Trust & Safety

Security at Rx Contract IQ

We handle sensitive healthcare contract data. Security is foundational to everything we build.

Last reviewed: January 2026
HIPAA Compliant
AES-256 Encryption
SOC 2 Type II
TLS 1.3 In Transit
Annual Pen Testing
🔐
Encryption
All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Keys are managed via a dedicated KMS with automatic rotation.
🏗️
Infrastructure
Hosted on AWS with multi-region redundancy. Infrastructure is provisioned as code and reviewed before every production change.
👤
Access Controls
Role-based access with least-privilege principles. All internal access requires MFA. Privileged access is time-limited and audit-logged.
📋
Audit Logging
Comprehensive, immutable audit trails capture all data access and configuration changes. Logs retained for a minimum of 12 months.
🧪
Penetration Testing
Annual third-party pen tests by certified security firms. Critical findings remediated within 48 hours. Results available under NDA.
🔄
Business Continuity
Automated backups with point-in-time recovery. RTO of 4 hours, RPO of 1 hour. DR procedures tested bi-annually.
🛡️
Vulnerability Management
Continuous dependency scanning and static analysis in the CI/CD pipeline. Critical CVEs patched within 24 hours of disclosure.
👥
Employee Security
Security awareness training at hire and annually. Background checks required for all roles with production or customer data access.