Security & Compliance
Path.systems is built with healthcare-grade security. HIPAA compliant, SOC2 Type II certified, with end-to-end encryption and comprehensive audit logging.
HIPAA Compliant
All data handling follows HIPAA requirements. Business Associate Agreements (BAA) available for US-based customers.
SOC2 Type II
Annual SOC2 Type II audit covering security, availability, processing integrity, and confidentiality.
POPIA Compliant
Compliant with South Africa's Protection of Personal Information Act for handling patient data.
ISO 27001
Information security management system aligned with ISO 27001 controls.
Encryption
| Layer | Standard | Details |
|---|---|---|
| Data in Transit | TLS 1.3 | All API, FHIR, and web traffic is encrypted with TLS 1.3. HSTS enforced with 1-year max-age, includeSubDomains, preload. |
| Data at Rest | AES-256-GCM | All database fields containing PHI are encrypted using AES-256-GCM with per-organization keys. |
| Backups | AES-256 | Database backups are encrypted at rest using AES-256 with keys managed by the cloud provider's KMS. |
| HL7 / MLLP | TLS 1.2+ | All HL7 MLLP connections use TLS. Plaintext MLLP is not supported. |
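The at-rest row above (AES-256-GCM with per-organization keys), illustrated as an added example that is not Path.systems' own code: per-org keys are derived from a constructed master key with HMAC-SHA256 (an assumption; a real deployment would have the KMS generate and wrap them), and the organization ID and column name are bound into each ciphertext as additional authenticated data so a value cannot be replayed into another organization's record or another column.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed stand-in for the master key a KMS would hold; not a real secret.
var masterKey = sha256.Sum256([]byte("constructed master key"))

// orgKey derives a distinct AES-256 key per organization using HMAC-SHA256
// as a simple KDF (an assumption, not Path.systems' actual key hierarchy).
func orgKey(orgID string) []byte {
	mac := hmac.New(sha256.New, masterKey[:])
	mac.Write([]byte("phi-field-key/v1/" + orgID))
	return mac.Sum(nil) // 32 bytes, so aes.NewCipher selects AES-256
}

func orgAEAD(orgID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(orgKey(orgID))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt seals one PHI field as nonce || ciphertext || tag. Org ID and column
// name go in as additional authenticated data (AAD), so a ciphertext pasted
// into another organization's row or another column fails the tag check.
func Encrypt(orgID, field string, plaintext []byte) ([]byte, error) {
	gcm, err := orgAEAD(orgID)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit random nonce per value
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, []byte(orgID+"|"+field)), nil
}

// Decrypt reverses Encrypt; any change to org, field, nonce, body or tag fails.
func Decrypt(orgID, field string, blob []byte) ([]byte, error) {
	gcm, err := orgAEAD(orgID)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(orgID+"|"+field))
}
```

With random 96-bit nonces the per-org key should be rotated well before 2^32 values are sealed under it; the KMS-managed key hierarchy is where that rotation belongs.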
Access Control
Role-Based Access
| Role | Patients | Requests | Results | Billing | Settings |
|---|---|---|---|---|---|
| Admin | Full | Full | Full | Full | Full |
| Pathologist | Read | Full | Full | Read | None |
| Technologist | Read/Create | Full | Create | None | None |
| Billing | Read | Read | Read | Full | None |
| Reception | Full | Create | None | None | None |
| Read-only | Read | Read | Read | Read | None |
Authentication
- Multi-factor Authentication (MFA) — TOTP-based MFA via authenticator apps. Can be enforced org-wide by admins.
- SSO — SAML 2.0 and OpenID Connect support for enterprise SSO providers (Okta, Azure AD, Google Workspace).
- Session Management — configurable session timeout (default 8 hours). Sessions are invalidated on password change.
- Password Policy — minimum 12 characters, at least one uppercase, one lowercase, one number. Passwords are hashed with Argon2id.
Security Headers
All responses include the following security headers:
```http
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none'; base-uri 'self'
```

Audit Logging
All user and system actions are recorded in an immutable audit log. View the audit log in Settings → Logs or export via API.
Logged Events
| Category | Events |
|---|---|
| Authentication | Login, logout, failed login, MFA challenge, password change, API key created/revoked |
| Patient | Created, updated, deactivated, viewed, searched |
| Lab Request | Created, status changed, cancelled, deactivated |
| Results | Received, viewed, critical flag acknowledged |
| Billing | Export initiated, invoice assigned |
| Integration | Connection established, connection failed, message sent/received |
| Settings | User invited, role changed, location created/deleted, webhook configured |
Each log entry includes: timestamp, user ID, user name, IP address, action, resource type, resource ID, and a diff of changed fields (for update operations).
Infrastructure
| Aspect | Details |
|---|---|
| Cloud Provider | Deployed on isolated infrastructure with SOC2-certified cloud providers |
| Data Residency | South Africa (primary), with optional EU and US regions for global customers |
| Backups | Automated daily backups with 30-day retention. Point-in-time recovery available. |
| Uptime SLA | 99.99% uptime SLA for Professional and Enterprise tiers |
| DDoS Protection | Layer 3/4 DDoS mitigation included. Layer 7 WAF on Enterprise tier. |
| Vulnerability Scanning | Automated dependency scanning, weekly penetration testing |
| Incident Response | 24-hour incident response SLA. Security incidents reported within 72 hours per POPIA requirements. |
Data Retention & Deletion
Patient data is retained for the duration of your subscription plus a 90-day grace period. Under POPIA and HIPAA:
- Patients can request data export (JSON/PDF) via their provider
- Deactivated patient records are soft-deleted and excluded from queries by default
- Full data deletion requests are processed within 30 days and confirmed in writing
- Audit logs are retained for 7 years per healthcare regulatory requirements
Data Processing Agreement
Contact security@path.systems to request one, or download the standard DPA from Settings → Security → Documents.