🛠️ Development preview — synthetic data only. Not for real billing.

Compliance & Audit

Built for HIPAA. From day one.

Klaxar was architected from the first commit to handle Protected Health Information safely. Append-only audit logs. RLS multi-tenant isolation. BAA available. SOC 2 Type I in progress.

  • 100%: PHI access logged
  • 7yr: Audit retention
  • 0: Cross-tenant data leakage paths
  • CJIS: Path on roadmap

Append-only audit log.

Every PHI access — every read of a patient name, address, narrative, or claim — generates an immutable audit row. Postgres triggers reject UPDATE and DELETE on the audit table at the database level. Even a service-role compromise cannot rewrite history.

  • Database-level UPDATE/DELETE rejection triggers
  • Per-agency segregation via RLS
  • IP address + user agent captured
  • 7-year retention enforced
  • CSV/PDF export for auditors
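
A minimal sketch of the database-level guard described above, written for a scratch PostgreSQL 11+ database. It is an added example, not Klaxar's own schema: the table, function and role names are hypothetical. It also covers TRUNCATE, which row-level triggers do not intercept.

```sql
-- Added example, not Klaxar's schema: every name below is hypothetical.
CREATE ROLE app_writer NOLOGIN;  -- stands in for the application's DB role
CREATE TABLE phi_audit_log (
    id          bigserial   PRIMARY KEY,
    agency_id   uuid        NOT NULL,
    actor_id    uuid        NOT NULL,
    action      text        NOT NULL,   -- e.g. 'read'
    resource    text        NOT NULL,   -- e.g. 'patient.name'
    ip_address  inet,
    user_agent  text,
    occurred_at timestamptz NOT NULL DEFAULT now()
);

-- One guard function shared by both triggers; TG_OP names the rejected verb.
CREATE FUNCTION phi_audit_reject_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'phi_audit_log is append-only: % rejected', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END $$;

CREATE TRIGGER phi_audit_no_update_delete
    BEFORE UPDATE OR DELETE ON phi_audit_log
    FOR EACH ROW EXECUTE FUNCTION phi_audit_reject_change();

-- TRUNCATE never fires row-level triggers, so it needs a statement-level one.
CREATE TRIGGER phi_audit_no_truncate
    BEFORE TRUNCATE ON phi_audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION phi_audit_reject_change();

-- Triggers can be disabled by the table owner or a superuser, so the
-- application role gets INSERT only and must not own the table.
REVOKE ALL ON phi_audit_log FROM PUBLIC;
GRANT INSERT ON phi_audit_log TO app_writer;
GRANT USAGE ON SEQUENCE phi_audit_log_id_seq TO app_writer;

-- Self-check with a constructed row: the UPDATE must fail with SQLSTATE 42501.
DO $$
BEGIN
    INSERT INTO phi_audit_log (agency_id, actor_id, action, resource)
    VALUES ('00000000-0000-0000-0000-000000000001',
            '00000000-0000-0000-0000-000000000002', 'read', 'patient.name');
    BEGIN
        UPDATE phi_audit_log SET action = 'tampered';
        RAISE EXCEPTION 'guard missing: UPDATE was not rejected';
    EXCEPTION WHEN insufficient_privilege THEN
        RAISE NOTICE 'UPDATE rejected as expected';
    END;
END $$;
```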

Row-level security on every table.

Multi-tenant by agency_id. Every query is scoped by JWT claim. Agency A can never see Agency B data — not by application bug, not by SQL injection, not by mis-configured query. The database itself enforces the boundary.

  • 15+ tables with explicit RLS policies
  • JWT-claim-driven authorization
  • Service role isolated from anon
  • Defense-in-depth: RLS + REVOKE anon DML
  • Tested cross-tenant attempts return 0 rows

BAA + sub-processors.

Klaxar Inc. signs Business Associate Agreements with covered entities. Our sub-processors — Supabase, Anthropic, Resend, Twilio, Stripe — are all HIPAA-eligible with countersigned BAAs. Your PHI flows through a fully-covered chain or never enters our systems at all.

  • Klaxar BAA template available pre-signature
  • Supabase BAA-tier project (PHI storage)
  • Anthropic enterprise BAA (AI processing)
  • Resend BAA (email delivery)
  • Twilio HIPAA-eligible BAA (SMS)

SOC 2 Type I — in progress.

We're in active SOC 2 Type I remediation. Documentation, IR plan, DR plan, security awareness training, vendor inventory, audit-log retention policies — all in place. Type I report expected Q3 2026. Type II observation window starts after that.

  • Information security policy
  • Acceptable use policy
  • Incident response runbook
  • Disaster recovery + RTO/RPO targets
  • Vendor management + sub-processor inventory

See it in action. Read the security whitepaper.

Live demo with synthetic data. No signup required.