SECURITY

Built for HIPAA compliance. Not bolted on.

Every security decision was made before the first line of product code was written.

Business Associate Agreement
Required before any patient data is uploaded. Not optional, and not a checkbox: a legal prerequisite enforced at the account level, so PHI cannot be uploaded until a BAA is in place.
Zero Data Retention
PHI submitted for AI analysis is processed by Anthropic under a signed BAA with zero-retention terms and discarded once the response is returned. It is not stored, not logged, and not used to train AI models.
Encryption at Every Layer
Data is encrypted in transit with TLS 1.2 or higher and at rest with AES-256 on AWS infrastructure. Access to PHI is governed by role-based controls, and every PHI access is written to an audit log.

TECHNICAL SPECIFICATIONS

Every detail, plainly stated.

ENCRYPTION IN TRANSIT
TLS 1.2
All traffic between your browser and DenialIQ is encrypted with TLS 1.2 or higher; unencrypted connections are not accepted.
ENCRYPTION AT REST
AES-256
All data stored in AWS RDS PostgreSQL, including all ERA file data and claim information, is encrypted at rest with AES-256.
AI PROCESSING
Zero retention BAA
We use the Anthropic Claude API under a BAA. PHI is transmitted for analysis and discarded once the response is returned; Anthropic does not store it or train on it.
INFRASTRUCTURE
AWS
DenialIQ runs on AWS under a signed BAA: App Runner, RDS PostgreSQL 16, and S3 with server-side encryption (AES-256). AWS signs BAAs covering its HIPAA-eligible services.
ACCESS CONTROLS
Role-based permissions
Access to PHI is restricted by role-based controls. No employee or system account reaches your data without an authorized reason, and every such access is logged.
AUDIT LOGGING
All PHI access logged
Every access to PHI is logged with timestamp, user identity, and the action taken. Logs are retained for at least six years, the documentation retention period the HIPAA Security Rule requires (45 CFR 164.316(b)(2)).

BUSINESS ASSOCIATE AGREEMENT

What the BAA covers and why it matters.

Under HIPAA, any company that handles PHI on behalf of a Covered Entity must execute a Business Associate Agreement. In that relationship you are the Covered Entity and DenialIQ is the Business Associate.

The DenialIQ BAA establishes our legal obligations to protect your patients' PHI. It covers permitted uses and disclosures, security safeguards, breach notification without unreasonable delay and no later than 60 calendar days after discovery, subcontractor requirements (Anthropic, AWS), and return or destruction of data upon termination.

The BAA is presented during account setup and must be accepted before any patient data can be uploaded. It is not a checkbox: it is a legally binding agreement, signed electronically under the E-SIGN Act. A copy is stored with your account and can be downloaded at any time.

DenialIQ also holds BAAs with its subprocessors, AWS (hosting and storage) and Anthropic (AI analysis), so the chain of custody for your PHI is documented and contractually protected at every layer.

KEY OBLIGATIONS
PHI used only to provide the DenialIQ service
Breach notification without unreasonable delay, and no later than 60 calendar days after discovery
Subcontractor BAAs with AWS and Anthropic
Data deleted or returned upon termination
Annual HIPAA Security Risk Assessments
Written security policies and procedures
Audit logs maintained for all PHI access
Read the full BAA
7-DAY FREE TRIAL · NO CREDIT CARD

Questions about security? Ask directly.

Email privacy@denial-iq.com — every compliance question gets a personal reply.


HIPAA compliant · BAA included · Cancel anytime