Security & compliance
Built for PHI from the first byte
ProofCustody is a deterministic audit system designed to handle protected health information safely from intake through export. This page summarizes our posture; our full security overview is available on request.
PHI redaction before analysis
Personal and protected health information is detected and redacted before any rule runs and before anything is written to an export. Redacted text is what the engine analyzes, and live-claim workflows are configured so original identifiers are not sent to external AI services.
Deterministic, no LLMs in the rules engine
Every finding comes from explicit, versioned rules — not a model guess. The same claim, evaluated under the same rule version and extraction version, produces the same result every time, which is what makes a finding defensible and reproducible on review.
Row-level tenant isolation
Every record is scoped to a single client. A request for another tenant's data returns nothing — isolation is enforced at the query layer, not just the UI.
Tamper-evident audit trail
Each finding, decision, and reviewer action is written to a hash-chained, append-only trail capturing rule version, extraction version, reviewer identity, and timestamp. Because every entry commits to the hash of the entry before it, altering, removing, or reordering an earlier record invalidates every hash that follows, so tampering is detectable on verification rather than silently absorbed.
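The following is an added illustration of what a hash-chained, append-only trail gives you and where it stops; it is example code written for this page, not ProofCustody's implementation. The entry fields mirror the ones listed above (rule version, extraction version, reviewer identity, timestamp); the exact field names, the SHA-256 choice, the canonical JSON encoding, and the sample claim data are all assumptions made for the example.

```python
"""Hash-chained, append-only audit trail: added example, not ProofCustody code.

Each entry's hash covers its own fields plus the previous entry's hash, so a
modification, deletion or reordering of any earlier entry breaks verification
of every later link. The field names and sample data below are assumptions.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int                  # position in the trail, starting at 0
    timestamp: str            # ISO-8601 UTC, supplied by the caller
    actor: str                # reviewer identity or system component
    action: str               # "finding", "decision" or "reviewer_action"
    claim_id: str
    rule_version: str
    extraction_version: str
    detail: Dict[str, str]
    prev_hash: str
    entry_hash: str = ""      # filled in by AuditTrail.append


def _canonical(entry: AuditEntry) -> bytes:
    """Deterministic byte encoding of everything except the entry's own hash."""
    body = asdict(entry)
    body.pop("entry_hash")
    # sort_keys + fixed separators: the same logical entry always encodes the same
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _digest(entry: AuditEntry) -> str:
    return hashlib.sha256(_canonical(entry)).hexdigest()


class AuditTrail:
    """In-memory append-only log; storage is out of scope for the example."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def append(self, **fields) -> AuditEntry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        entry = AuditEntry(seq=len(self._entries), prev_hash=prev, **fields)
        entry = replace(entry, entry_hash=_digest(entry))
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)


def verify(entries: List[AuditEntry]) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first bad entry."""
    expected_prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != expected_prev or e.entry_hash != _digest(e):
            return i
        expected_prev = e.entry_hash
    return None


def head_hash(entries: List[AuditEntry]) -> str:
    """Hash of the last entry; anchoring this externally is what catches truncation."""
    return entries[-1].entry_hash if entries else GENESIS


def build_sample_trail() -> List[AuditEntry]:
    """Constructed sample data (not real claims) covering the three entry kinds."""
    trail = AuditTrail()
    common = dict(claim_id="CLM-0001", rule_version="rules-3.2.0",
                  extraction_version="extract-1.4.1")
    trail.append(timestamp="2024-05-01T10:00:00Z", actor="rules-engine",
                 action="finding", detail={"rule": "R-017", "result": "flag"}, **common)
    trail.append(timestamp="2024-05-01T10:05:00Z", actor="reviewer:jane",
                 action="decision", detail={"rule": "R-017", "result": "uphold"}, **common)
    trail.append(timestamp="2024-05-01T10:06:00Z", actor="reviewer:jane",
                 action="reviewer_action", detail={"note": "exported"}, **common)
    return trail.entries()


def tamper_detail(entries: List[AuditEntry], seq: int, new_detail: Dict[str, str]) -> List[AuditEntry]:
    """Simulate an edit made directly in storage without re-chaining later entries."""
    out = list(entries)
    out[seq] = replace(out[seq], detail=new_detail)
    return out


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact:", verify(t))                                   # None
    print("edited:", verify(tamper_detail(t, 1, {"result": "overturn"})))  # 1
    print("deleted:", verify(t[:1] + t[2:]))                      # 1
    print("truncated:", verify(t[:2]))                            # None (!)
    print("truncation caught by anchor:", head_hash(t[:2]) != head_hash(t))  # True
```

Note the last two lines: chain verification alone accepts a trail whose tail has been cut off, because the remaining entries still chain correctly. Detecting truncation needs the current head hash (or entry count) recorded somewhere the writer cannot alter, such as a periodically published checkpoint or a separate write-once store, and compared against the trail on verification.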
Encryption in transit & at rest
Live-claim data is encrypted in transit and at rest in the configured HIPAA-eligible production environment.
BAA-ready for live claims
Sample audits run on PHI-free, de-identified data and need no agreement. Live-claim work runs under a Business Associate Agreement and secure upload.
Request the security pack
Our security overview and BAA template are available now; data-flow and subprocessor detail are shared as an evaluation progresses.
Security questions? security@proofcustody.com
Compliance questions? compliance@proofcustody.com
Have a specific question? Contact us →