Continuity and Disaster Recovery
- Recovery Time Objective (RTO): 4 hours for full platform restoration.
- Recovery Point Objective (RPO): 1 hour maximum data loss.
- Database Backups: Automated daily backups with point-in-time recovery up to 35 days.
- Multi-Region: Enterprise plans include active-passive failover to a secondary AWS region.
- Uptime SLA: 99.9% monthly uptime guaranteed for Professional and Enterprise plans.
Vendor and Subprocessor Management
All third-party vendors and subprocessors with access to PHI or infrastructure are subject to security review prior to onboarding. Current key subprocessors include:
- AWS: Cloud infrastructure (SOC 2 Type II, ISO 27001, HIPAA BAA available)
- Anthropic: AI model inference — PHI is de-identified prior to submission (BAA in place)
- Stripe: Payment processing — no PHI is shared (PCI DSS Level 1)
A complete subprocessor list is available upon written request.
Responsible Disclosure
We take security vulnerabilities seriously. If you believe you have discovered a security issue in the Adjuvex platform, please report it responsibly:
- Email: security@adjuvex.com
- PGP key available upon request for encrypted disclosure.
- We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours.
- We ask that you do not publicly disclose the vulnerability until we have had an opportunity to remediate it.