Enterprise-Grade Security for Healthcare

Every layer of ReasonTele is designed, built, and operated to meet the strictest healthcare security and compliance requirements.

Compliance Certifications

HIPAA Compliant

Full compliance with HIPAA Privacy, Security, and Breach Notification Rules. Annual risk assessments and workforce training.

SOC 2 Type II

Annual audit by an independent third party covering security, availability, and confidentiality.

BAA Available

Business Associate Agreement executed with every customer. No additional fees, no delays.

HITRUST CSF Aligned

Controls mapped to the HITRUST Common Security Framework (CSF) for standardized healthcare information protection. Alignment means the control set is mapped to the CSF; it is not a HITRUST certification.

Technical Security

Defense in depth across encryption, authentication, infrastructure, video, and monitoring.

Encryption

Data at rest
AES-256 encryption via AWS KMS with automatic key rotation
Data in transit
TLS 1.3 enforced for all connections; no deprecated cipher suites
Video streams
SRTP with AES-128-CM on every media leg between the browser and the video bridge. The Jitsi Videobridge is a selective forwarding unit that terminates SRTP and re-encrypts toward each participant, so this is hop-by-hop encryption inside the VPC rather than end-to-end encryption of the media itself.
Database
Aurora PostgreSQL with KMS-managed encryption
File storage
S3 server-side encryption (SSE-KMS)
Secrets
AWS Secrets Manager with automatic rotation

Authentication & Access

MFA
Required for all users. TOTP and WebAuthn supported.
RBAC
Principle of least privilege, with five roles: System Admin, Facility Admin, Specialist, Nurse, Readonly.
Sessions
15-min inactivity timeout. 2 concurrent sessions max. JWT with short expiry.
Passwords
12+ characters with complexity requirements; hashed with bcrypt at cost factor 12; checked against a breached-password database
SSO
SAML 2.0 and OpenID Connect for enterprise identity providers
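The password row above names three controls: a length and complexity rule, bcrypt at cost 12 for storage, and a breach-database check. The following is an added example (not ReasonTele's code) of the first and third. It assumes the breach check uses the SHA-1 k-anonymity "range" protocol popularized by Have I Been Pwned, in which only the first five hex characters of the hash leave the server and the full hash is matched locally; a constructed three-entry corpus stands in for the remote endpoint so the code runs offline, and the "three of four character classes" rule is an assumed reading of "complexity requirements".

```python
"""Password-policy check with a k-anonymity breach lookup (added example)."""
import hashlib
import re
from typing import Callable, Dict, List

MIN_LENGTH = 12  # per the page

# Constructed stand-in for a breach corpus (password -> times seen). Not real data.
_CONSTRUCTED_BREACHES: Dict[str, int] = {
    "Password1234!": 41_000,
    "Welcome2024!!": 1_200,
    "Summer2023!!!": 300,
}


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_db(corpus: Dict[str, int]) -> Dict[str, str]:
    """Index the corpus the way a range endpoint serves it: keyed by the first
    five hex characters of the SHA-1, value is 'SUFFIX:COUNT' lines."""
    db: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = _sha1_upper(pw)
        db.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in db.items()}


_RANGE_DB = _build_range_db(_CONSTRUCTED_BREACHES)


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTPS range query (GET .../range/<prefix>). In production
    this is the only network call, and only the 5-character prefix is sent."""
    return _RANGE_DB.get(prefix, "")


def breach_count(password: str,
                 lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    The full hash never leaves this function; suffix matching happens locally."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def validate_password(password: str,
                      lookup: Callable[[str], str] = offline_range_lookup) -> List[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Assumed complexity rule: at least three of lower, upper, digit, other.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        failures.append("needs at least three character classes")
    seen = breach_count(password, lookup)
    if seen:
        failures.append(f"appears in breach corpus ({seen} times)")
    return failures
```

Only a password that returns an empty failure list should proceed to the storage step, which on this page is bcrypt at cost 12 (omitted here because bcrypt is not in the Python standard library). Note that the breach lookup is a prefix query on purpose: sending the full SHA-1 to a third party would disclose a hash of the user's password.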
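The session row above combines a short-expiry JWT with a 15-minute inactivity timeout and a two-session cap. A signed, stateless JWT cannot enforce the last two on its own: it carries no record of when the user was last active or how many sessions they hold, so those rules need server-side session state that the token merely points at. The following is an added example (not ReasonTele's code) of that split. It assumes HMAC-SHA256 (HS256-style) tokens with an assumed 5-minute TTL, a session id claim `sid`, and an in-memory store; a fake clock makes the timeline deterministic.

```python
"""Server-side session control around short-lived JWTs (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

INACTIVITY_TIMEOUT = 15 * 60   # seconds, per the page
MAX_CONCURRENT = 2             # per the page
ACCESS_TOKEN_TTL = 5 * 60      # assumed value for "short expiry"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Holds the state a bare JWT cannot: last activity and live sessions per user."""

    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock
        self._sessions = {}   # sid -> {"user": str, "last_seen": float}
        self._by_user = {}    # user -> [sid, ...] oldest first

    def login(self, user: str) -> str:
        sids = self._by_user.setdefault(user, [])
        while len(sids) >= MAX_CONCURRENT:      # cap reached: evict the oldest session
            self._drop(sids[0])
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        sids.append(sid)
        return self._mint(sid, user)

    def _drop(self, sid: str) -> None:
        session = self._sessions.pop(sid, None)
        if session:
            self._by_user[session["user"]].remove(sid)

    def _mint(self, sid: str, user: str) -> str:
        now = int(self._clock())
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        claims = {"sub": user, "sid": sid, "iat": now, "exp": now + ACCESS_TOKEN_TTL}
        body = _b64(json.dumps(claims, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self._secret, f"{header}.{body}".encode(), hashlib.sha256).digest())
        return f"{header}.{body}.{sig}"

    def _verify_signature(self, token: str):
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header, body, sig = parts
        expected = _b64(hmac.new(self._secret, f"{header}.{body}".encode(), hashlib.sha256).digest())
        return json.loads(_unb64(body)) if hmac.compare_digest(expected, sig) else None

    def _live_session(self, claims):
        """Return (session, reason); revokes the session if it has been idle too long."""
        session = self._sessions.get(claims["sid"])
        if session is None or session["user"] != claims["sub"]:
            return None, "session revoked"
        if self._clock() - session["last_seen"] > INACTIVITY_TIMEOUT:
            self._drop(claims["sid"])
            return None, "inactive too long"
        return session, "ok"

    def authorize(self, token: str) -> str:
        """Signature, then expiry, then server-side session; touch last_seen on success."""
        claims = self._verify_signature(token)
        if claims is None:
            return "bad token"
        if self._clock() >= claims["exp"]:
            return "token expired"
        session, reason = self._live_session(claims)
        if session is None:
            return reason
        session["last_seen"] = self._clock()
        return "ok"

    def refresh(self, token: str):
        """Re-issue a short-lived token, tolerating expiry, only while the session is alive."""
        claims = self._verify_signature(token)
        if claims is None:
            return None, "bad token"
        session, reason = self._live_session(claims)
        if session is None:
            return None, reason
        session["last_seen"] = self._clock()
        return self._mint(claims["sid"], claims["sub"]), "ok"


class FakeClock:
    """Controllable clock so the timeline in demo() is deterministic."""
    def __init__(self, start: float): self.now = start
    def __call__(self) -> float: return self.now
    def advance(self, seconds: float) -> None: self.now += seconds


def demo() -> dict:
    """Walk one user through expiry, refresh, inactivity and the concurrency cap."""
    clock = FakeClock(1_700_000_000)
    store = SessionStore(secret=b"constructed-demo-key", clock=clock)
    out = {}
    a = store.login("nurse1")
    out["fresh"] = store.authorize(a)                 # ok
    clock.advance(6 * 60)
    out["after_6min"] = store.authorize(a)            # token expired (TTL is 5 min)
    b, out["refresh_6min"] = store.refresh(a)         # ok: session idle < 15 min
    out["refreshed"] = store.authorize(b)             # ok
    clock.advance(20 * 60)
    _, out["refresh_20min_idle"] = store.refresh(b)   # inactive too long: session dropped
    c = store.login("nurse1")
    d = store.login("nurse1")
    e = store.login("nurse1")                         # third login evicts c
    out["evicted"] = store.authorize(c)               # session revoked
    out["second_ok"] = store.authorize(d)             # ok
    out["third_ok"] = store.authorize(e)              # ok
    return out
```

The point of the design is the order of checks in `authorize`: a valid signature and unexpired `exp` only get the caller as far as the session lookup, and the lookup is where inactivity and eviction are decided. Revoking a session (logout, admin action, the concurrency cap) takes effect immediately even though outstanding tokens are still cryptographically valid, which is exactly what a stateless JWT alone cannot offer.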

Infrastructure

Cloud
AWS us-east-2 (Ohio)
Network
VPC with public, private, and isolated subnets
DDoS
CloudFront + Shield Standard + WAF with OWASP Top 10 rules
Containers
ECS Fargate with read-only root filesystem, no SSH, CVE scanning
DNS
Route 53 with DNSSEC signing and CAA records

Video Security

Infrastructure
Self-hosted Jitsi within AWS VPC — no third-party video providers
Media isolation
Streams never leave AWS. No external TURN relays.
Recordings
No recordings unless explicitly configured and consented
Session isolation
Separate JVB allocation per consult session
Browser-based
WebRTC — no downloads, plugins, or extensions

Audit & Monitoring

Audit logging
Every action logged with timestamp, user, IP, resource. 7-year retention.
Monitoring
CloudWatch metrics with automated alarms and PagerDuty escalation
Pen testing
Annual test by a CREST-accredited firm. Findings remediated within 30 days.
Vulnerability scanning
Dependabot, ECR image scanning, and Amazon Inspector on every deploy
Incident response
Documented plan with 24-hour breach notification commitment

Data Handling

No Client-Side PHI Storage

PHI is never persisted on client devices. The browser renders data in real time from the API over TLS.

Configurable Retention

Data retention policies configurable per customer. Default: 7 years for clinical records.

Contract Termination

All data securely deleted within 60 days. Certificate of destruction provided.

No Secondary Use

ReasonTele does not mine, analyze, aggregate, or sell PHI for any secondary purpose.

Backup & Recovery

Automated backups with 35-day retention and point-in-time recovery. AES-256 encrypted.

Data Residency

All PHI stored and processed within the continental United States.

Responsible Disclosure

If you discover a potential security vulnerability, please report it responsibly.

Report to: security@reasontele.com

Response time: Acknowledged within 2 business days, assessed within 5.

Safe harbor: No legal action against good-faith researchers.

Security Questions? Let's Talk.

Our security team is available to walk through our controls, share audit reports under NDA, and complete your vendor security questionnaire.