Security and Compliance
Rymeda is built for healthcare. This page provides a transparent overview of the security controls, compliance posture, and operational practices that protect customer data across the platform.
Last reviewed: March 2026
Security Controls
Technical and operational controls implemented across infrastructure, application, access management, and data protection layers.
Infrastructure Security
- Hosted on AWS with VPC network isolation and private subnets
- AES-256 encryption at rest via AWS KMS with automated key rotation
- TLS 1.3 enforced for all data in transit
- DDoS mitigation through AWS Shield
- Infrastructure defined as code with change-control reviews
Application Security
- Input validation and output encoding aligned with OWASP Top 10
- Automated dependency scanning in CI/CD pipeline
- Parameterized queries to prevent injection attacks
- Content Security Policy and security headers enforced
- Server-side request validation on all API endpoints
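The parameterized-query control above is the one most worth seeing side by side with the bug it prevents. The following is an added example, not Rymeda's code and not its schema: it builds a constructed in-memory SQLite table (table and column names are assumptions for illustration) and runs the same attacker-supplied username through a string-built query and a parameterized one.

```python
import sqlite3

# Constructed sample rows for illustration only; not Rymeda's data model.
SAMPLE_PATIENTS = [
    (1, "alice", "MRN-0001"),
    (2, "bob", "MRN-0002"),
    (3, "carol", "MRN-0003"),
]


def make_db():
    """Create an in-memory table (hypothetical schema) seeded with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, username TEXT, mrn TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Deliberately unsafe: the caller-controlled string is spliced into the
    # SQL text, so quote characters in it change the query's grammar.
    sql = f"SELECT username, mrn FROM patients WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterized: the driver binds the value separately from the SQL
    # text, so it is compared as data and never parsed as SQL.
    sql = "SELECT username, mrn FROM patients WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run a classic tautology payload through both lookups."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        # WHERE username = '' OR '1'='1' matches every row
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),
        # no account is literally named ' OR '1'='1, so nothing matches
        "safe_rows": len(lookup_safe(conn, payload)),
        # the parameterized form still works for a legitimate value
        "safe_legit": lookup_safe(conn, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```

The check a reviewer wants on any "parameterized queries" claim is that no query in the code base is assembled with f-strings, `%` formatting or concatenation; the vulnerable function above is exactly the pattern a grep for `f"SELECT` or `" + ` in query strings should turn up.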
Access Controls
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication (MFA) enforced for all user accounts
- Session management with configurable timeout policies
- Append-only audit logging for every data access event
- Administrative access requires additional approval workflows
Data Protection
- Logical tenant isolation at the database layer
- Field-level encryption for sensitive identifiers
- Automated backup with point-in-time recovery capabilities
- Data retention policies aligned with regulatory requirements
- Secure data deletion procedures upon contract termination
Compliance Posture
Current status of compliance programs, regulatory alignment, and available agreements for enterprise customers.
HIPAA-Aligned Workflows
Status: Active
Platform architecture and operational processes are designed to support HIPAA Privacy and Security Rule requirements. Rymeda operates as a Business Associate under executed BAAs with covered entities.
SOC 2 Type II Program
Status: In progress
A SOC 2 Type II audit is in progress. Current controls are mapped to the Trust Services Criteria (security, availability, confidentiality). Audit timeline and scope are available upon request.
Business Associate Agreements
Status: Available
BAAs are available for all covered entities and business associates. Rymeda executes a BAA before processing any protected health information.
Security Assessments
Status: Ongoing
Periodic security assessments are conducted across the infrastructure, application, and API layers. Assessment scope and methodology are available to enterprise customers under NDA.
Compliance Monitoring
Status: Active
Continuous compliance monitoring with automated evidence collection. Control effectiveness is tracked against HIPAA, SOC 2, and internal policy requirements.
Monitoring and Incident Response
Continuous monitoring, threat detection, and documented procedures for identifying, containing, and resolving security events.
24/7 Infrastructure Monitoring
All production systems are monitored continuously via AWS CloudWatch and application-level health checks. Alerts are triaged by on-call engineering with defined response SLAs.
Automated Threat Detection
Anomaly detection across authentication events, API access patterns, and data egress. Suspicious activity triggers automated alerting and, where applicable, automatic mitigation.
Incident Response Procedures
Documented incident response plan with severity classification, escalation paths, containment procedures, root cause analysis, and notification timelines aligned with HIPAA Breach Notification Rule.
Status Page
Real-time system status and historical uptime reporting. Planned maintenance windows are communicated in advance via the status page and customer notifications.
Security Event Logging
All authentication, authorization, data access, and administrative actions are recorded in tamper-evident, append-only logs with configurable retention periods.
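"Tamper-evident, append-only" is a concrete property, and the usual way to get it is a hash chain: each entry commits to the hash of the entry before it, so rewriting or removing an earlier entry breaks every hash after it. The block below is an added example written for this page, not Rymeda's logging implementation; the event fields are constructed, and the chain uses plain SHA-256 (a production system would additionally sign or externally anchor the chain head, for the reason the last case shows).

```python
import hashlib
import json

GENESIS = "0" * 64  # hash the first entry chains from

# Constructed sample events; field names are illustrative only.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T10:00:01Z", "actor": "dr.alice", "action": "read", "object": "patient/42"},
    {"ts": "2026-03-02T10:00:05Z", "actor": "dr.alice", "action": "read", "object": "patient/43"},
    {"ts": "2026-03-02T10:01:12Z", "actor": "admin.bob", "action": "grant_role", "object": "user/carol"},
    {"ts": "2026-03-02T10:02:40Z", "actor": "nurse.carol", "action": "read", "object": "patient/42"},
]


def entry_hash(prev_hash, record):
    """Hash of (previous hash || canonical JSON of the record)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = dict(record)  # store a copy so callers cannot mutate it later
        self.entries.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})

    def head(self):
        """Current chain head; anchor this somewhere the log writer cannot touch."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Index of the first entry that fails the chain, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
                return i
            prev = e["hash"]
        return -1


def build_log():
    log = AuditLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


def demo():
    """Show which tampering the chain catches on its own and which needs an external anchor."""
    results = {}
    log = build_log()
    anchored_head = log.head()          # saved out of band before any tampering
    results["intact"] = log.verify()    # -1

    log.entries[1]["record"]["actor"] = "svc-batch"   # rewrite who read patient/43
    results["modified"] = log.verify()                # entry 1's hash no longer matches

    log = build_log()
    del log.entries[1]                                # remove an entry from the middle
    results["deleted_middle"] = log.verify()          # next entry's prev no longer matches

    log = build_log()
    log.entries.pop()                                 # drop the newest entry
    results["truncated_chain_only"] = log.verify()    # still -1: the chain alone cannot see this
    results["truncated_vs_anchor"] = log.head() == anchored_head   # False: the anchor can
    return results


if __name__ == "__main__":
    print(demo())
```

The truncation case is the one to ask a vendor about: a hash chain proves nothing about entries that were never written or were removed from the tail, so "tamper-evident" only holds if the chain head is periodically signed or copied to storage the log writer cannot modify.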
Customer Assurance
Security contacts, disclosure policies, and pathways for enterprise customers to request compliance documentation.
Security Contact
Report security concerns or ask questions about our security program.
security@rymeda.com
Vulnerability Disclosure
Responsible disclosure policy for reporting potential security vulnerabilities.
View Policy
Subprocessor List
Current list of subprocessors that process data on behalf of Rymeda.
View Subprocessors
Audit & Assessment Requests
Enterprise customers may request security documentation, penetration test summaries, or compliance artifacts under NDA.
Request Access
Data Processing Agreement
Terms governing how Rymeda processes personal data on behalf of customers.
View DPA
Security Resources
Published policies, agreements, and compliance documentation available for review.
Questions about our security program?
Enterprise customers can request security documentation, penetration test summaries, SOC 2 readiness artifacts, or schedule a technical security review with our team.