Security at AlignSure
Enterprise-grade security designed for regulated organizations handling protected health information.
HIPAA Compliance Posture
AlignSure is designed from the ground up to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. Our platform implements administrative, physical, and technical safeguards as required by the HIPAA Security Rule.
All protected health information (PHI) processed through AlignSure is handled in accordance with the HIPAA Privacy Rule. Our workforce receives regular HIPAA training, and we maintain comprehensive policies and procedures governing the handling of PHI.
AlignSure conducts regular risk assessments and vulnerability scans to identify and address potential threats to the confidentiality, integrity, and availability of PHI.
BAA Availability
AlignSure executes Business Associate Agreements (BAAs) with all customers who require them. Our BAA covers all services provided through the AlignSure platform and clearly defines the responsibilities of both parties with respect to PHI.
We maintain BAAs with all subprocessors and downstream vendors who may access PHI on behalf of our customers. A current list of subprocessors is available upon request.
Microsoft Identity Architecture
AlignSure uses Microsoft Entra ID (formerly Azure AD) as its identity provider. All authentication flows use the OAuth 2.0 and OpenID Connect protocols, providing secure, standards-based authentication.
User sessions are bound to their Microsoft identity. There are no local passwords stored within AlignSure. Multi-factor authentication (MFA) policies configured in your Microsoft tenant are respected and enforced.
Administrative access to AlignSure infrastructure requires Privileged Identity Management (PIM) with time-bound, just-in-time access elevation.
Tenant Isolation
Each AlignSure customer operates within a logically isolated environment. Data partitioning is enforced at the application, database, and storage layers. No customer can access, query, or infer data belonging to another tenant.
Tenant isolation is validated through automated testing and periodic penetration tests. Our architecture ensures that a compromise of one tenant cannot propagate to another.
Data Encryption
All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management service with automatic rotation.
PHI is subject to additional encryption controls. Database fields containing PHI are encrypted at the column level, providing defense-in-depth beyond full-disk encryption.
Incident Response
AlignSure maintains a documented incident response plan that is tested and updated regularly. Our incident response process includes identification, containment, eradication, recovery, and post-incident review phases.
In the event of a security incident involving PHI, AlignSure will notify affected customers within the timeframes required by HIPAA and applicable state breach notification laws. Notifications include a description of the incident, the types of information involved, and recommended mitigation steps.
SOC 2 Roadmap
AlignSure is pursuing SOC 2 Type II certification. Our controls are designed in alignment with the Trust Services Criteria for security, availability, and confidentiality.
We anticipate completing our initial SOC 2 Type I audit in the near term, followed by a SOC 2 Type II engagement covering a minimum observation period. Updates on our certification timeline are available upon request.
Questions about our security posture?
Our team is available to discuss AlignSure's security controls, provide documentation, or arrange a security review.