Security & Compliance
Last updated: March 16, 2026
Overview
ARXIO Health is built for healthcare from the ground up. Our architecture ensures that Protected Health Information (PHI) never leaves your infrastructure, clinical AI inference runs on local models with no third-party data sharing, and every API operation is authenticated, rate-limited, and audit-logged.
Data Handling & Local LLM Inference
PHI never leaves your infrastructure
ARXIO Health runs clinical decision support using locally-deployed large language models. Patient data submitted via API is processed entirely in-memory by on-premise LLM infrastructure — it is never transmitted to OpenAI, Anthropic, Google, or any other third-party AI provider. No PHI is written to disk, cached, or persisted beyond the lifecycle of the individual API request.
- 1All LLM inference is performed on locally-hosted Ollama instances — no external AI APIs in the data path.
- 2Request payloads containing patient demographics, medications, and allergies are processed in-memory only.
- 3Response payloads contain clinical recommendations and risk assessments — no patient identifiers are echoed back.
Encryption
- TIn Transit
All API traffic is encrypted via TLS 1.3. HSTS is enforced with a minimum max-age of one year including all subdomains. Certificate pinning is available for Enterprise customers.
- RAt Rest
All persistent data is stored in PostgreSQL with AES-256 encryption at rest. Database backups are encrypted using the same standard. API keys are stored as SHA-256 hashes — plaintext keys are never persisted.
Access Control
- KAPI Key Authentication
Every API request requires a valid
X-API-Keyheader. Keys are scoped to organizations and can be rotated at any time without downtime. - OOrganization-Scoped Data Isolation
All data — usage logs, audit trails, billing records — is isolated by organization. There is no cross-tenant data access. Each API key maps to exactly one organization.
- IIP Allowlisting
Enterprise plan customers can restrict API access to specific IP ranges, ensuring only authorized network locations can reach the service.
Audit Logging
Every API operation generates an immutable audit log entry including the timestamp, organization ID, API key used, endpoint called, HTTP method, response status code, and response time. Audit logs are retained for 12 months and are available to all customers via the /v1/audit API endpoint.
| Field | Description |
|---|---|
| timestamp | UTC timestamp of the request |
| org_id | Organization that owns the API key |
| action | Operation performed (e.g., cds.clinical_review) |
| resource_type | Type of resource accessed |
| status_code | HTTP response status |
| response_time_ms | Request processing duration |
Rate Limiting
Built-in per-key rate limiting protects service availability and prevents abuse. Rate limits are enforced per organization on a daily (UTC) rolling window. Every API response includes rate limit headers so integrators can monitor usage programmatically.
| Plan | Daily Limit | Response Headers |
|---|---|---|
| Free | 100 requests/day | X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset |
| Pro | 10,000 requests/day | X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset |
| Enterprise | Unlimited | X-RateLimit-Limit: unlimited |
Infrastructure Security
- LNo Third-Party LLM Providers
Clinical AI inference runs on locally-deployed open-weight models (Ollama). Patient data is never sent to external LLM APIs. This eliminates the risk of PHI exposure through third-party AI services and removes dependency on external provider data handling policies.
- HSecurity Headers
All responses include hardened security headers: HSTS, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Cache-Control (no-store on API responses), and a unique X-Request-ID for request tracing.
- VInput Validation
All API inputs are validated against strict schemas with enforced size limits. Request bodies are capped at 64KB, and list fields (medications, conditions, allergies) have maximum cardinality constraints to prevent abuse.
- NNetwork Protection
DNS and DDoS mitigation via Cloudflare. CORS policies restrict API access to authorized origins only. Enterprise deployments support private endpoints and network-level isolation.
Subprocessors
Infrastructure providers that may process data on behalf of customers. Notably, no third-party AI/LLM providers appear in this list — all inference is local.
| Provider | Purpose | Data Access | Certification |
|---|---|---|---|
| Railway | API hosting | Infrastructure only | SOC 2 Type II |
| Cloudflare | DNS / DDoS protection | Network metadata only | SOC 2 Type II, ISO 27001 |
| Stripe | Payment processing | Billing data only (no PHI) | PCI DSS Level 1 |
Compliance Roadmap
ARXIO Health is actively evaluating HIPAA BAA requirements with qualified healthcare compliance counsel. Our zero-persistence architecture and local LLM inference model significantly reduce the BAA scope. Contact [email protected] for current status and timeline.
SOC 2 Type II audit is planned for 2026. This will provide independent verification of our security controls, availability, and confidentiality practices.
HITRUST Common Security Framework certification is on our roadmap following SOC 2 completion, providing healthcare-specific security assurance.
Breach Notification
In the unlikely event of a security incident involving PHI, ARXIO Health will notify affected covered entities within 24 hours of discovery, provide a detailed incident report within 72 hours, and cooperate fully with breach investigation and remediation efforts as required under the HITECH Act.
Personnel Security
All ARXIO Health team members with access to production systems complete annual HIPAA training, background checks, and sign confidentiality agreements. Access to infrastructure is provisioned on a least-privilege basis with MFA enforcement.
Contact
For security disclosures, compliance inquiries, or to request a BAA, contact our team at [email protected].