Apiary Labs · AuditCare

Trust & Security

How we treat your organization’s data, what we do not collect, and how to reach us for security questions or enterprise requirements.

HTTPS · No PHI by design · Enterprise: BAA & HIPAA program (pending)
Last updated May 3, 2026
🔒

What AuditCare is (and is not)

Self-assessment and workflow tooling for hospital compliance teams.

Not a system of record for patient data. AuditCare is built for structural and operational compliance answers (for example: policies, attestations, and quality workflows). It is not intended to store Protected Health Information (PHI). Please do not enter patient identifiers or clinical record content into the product.

What we may process. Typical inputs include organization profile fields (such as hospital name and CMS CCN where you choose to provide it), contact email for save-and-return links, and your assessment responses and notes. Public CMS and related reference data may be retrieved using identifiers you supply (for example CCN) to reduce manual entry.

☁️

Infrastructure & security practices

Hosted application with standard cloud protections—we do not publish a full architecture diagram on this page.

AuditCare runs on managed cloud infrastructure in the United States. Connections use HTTPS. We apply security headers and sensible defaults consistent with a modern web application.

We rely on a small set of vetted subprocessors (for example hosting, database, transactional email, and optional AI-assisted features). We do not list every integration here; ask for a current subprocessor summary if your process requires it.

📋

HIPAA & Business Associate Agreement (BAA)

Status: pending — framed for enterprise customers who need formal assurances.

Because AuditCare is not designed to process PHI, many deployments will not trigger HIPAA’s full operational scope for the product itself. We still expect hospital procurement to ask about HIPAA and a BAA.

Our position today: formal HIPAA compliance packaging and a signed BAA are in progress and will be offered for enterprise engagements where contractually required—alongside controls and documentation appropriate to how your organization uses the product.

If you are evaluating AuditCare under a policy that requires a BAA regardless of PHI use, email us and we will align on timeline and scope.

Contact: security@apiarylabs.com — subject line "Enterprise / BAA" or "HIPAA inquiry".

🛡️

Assurance roadmap

Honest status for common procurement questions.

| Topic | Status | Notes |
| --- | --- | --- |
| HIPAA (formal program) | Pending | Enterprise deliverable; product is not intended to hold PHI. We will document safeguards and obligations appropriate to your use case. |
| Business Associate Agreement | Pending | Available for enterprise contracts as we finalize legal and operational alignment—not required for typical self-assessment use where no PHI is entered. |
| SOC 2 | In progress | We are working toward SOC 2; timelines and report sharing are handled with customers directly as milestones land. |
| Vulnerability disclosure | Active | Report issues to security@apiarylabs.com. We aim to acknowledge quickly and coordinate responsible disclosure. |

🚨

Incidents & availability

If something goes wrong, we investigate, remediate, and notify affected customers as the commitments in your agreement require.

For security-sensitive reports, use security@apiarylabs.com. Please include enough detail to reproduce or understand the concern. We do not publish a public status page on this site; enterprise customers can ask for our communication approach during onboarding.

Security & trust: security@apiarylabs.com