Security & Trust
PHI is sacred.
We treat it that way.
Klaxar was architected from the first commit to handle Protected Health Information safely. This page is our honest disclosure of where we are, what's in progress, and what's still to come.
Compliance at a glance.
We disclose what's certified, what's in progress, and what's on the roadmap. No vapor.
HIPAA
Status: Architected. BAA available, sub-processors signed.
SOC 2 Type I
Status: In progress. Q3 2026 target.
SOC 2 Type II
Status: Planned. Q1 2027 (after Type I + 6-month observation).
FedRAMP Moderate
Status: Roadmap. Q4 2027; paths via 3PAO sponsor.
CJIS
Status: Architecture-ready. After first PD pilot.
StateRAMP
Status: Roadmap. Triggered by 3+ state agency wins.
Eight controls. Not eighty.
Encryption everywhere
TLS 1.3 in transit. AES-256 at rest. Encrypted backups. Encrypted tablespace for PHI columns.
Row-level security
PostgreSQL RLS policies on every table. agency_id-scoped JWT claims enforce multi-tenancy at the database level.
Append-only audit log
Trigger-enforced UPDATE/DELETE rejection. 7-year retention. CSV/PDF export for auditors.
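The two database-level controls above, tenant isolation through RLS keyed on a JWT claim and an append-only audit table, look roughly like this in PostgreSQL. This is an added illustration, not Klaxar's own schema; it assumes the API layer exposes the JWT claims via the PostgREST/Supabase setting request.jwt.claims, that the claim is named agency_id, and the table and schema names are invented.

```sql
-- Added example (not Klaxar's schema). Assumes JWT claims are available through the
-- PostgREST/Supabase session setting request.jwt.claims and carry an agency_id claim.
create schema if not exists app;

-- Read the caller's tenant id from the JWT claims the API layer sets per request.
-- nullif() turns a missing claim into NULL, so an unauthenticated session matches no rows.
create or replace function app.current_agency_id() returns uuid
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true)::jsonb ->> 'agency_id', '')::uuid
$$;

create table app.cases (
  id        uuid primary key default gen_random_uuid(),
  agency_id uuid not null,
  summary   text not null
);

-- RLS is off by default. ENABLE turns it on; FORCE applies it to the table owner as well.
alter table app.cases enable row level security;
alter table app.cases force row level security;

-- Rows are readable and writable only when they belong to the caller's agency;
-- WITH CHECK also stops a client from inserting rows tagged with another agency_id.
create policy cases_tenant_isolation on app.cases
  for all
  using (agency_id = app.current_agency_id())
  with check (agency_id = app.current_agency_id());

-- Append-only audit log: INSERT is allowed, UPDATE and DELETE are rejected by trigger.
create table app.audit_log (
  id          bigint generated always as identity primary key,
  agency_id   uuid not null,
  actor       text not null,
  action      text not null,
  occurred_at timestamptz not null default now()
);

create or replace function app.reject_audit_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % not permitted', tg_op;
end;
$$;

create trigger audit_log_append_only
  before update or delete on app.audit_log
  for each row execute function app.reject_audit_mutation();

-- Defence in depth: also withdraw the privileges, so the trigger is not the only barrier.
revoke update, delete on app.audit_log from public;

-- Smoke check in a test session: emulate one request's claims, then query; only that
-- agency's rows come back, and an UPDATE on app.audit_log raises the exception above.
select set_config('request.jwt.claims', '{"agency_id":"00000000-0000-0000-0000-00000000000a"}', true);
```

A TRUNCATE is not caught by row-level UPDATE/DELETE triggers, so the REVOKE (or a separate statement-level TRUNCATE trigger) matters for the append-only guarantee.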
BAA-covered sub-processors
Supabase, Anthropic, Resend, Twilio, Stripe: all HIPAA-eligible with countersigned BAAs.
Secret hygiene
Service-role keys server-side only. Anon DML revoked at the schema level. No secrets in client bundles.
Incident response
Documented IR runbook. 24-hour breach-notification process. Tabletop exercises quarterly.
Backup + DR
Continuous WAL backup. Daily full backup. Documented RTO of 4 hours and RPO of 15 minutes.
Pen tested
Annual third-party penetration test. CVE remediation SLA: 7 days for critical, 30 for high.
Want the full whitepaper?
15-page technical security disclosure. Covers our threat model, sub-processor inventory, IR runbook excerpts, and DR posture. Available under NDA.