SOC 2 In Progress · HIPAA Compliant

Security & Compliance

Klaxar is committed to the highest standards of data security for public safety agencies. We are actively pursuing SOC 2 Type I certification, targeting a Q1 2027 report date.

SOC 2 Type I: In Progress

Klaxar has engaged a licensed CPA firm for SOC 2 Type I examination. The audit evaluates our security controls against the AICPA Trust Services Criteria: Security, Availability, Confidentiality, Privacy, and Processing Integrity.

Expected report date: Q1 2027 · Audit firm: TBD · Scope: Production Klaxar platform

Security Controls

Availability (In Progress)
  • ✓ 99.9% uptime SLA target
  • ✓ DigitalOcean managed infrastructure with auto-restart
  • ✓ PM2 process monitoring with alerting
  • ✓ Automated daily database backups

Confidentiality (In Progress)
  • ✓ AES-256 encryption at rest (Supabase)
  • ✓ TLS 1.3 in transit
  • ✓ Row-level security (RLS) on all PHI tables
  • ✓ Service role key never exposed to the client

Security (In Progress)
  • ✓ HIPAA-grade audit log on all PHI access
  • ✓ Role-based access control (RBAC)
  • ✓ Multi-factor authentication support
  • ✓ API rate limiting on all endpoints
  • ✓ Dependency vulnerability scanning (npm audit)

Privacy (Planned)
  • ✓ BAA (Business Associate Agreement) available
  • ✓ Data residency: US-only (DigitalOcean NYC)
  • ✓ Right to access / deletion (HIPAA §164.524)
  • ✓ Breach notification procedures

Processing Integrity (Planned)
  • ✓ Automated TypeScript type-check and lint CI on all PRs
  • ✓ AI billing outputs always reviewed by a human
  • ✓ Audit trail on claim status changes

Certification Timeline

✓ Q2 2026: Security policy documentation
○ Q3 2026: Internal audit & gap assessment
○ Q3 2026: Penetration test ($5-15K, external firm)
○ Q4 2026: SOC 2 Type I audit engagement
○ Q1 2027: SOC 2 Type I report issued
○ Q3 2027: SOC 2 Type II audit (12-month observation)

HIPAA Compliance

Klaxar is designed as a HIPAA-covered entity platform. All PHI is processed under strict access controls, audit logging, and data isolation policies.

  • ✓ Business Associate Agreements (BAA) available for all paid plans
  • ✓ All patient data stored on HIPAA-eligible infrastructure (Supabase BAA tier)
  • ✓ Comprehensive audit log for all PHI access events
  • ✓ Role-based access enforced via Supabase RLS on all PHI tables

Have security questions, or want to request our BAA? Contact our security team at security@klaxar.com.