WabiCareWabiCare // Therapy OS

Trust

security & compliance

Trust is infrastructure. Here’s how we build it.

HIPAA

WabiCare is built for HIPAA: our architecture, policies, and operations are designed to support HIPAA Privacy, Security, and Breach Notification Rule requirements. We act as a Business Associate when processing PHI on behalf of clinic customers.

  • Business Associate Agreement (BAA) executed before any PHI transmission
  • Written policies aligned with the HIPAA Security Rule (administrative, physical, technical safeguards)
  • Workforce training on HIPAA Privacy and Security
  • Breach notification procedures compliant with HIPAA and HITECH
  • HIPAA risk assessment conducted and documented

Request a BAA: hello@wabicare.com

Infrastructure

  • Hosted on Microsoft Azure— HIPAA-eligible services under Microsoft’s BAA
  • Azure Static Web Apps with global CDN for marketing content
  • Azure Container Apps for application backend
  • Azure PostgreSQL with Transparent Data Encryption (TDE)
  • Azure Blob Storage with server-side encryption for documents
  • Private networking and managed identities for service-to-service auth

Encryption

  • In transit: TLS 1.2+ enforced; HSTS enabled; HTTP automatically redirected to HTTPS
  • At rest: AES-256 encryption for database, file storage, and backups
  • Managed secrets stored in Azure Key Vault with rotation policies

Access Controls

  • Organization-level data isolation — no cross-tenant data access
  • Role-based access control (RBAC) with least-privilege defaults
  • MFA required for administrative access
  • Session timeouts and token refresh policies
  • Audit logs of PHI access, modifications, and authentication events

Software Development

  • Code review required for all production changes
  • Automated testing and CI/CD pipelines
  • Static analysis and dependency vulnerability scanning
  • Staging environment for pre-production validation

Monitoring & Incident Response

  • Continuous logging and monitoring of authentication, API, and data access
  • Documented incident response and breach notification runbook
  • Responsible disclosure for security researchers: security@wabicare.com

Certifications & Audits

  • SOC 2 Type II — in progress. Timeline: audit readiness assessment 2026; Type I report targeted Q4 2026; Type II report 2027.
  • HIPAA — no government certification exists for HIPAA; we operate under self-attestation and can provide documentation of our Security Rule controls upon request.

Subprocessors

A current list of subprocessors that may process Customer Data (including Microsoft Azure as our primary infrastructure provider) is available on request. Each subprocessor is vetted, bound by contract, and where applicable, has executed a BAA.

Contact

Security questions, compliance documentation requests, or BAA requests:
security@wabicare.com