Security & compliance

Built for the practice. Designed for the regulator.

CredOps AI runs on HIPAA-eligible cloud infrastructure. We minimize what we store, encrypt what we keep, and make our practices legible — so your compliance officer can sign off without a forty-page questionnaire.

  • No PHI ever: CredOps handles provider credentials, not patient records.
  • HIPAA-eligible cloud: compute, storage, encryption, and audit logging — all under a signed cloud BAA.
  • BAA available: signed Business Associate Agreement on request, at every tier.
  • Region-locked AI: our AI is invoked through a HIPAA-eligible, US-hosted endpoint. No training on your data.
  • Encryption at rest & transit: AES-256 with managed keys at rest; TLS 1.2+ in transit.
  • Audit trail by default: every field change, login, and document access is logged.
Where we are today

The controls that are live, on day one.

The security foundation is in production from the first signup — not deferred to a later milestone.

Compliance program status (updated 2026-05-23)

  • HIPAA-eligible cloud infrastructure: all services covered under our cloud BAA · US-hosted · Status: Live
  • Customer BAA: signed at no additional cost, every paid tier · Status: Available
  • Encryption at rest & in transit: AES-256 with managed keys · per-tenant scoped · TLS 1.2+ enforced · Status: Live
  • AI runs region-locked, with zero retention: AI calls are stateless · the provider does not store inputs or outputs and does not train on customer data · Status: Live
  • Application audit log: every field change, login, and document access · infrastructure access also captured · Status: Live
Architecture at a glance

Modern. Per-tenant scoped. Auditable end to end.

A simple data-flow diagram a compliance officer can sign off on — the same controls applied at every layer.

DATA FLOW · CREDOPS AI · PRODUCTION · US (primary) · US (disaster recovery)

Client
  • CredOps web app: encrypted session
  • Document upload: encrypted upload

Edge & application
  • Edge protection: DDoS protection · WAF
  • API tier: tenant-scoped · least privilege
  • AI assist: stateless · no training

Storage & audit
  • Encrypted database: AES-256 · per-tenant keys
  • Encrypted document store: versioned & immutable
  • Immutable audit log: long-term retention

Across every layer
  • Hosting: US, multi-region
  • Encryption: AES-256 · TLS 1.2+
  • Tenant isolation: enforced at every layer
  • Backups: point-in-time + cross-region replicas
What we store · what we don't

The smallest data surface a credentialing tool can have.

The cheapest way to be HIPAA-compliant is to not handle PHI. We took that principle seriously from the architecture stage.

What CredOps stores

PROVIDER OPERATIONAL DATA · ENCRYPTED AT REST
  • Provider identifiers — NPI, DEA, CAQH ID, state license numbers
  • Credential documents — license PDFs, DEA registrations, malpractice COIs, board certifications
  • Payer enrollment status — submission dates, payer responses, day counts
  • Office-manager accounts — name, work email, role (no SSNs, no personal addresses)
  • Optional credential vault — CAQH, payer-portal, and DEA portal credentials, encrypted with envelope encryption and never exposed in plaintext

What CredOps does NOT store

PHI & CATEGORIES WE'VE INTENTIONALLY EXCLUDED
  • Patient records (PHI) — never collected, never accepted via upload
  • Plaintext portal passwords — credentials in the optional vault are encrypted with envelope encryption; even our engineers cannot read them
  • Billing or claims data — out of scope, intentionally
  • Marketing trackers in-app — no third-party analytics on authenticated screens
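The two vault bullets above (the optional credential vault, and the plaintext-passwords exclusion) describe envelope encryption without showing the mechanics. The following is an added illustration written for this page, not CredOps code: a per-tenant key-encryption key (KEK) wraps a fresh data-encryption key (DEK) for every stored credential, the database row holds only the wrapped DEK and the ciphertext, and the tenant ID is bound into the AEAD's authenticated data so a row reached from another tenant's context fails to open. KeyService, VaultRecord, StoreSecret and LoadSecret are assumed names, and the in-memory KEK map stands in for a managed key service that in production would never release the KEK at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes returns n bytes from the OS CSPRNG; a failure here is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// KeyService stands in for the managed key store holding one 256-bit
// key-encryption key (KEK) per tenant. Hypothetical: in production the KEK
// never leaves the KMS/HSM, which only performs wrap/unwrap calls.
type KeyService struct{ keks map[string][]byte }

// kekFor returns the tenant's KEK, creating a random one on first use.
func (k *KeyService) kekFor(tenant string) []byte {
	if k.keks == nil {
		k.keks = map[string][]byte{}
	}
	if _, ok := k.keks[tenant]; !ok {
		k.keks[tenant] = randBytes(32)
	}
	return k.keks[tenant]
}

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext and prepends a fresh random nonce; aad is
// authenticated but not encrypted (we pass the tenant ID to bind the blob).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; it fails if ciphertext, tag or aad were altered.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// VaultRecord is all the database ever holds for one portal credential.
type VaultRecord struct {
	Tenant     string
	WrappedDEK []byte // data-encryption key, encrypted under the tenant KEK
	Ciphertext []byte // the credential, encrypted under the DEK
}

// StoreSecret does envelope encryption: a fresh DEK encrypts the secret and
// only that DEK is wrapped by the KEK, so rotating the KEK means re-wrapping
// small keys rather than re-encrypting every stored credential.
func StoreSecret(ks *KeyService, tenant string, secret []byte) (VaultRecord, error) {
	dek, aad := randBytes(32), []byte(tenant)
	ct, err := seal(dek, secret, aad)
	if err != nil {
		return VaultRecord{}, err
	}
	wrapped, err := seal(ks.kekFor(tenant), dek, aad)
	if err != nil {
		return VaultRecord{}, err
	}
	return VaultRecord{Tenant: tenant, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// LoadSecret unwraps with the KEK of the requesting tenant, so a record
// reached from another tenant's context fails authentication instead of opening.
func LoadSecret(ks *KeyService, tenant string, rec VaultRecord) ([]byte, error) {
	aad := []byte(tenant)
	dek, err := unseal(ks.kekFor(tenant), rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, rec.Ciphertext, aad)
}

func main() {
	ks := &KeyService{}
	secret := []byte("portal-password-EXAMPLE") // constructed sample value
	rec, _ := StoreSecret(ks, "tenant-a", secret)
	got, err := LoadSecret(ks, "tenant-a", rec)
	fmt.Printf("same tenant: %q err=%v\n", got, err)
	_, err = LoadSecret(ks, "tenant-b", rec)
	fmt.Println("other tenant:", err)
}
```

The property a compliance reviewer cares about is visible in the record type: nothing in VaultRecord can be read without a KMS unwrap call, which is exactly the operation an access log should capture. The tenant ID in the authenticated data is what turns "per-tenant scoped" from a naming convention into something the cipher enforces.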
AI data handling

How AI sees a document — and what happens after.

When you ask AI to read a license, the document moves through a path designed to be both useful and accountable.

1. Upload to private, encrypted storage
   Document lands in a per-tenant encrypted document store. Server-side encryption with managed keys. No public URL is ever generated.
2. Pages stream to the AI provider
   Pages are sent to our AI model over a private network channel. The request is stateless — the AI provider does not retain inputs or outputs.
3. Structured fields return with confidence scores
   The AI returns a JSON payload with extracted fields and per-field confidence. The raw document is never replaced — only annotated.
4. Human review before save
   Nothing is committed to the credential record until a user explicitly approves. AI is an assistant, never an auto-writer.
5. Audit log entry written
   Every extraction is logged with the model version, confidence vector, and reviewing user — recoverable for seven years.

What this means in practice

  • Your documents are not training data. The AI provider has a contractual zero-retention guarantee — customer inputs and outputs are never used to train any model.
  • You can review and undo. Every AI suggestion has a confidence score and a reject button. Rejected suggestions are kept in the audit log for review-quality analysis.
  • Stays in the US. AI invocations are pinned to a US-hosted, HIPAA-eligible endpoint — the same residency as the rest of your data.
  • You can turn it off. AI extraction is a feature flag, per workspace. Stay manual if your compliance team prefers.
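As an added example (written for this page, not CredOps code), the following sketches steps 3 to 5 of the pipeline above together with the reject-and-log behaviour just described: the extraction payload is validated before anyone sees it, a reviewer approves fields one at a time, only approved fields reach the credential record, and an audit entry carrying the model version, confidence vector and reviewing user is written whether or not anything was accepted. The JSON shape, the contents of SamplePayload, and the names Extraction, ParseExtraction, ApplyReview and AuditLog are assumptions for the demo.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Extraction is the hypothetical JSON payload returned by the AI step:
// extracted fields plus a per-field confidence. The key names are assumed.
type Extraction struct {
	ModelVersion string             `json:"model_version"`
	Fields       map[string]string  `json:"fields"`
	Confidence   map[string]float64 `json:"confidence"`
}

// SamplePayload is a constructed response for the demo, not real model output.
const SamplePayload = `{"model_version":"extract-model-EXAMPLE",
 "fields":{"license_number":"MD-000000","expiration":"2027-06-30"},
 "confidence":{"license_number":0.97,"expiration":0.61}}`

// ParseExtraction decodes the payload and rejects anything malformed:
// unknown keys, a missing model version, or a field whose confidence is
// absent or outside [0, 1]. A bad payload never reaches the reviewer.
func ParseExtraction(raw string) (Extraction, error) {
	var ex Extraction
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&ex); err != nil {
		return Extraction{}, err
	}
	if ex.ModelVersion == "" {
		return Extraction{}, errors.New("missing model_version")
	}
	for name := range ex.Fields {
		if c, ok := ex.Confidence[name]; !ok || c < 0 || c > 1 {
			return Extraction{}, fmt.Errorf("field %q has no valid confidence", name)
		}
	}
	return ex, nil
}

// AuditEntry is written for every extraction, whatever the reviewer decided:
// model version, the full confidence vector, the user, and the outcome per field.
type AuditEntry struct {
	At           time.Time
	Tenant, User string
	ModelVersion string
	Confidence   map[string]float64
	Accepted     []string
	Rejected     []string
}

// AuditLog is append-only here; the real store adds long-term retention.
type AuditLog struct{ Entries []AuditEntry }

// CredentialRecord holds the provider's saved credential fields.
type CredentialRecord struct{ Fields map[string]string }

// ApplyReview is the human-review gate. Only fields the user explicitly
// approved are written to the record; every other suggestion is rejected,
// and the decision is logged either way so rejections stay reviewable.
func ApplyReview(rec *CredentialRecord, ex Extraction, approved map[string]bool,
	tenant, user string, now time.Time, audit *AuditLog) AuditEntry {
	if rec.Fields == nil {
		rec.Fields = map[string]string{}
	}
	entry := AuditEntry{At: now, Tenant: tenant, User: user,
		ModelVersion: ex.ModelVersion, Confidence: ex.Confidence}
	for name, value := range ex.Fields {
		if approved[name] {
			rec.Fields[name] = value // the only path that writes to the record
			entry.Accepted = append(entry.Accepted, name)
		} else {
			entry.Rejected = append(entry.Rejected, name)
		}
	}
	sort.Strings(entry.Accepted)
	sort.Strings(entry.Rejected)
	audit.Entries = append(audit.Entries, entry)
	return entry
}

func main() {
	ex, err := ParseExtraction(SamplePayload)
	if err != nil {
		panic(err)
	}
	var rec CredentialRecord
	var audit AuditLog
	// The office manager accepts the high-confidence field and rejects the other.
	e := ApplyReview(&rec, ex, map[string]bool{"license_number": true},
		"tenant-a", "om@example.com", time.Now().UTC(), &audit)
	fmt.Printf("record=%v accepted=%v rejected=%v\n", rec.Fields, e.Accepted, e.Rejected)
}
```

The design point is that the approval map is the only input that can cause a write: a model returning a field with confidence 1.0 still changes nothing until a named user approves it, and the audit entry records what was offered, not just what was kept, which is what makes later review-quality analysis of rejected suggestions possible.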
Responsible disclosure

Found a security issue? Tell us first.

We don't run a paid bounty yet, but we acknowledge every report within one business day, fix critical issues within seven, and credit researchers publicly (with your permission).

1 business day to acknowledge · 7 days for critical fixes · researcher credit on request
SECURITY CONTACT
security@credops.ai
PGP fingerprint — available on request
REQUEST A BAA
Email legal@credops.ai with your practice name and the name of the person who can sign. Signed and returned within two business days.
Security FAQ

The specific questions your compliance officer will ask.

If yours isn't here, write to security@credops.ai — we answer in plain English, with citations.

What formal certifications do you have today?

We have not yet completed third-party security certifications under the CredOps brand. The cloud infrastructure we run on is itself HIPAA-eligible and independently audited — we can share those reports under NDA as part of our security packet. We will pursue our own formal certifications once we have the customer base to make the audit meaningful, and we'll publish the timeline here when it's scheduled.

Is the cloud BAA the same as your BAA with us?

No — they are two separate agreements. Our cloud provider gives us a BAA covering the infrastructure (HIPAA-eligible services). We give you a BAA covering CredOps as a business associate of your practice. Both are required for HIPAA coverage of the data chain.

Where does customer data live?

All customer data is hosted in the United States, in a primary region with disaster-recovery replication to a second US region. All data is encrypted at rest with managed keys. We do not currently offer EU or Canadian data residency — reach out if that's a requirement.

What happens to my data if I cancel?

You can export everything as CSV plus original document files at any time. On cancellation, your data is retained in a frozen state for 30 days (in case you change your mind), then hard-deleted — including from backups within 90 days. We send written confirmation when deletion completes.

Do you support SSO and SCIM?

SSO with Google Workspace and Microsoft Entra is available on the Group tier. SCIM provisioning is not yet available; it's on the roadmap for late 2026.

Who can see my data inside CredOps?

Only the office-manager accounts you've explicitly invited. Internal access is limited to a small, named engineering group, requires SSO with MFA, and every action is captured in the immutable audit log. We never read your documents to "improve the product" — the AI pipeline runs without human-in-the-loop on your tenant.

How do you handle a credential breach?

A documented incident response plan kicks in. We assess scope within 4 hours, notify affected customers within 24 hours, and publish a public postmortem within 7 days. For HIPAA-reportable breaches we follow the 60-day HHS notification requirement.

Can I get a custom DPA or security questionnaire response?

Yes — we maintain pre-filled responses for the CAQ, SIG Lite, and the OCR HIPAA Audit Protocol. We can sign custom DPAs for any paid tier. Email legal@credops.ai with what you need.