Does Aqurio sign a BAA?
Yes. Every Aqurio customer agreement includes a Business Associate Agreement at signature — not after a separate negotiation. BAAs are pre-signed at the master agreement level so no workflow goes live without one in force.
What compliance certifications does Aqurio hold?
HIPAA-aligned controls (BAA-covered), SOC 2 Type II (Security, Availability, Confidentiality), HITRUST CSF certification, HITECH alignment, PCI DSS for any card-handling workflows, ISO 27001, plus CCPA and GDPR compliance. Customer-facing audit reports available under NDA.
How is patient data encrypted?
TLS 1.3 in transit, AES-256 at rest. PHI is encrypted with envelope encryption using customer-scoped keys. All keys rotated automatically on a 90-day schedule, with HSM-backed root-of-trust. Recorded calls and transcripts are stored in encrypted object storage with per-customer KMS keys.
Where is data stored and processed?
All Aqurio infrastructure runs in U.S.-based AWS regions (us-east-1 and us-west-2). Data residency is enforced at the infrastructure level — no cross-border transfer for any U.S. healthcare customer. SOC 2 audited boundary.
How does Aqurio handle access controls?
Role-based access control (RBAC) end-to-end, with least-privilege defaults. SSO via SAML 2.0 or OIDC, MFA required for all staff, just-in-time access elevation for any operator-side data review, full audit log of every access event preserved 7 years per HIPAA retention.
What is Aqurio's breach-notification process?
Per HIPAA and contractual obligations, Aqurio notifies affected customers without unreasonable delay (target: within 24 hours of confirmed breach). Customer incident-response runbook shared at onboarding, with a documented escalation path and assigned single point of contact.