
Enterprise-Grade Security

Trust Center

PRYM Wellness is built from the ground up to protect sensitive health data. Our platform meets the highest standards for healthcare data security, privacy, and regulatory compliance.

Compliance & Certifications

Our platform adheres to the most rigorous healthcare and data security standards, ensuring your practice and patients are always protected.

HIPAA Compliant (Status: Active)

Full compliance with the Health Insurance Portability and Accountability Act. All PHI is handled according to the Privacy Rule, Security Rule, and Breach Notification Rule. Business Associate Agreements (BAAs) executed with all subprocessors.

SOC 2 Type II Controls (Status: Implemented)

Security, availability, and confidentiality controls aligned with AICPA SOC 2 Trust Services Criteria. Continuous monitoring and annual assessments ensure ongoing compliance with enterprise security standards.

State Privacy Laws (Status: Compliant)

Compliant with CCPA (California), SHIELD Act (New York), and other state-level health data privacy regulations. Patients have full rights to access, correct, and delete their health information.

HITECH Act (Status: Active)

Compliance with the Health Information Technology for Economic and Clinical Health Act, including enhanced enforcement of HIPAA rules, breach notification requirements, and meaningful use of electronic health records.

Technical Security Architecture

Multi-layered security controls protect data at every stage — from collection through storage, processing, and transmission.

Encryption

  • AES-256 encryption for all data at rest
  • TLS 1.3 for all data in transit
  • End-to-end encrypted telehealth video (SRTP/DTLS)
  • Encrypted database connections with certificate pinning
  • Client-side encryption for sensitive form fields

Access Control

  • Role-based access control (RBAC) following the principle of least privilege
  • Multi-factor authentication for admin accounts
  • OAuth 2.0 + JWT session management
  • Automatic session timeout and re-authentication
  • IP allowlisting for administrative access

Data Storage

  • HIPAA-eligible cloud infrastructure (TiDB Cloud)
  • Automated encrypted backups with point-in-time recovery
  • Data residency controls (US-based servers)
  • Logical data isolation between partner tenants
  • Secure deletion with cryptographic erasure

Network Security

  • Web Application Firewall (WAF) protection
  • DDoS mitigation with automatic scaling
  • Private network segmentation for backend services
  • Intrusion detection and prevention systems
  • Regular penetration testing by third-party firms

Monitoring & Audit

  • Comprehensive audit logging of all PHI access
  • Real-time security event monitoring (SIEM)
  • Automated anomaly detection and alerting
  • 90-day audit log retention (extendable)
  • Quarterly access reviews and privilege audits

Incident Response

  • Documented incident response plan (IRP)
  • 24-hour breach notification to affected parties
  • Automated containment and forensic procedures
  • Regular tabletop exercises and plan testing
  • Designated Privacy Officer and Security Officer

How We Protect Patient Data

Every piece of patient health information follows a secure path through our platform. Here's how data moves from collection to delivery — with protection at every step.

1. Secure Collection

Patient data is collected through HTTPS-encrypted forms with client-side validation. Telehealth sessions use SRTP-encrypted video streams. Lab orders are transmitted via encrypted API connections to partner laboratories.

2. Encrypted Transit

All data in transit uses TLS 1.3 with perfect forward secrecy. API calls between services use mutual TLS authentication. No PHI is ever transmitted in plain text or via unencrypted channels.

3. Secure Storage

Data at rest is encrypted with AES-256. Database fields containing PHI use column-level encryption. File attachments (lab results, documents) are stored in encrypted S3 buckets with access logging enabled.

4. Controlled Access

Role-based access ensures providers only see their own patients' data. Admin access requires MFA. Every PHI access event is logged with timestamp, user identity, and action taken.

5. Secure Delivery

Lab results and health records are delivered through the encrypted patient portal. Email notifications contain no PHI — only secure links requiring authentication. PDF exports are generated server-side and transmitted encrypted.

Partner Security Guarantees

Business Associate Agreement (BAA) included with every partner agreement

Tenant data isolation — your patients' data is never co-mingled

Data portability — full export of your data at any time, in standard formats

99.9% uptime SLA with transparent status page

72-hour breach notification commitment (exceeds HIPAA 60-day requirement)

Dedicated security contact for enterprise partners

US-only data residency — no offshore data processing

Annual third-party security assessments shared with partners

Subprocessors & Infrastructure

We carefully vet every third-party service that handles patient data. All subprocessors have executed BAAs and meet our security requirements.

Service            | Purpose                                   | Data Location       | BAA Status
-------------------|-------------------------------------------|---------------------|---------------
TiDB Cloud         | Primary database (patient records, PHI)   | US (AWS us-east-1)  | Executed
AWS S3             | File storage (lab results, documents)     | US (us-east-1)      | Executed
Daily.co           | HIPAA-compliant telehealth video          | US                  | Executed
Genova Diagnostics | Laboratory testing and results            | US (Asheville, NC)  | Executed
CoastDx            | PCR laboratory testing                    | US                  | Executed
Resend             | Transactional email (no PHI in body)      | US                  | Executed
NMI Gateway        | Payment processing (PCI DSS Level 1)      | US                  | N/A (no PHI)
Cloudflare         | CDN, WAF, DDoS protection                 | US Edge             | Executed

Security FAQ

Is PRYM HIPAA compliant?

Yes. PRYM Wellness maintains full HIPAA compliance across all platform services including telehealth, lab ordering, patient records, and e-commerce. We execute Business Associate Agreements (BAAs) with all partners and subprocessors, and our infrastructure is built on HIPAA-eligible cloud services.

How is patient data encrypted?

All data at rest is encrypted using AES-256 encryption. Data in transit uses TLS 1.3 with perfect forward secrecy. Telehealth video streams use SRTP/DTLS encryption. Database connections use certificate-pinned encrypted channels. Sensitive fields use additional column-level encryption.

Can I get a copy of your BAA?

Absolutely. A Business Associate Agreement is included as part of every partner agreement. You can review and sign it during the partner onboarding process, or request a copy by contacting our compliance team.

Where is patient data stored?

All patient data is stored exclusively on US-based servers. Our primary database runs on TiDB Cloud (AWS us-east-1), and file storage uses AWS S3 in the same region. We do not process or store any PHI outside the United States.

What happens if there's a data breach?

We maintain a documented Incident Response Plan. In the event of a breach, we commit to notifying affected partners within 72 hours — well ahead of HIPAA's 60-day requirement. Our response includes automated containment, forensic investigation, regulatory notification, and remediation.

How do you handle data when a partner leaves?

Partners can export all their data at any time in standard formats (CSV, JSON, PDF). Upon termination, we securely delete all partner-specific data within 30 days using cryptographic erasure, and provide written confirmation of deletion.

Do you conduct security audits?

Yes. We conduct annual third-party security assessments, regular penetration testing, and quarterly internal access reviews. Results are available to enterprise partners under NDA upon request.

Ready to Partner with Confidence?

Join a growing network of healthcare providers who trust PRYM Wellness to protect their patients' data while delivering cutting-edge telehealth, lab testing, and wellness solutions.

Questions about our security practices? Contact our Privacy Officer at [email protected]