
Security & Data Handling

HCC Buddy does not store, transmit, or log any Protected Health Information (PHI). Zero patient data enters our systems.

Architecture Overview

HCC Buddy uses a three-tier architecture designed to keep sensitive data out of our systems entirely:

  • Layer 1: Chrome Extension / Website (your browser)
  • Layer 2: API Server (Fly.io, US East)
  • Layer 3: Database (Supabase PostgreSQL)

Your browser sends only ICD-10 codes and search terms to our API — never patient names, member IDs, or clinical notes.

What We Protect

No PHI Storage

No patient names, member IDs, dates of birth, Social Security Numbers, or Medicare Beneficiary Identifiers are ever stored in our database, logs, or backups.

PHI Upload Scanning

A built-in scanner automatically rejects any uploaded PDF containing SSNs, MBIs, patient names, or dates of birth.
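As an added illustration of the upload check described above (not HCC Buddy's own scanner code), the following reject-by-default scan runs over text already extracted from an upload; the PDF text-extraction step is assumed to happen upstream. The MBI character rules follow the published CMS format, the patient-name check is a label heuristic (an assumption, since names cannot be matched by pattern alone), and the sample inputs are constructed.

```python
import re

# Hypothetical illustration of the check this page describes, not HCC Buddy's
# own scanner. Input is text already extracted from the upload.

# SSN in ddd-dd-dddd form; area 000/666/900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

# Medicare Beneficiary Identifier, CMS format: 11 characters, hyphens optional
# after positions 4 and 7, letters never S, L, O, I, B or Z.
#   pos 1 digit 1-9 | 2 letter | 3 letter/digit | 4 digit | 5 letter | 6 letter/digit
#   pos 7 digit | 8 letter | 9 letter | 10 digit | 11 digit
_L = r"[AC-HJKMNP-RT-Y]"
_AN = rf"(?:{_L}|\d)"
MBI_RE = re.compile(rf"\b[1-9]{_L}{_AN}\d-?{_L}{_AN}\d-?{_L}{_L}\d\d\b")

# Dates count as PHI only when labelled as a birth date, so a date of service
# in an ordinary coding question does not trigger a rejection.
DOB_RE = re.compile(
    r"\b(?:DOB|date\s+of\s+birth|birth\s*date)\s*[:\-]?\s*"
    r"(\d{1,2}[/\-]\d{1,2}[/\-]\d{2,4})", re.IGNORECASE)

# Heuristic (assumption): a "Patient:", "Patient Name:" or "Member Name:" label
# followed by capitalised words is treated as a patient name.
NAME_RE = re.compile(
    r"\b(?:[Pp]atient|[Mm]ember)(?:\s+[Nn]ame)?\s*:\s*([A-Z][a-z]+(?:\s+[A-Z][a-z]+)+)")

CHECKS = [("ssn", SSN_RE), ("mbi", MBI_RE), ("dob", DOB_RE), ("patient_name", NAME_RE)]


def scan_for_phi(text: str) -> dict[str, int]:
    """Return match counts per PHI category; an empty dict means nothing was found.

    Only counts are returned: echoing the matched values into a response or a
    log would itself leak PHI, so the scanner never exposes them.
    """
    return {name: n for name, rx in CHECKS if (n := len(rx.findall(text)))}


def accept_upload(text: str) -> bool:
    """Reject by default: the upload is accepted only when no category matched."""
    return not scan_for_phi(text)


# Constructed sample inputs (fictional person, non-issued identifiers).
CLEAN = "Which HCC category does E11.65 map to, and does it require an A1c result?"
DIRTY = ("Patient Name: Jane Example\nDOB: 03/14/1960\nMBI: 1EG4-TE5-MK73\n"
         "SSN 123-45-6789\nDx: E11.65, I10")

if __name__ == "__main__":
    print(accept_upload(CLEAN), accept_upload(DIRTY), scan_for_phi(DIRTY))
```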

Encryption in Transit

All data is transmitted over HTTPS/TLS, and our API enforces HSTS (HTTP Strict Transport Security).

Encryption at Rest

Sensitive fields (MFA secrets) are encrypted with AES-128-CBC + HMAC-SHA256 (Fernet). Passwords are hashed with bcrypt.

Session Security

15-minute access tokens, single-session enforcement, and automatic account lockout after 5 failed login attempts.

Audit Logging

All sensitive actions logged to a HIPAA-conscious audit trail with 6-year retention.

HIPAA Disclaimer

HCC Buddy is not a HIPAA covered entity as defined under the Health Insurance Portability and Accountability Act (HIPAA).

  • No Business Associate Agreement (BAA) is required or offered.
  • “HIPAA-conscious” design means our architecture actively prevents Protected Health Information from entering our systems — not that we are a HIPAA covered entity.
  • Built-in PHI scanning rejects uploads containing patient names, Social Security Numbers, Medicare Beneficiary Identifiers, or dates of birth.
  • Users are solely responsible for ensuring they do not submit PHI through any feature of the Service.

Third-Party Security

  • Anthropic (Claude API): User coding questions only, no PHI (enforced by the PHI scanner). US region.
  • Google (Gemini API): Fallback LLM provider for coding questions, no PHI. US region.
  • Stripe: Billing and payment processing. Full card data is stored by Stripe only (PCI DSS Level 1). US region.
  • Resend: Transactional email delivery (verification, billing receipts). Email address and send events only. US region.
  • Sentry: Error logs and stack traces, no user content, no PHI. US region.
  • Fly.io: Backend API hosting. Application logs (email, user ID, request paths). US East.
  • Vercel: Frontend hosting and edge network. HTTP logs and anonymized Web Vitals. US region.
  • Supabase: PostgreSQL database. Email, hashed password, subscription state, usage metadata. TLS-required connections. US region.
  • Mux: Academy video streaming. Video session analytics, no PII. US region.

Compliance posture

  • HIPAA: Not applicable, since we never receive PHI. No BAAs required or offered.
  • PCI DSS: Out of scope, since Stripe handles all cardholder data. We only receive tokenized references.
  • SOC 2 Type II: On 2026 roadmap. Vendor selected, gap analysis complete, target report Q3 2026.
  • CAN-SPAM / GDPR / CCPA: Every transactional email includes opt-out; data export + deletion on request via privacy@hccbuddy.com.

Reporting security issues

We welcome responsible disclosure from security researchers, customers, and the public. Good-faith testing will not result in legal action against you.

  • Contact: security@hccbuddy.com
  • Response SLA: Acknowledgment within 2 business days. Critical findings triaged within 4 hours.
  • Do NOT: test with real patient data. Our edge scanner rejects PHI payloads, and we consider such payloads out of safe-harbor scope.
  • Hall of Fame: public acknowledgment available for valid reports on request.

Vendor security questionnaire

Running procurement review for your team? We maintain completed responses to SIG Lite, CAIQ v4, and HECVAT Lite. Email security@hccbuddy.com with your preferred format and we'll send within one business day. Confidential and NDA-friendly.