Headed to Health AI Summit '26? So are we! Schedule an onsite demo
Trust · Security & compliance

Built HIPAA-native from day one.

HITRUST r2 + HIPAA + SOC 2 + PCI. PHI redacted before storage. Revalidation costs $2M+ and 18 months to replicate — a durable compliance moat.

HITRUST r2 (CSF) · HIPAA · HITECH · SOC 2 Type II · PCI DSS · ISO 27001 · CCPA · GDPR
Audited, certified, and BAA-covered out of the box.
Compliance pillars

Four certifications. One regulated platform.

Healthcare AI ships into the most regulated workflows in the industry. Aqurio's compliance posture is the substrate — not a checkbox added before the close.

1

HITRUST r2 (CSF) certified.

The highest assurance level HITRUST offers. r2 covers 19 control families with control inheritance from HIPAA, NIST 800-53, ISO 27001, and PCI DSS. Revalidation costs $2M+ and 18 months — a moat no competitor can replicate quickly.

HITRUST r2 · the durable compliance moat
2

HIPAA-native.

BAA on day one of every customer agreement. PHI redacted before storage. TLS 1.3 + AES-256. RBAC end-to-end. 7-year audit retention. Built around the HITECH compliance floor — not retrofitted on top of a generic SaaS.

100% of deployments BAA-covered from kickoff
3

SOC 2 Type II certified.

Security, Availability, and Confidentiality trust services criteria — audited annually by an external firm. Customer-facing reports and Bridge Letters available under NDA. Aqurio's SOC 2 boundary covers every workflow that touches PHI.

Annual external audit · Bridge Letters under NDA
4

PCI DSS compliant.

Card-handling workflows (POS collections, treatment-plan deposits, copays) certified to PCI DSS. Cardholder data never enters Aqurio's primary processing path — tokenisation at capture, scope kept minimal by design.

PCI scope minimised by tokenisation at capture

From call answer to encrypted archive. One protected lifecycle.

Six steps Aqurio applies to every patient interaction — voice, SMS, or chat — without exception.

1

Authenticate

Caller identified or new chart staged, TLS 1.3 session established, RBAC scope applied before any data exchange.

2

Capture

Audio + transcript captured with PII/PHI redaction tags on the fly; recording consent captured per state law.

3

Encrypt

Envelope encryption applied with customer-scoped KMS keys; transit secured with TLS 1.3 + certificate pinning.

4

Write-back

EHR posts via signed, audited connectors (Epic, Cerner, Athena, eCW, NextGen) — every field write recorded with actor + timestamp.

5

Audit

Tamper-evident log of every access, write, and decision; 7-year retention per HIPAA; optional SIEM forwarding to customer environment.

6

Archive

Recordings + transcripts moved to encrypted cold storage on a customer-configurable schedule; right-to-delete enforced on patient request.

End-to-end, every Aqurio interaction is governed by HIPAA-aligned controls, audited under SOC 2 Type II, and reviewable through the same audit trail your CISO already uses in their SIEM.

Frequently asked questions

Questions every CISO asks before signing.

Does Aqurio sign a BAA?
Yes. Every Aqurio customer agreement includes a Business Associate Agreement at signature — not after a separate negotiation. BAAs are pre-signed at the master agreement level so no workflow goes live without one in force.
What compliance certifications does Aqurio hold?
HIPAA-aligned controls (BAA-covered), SOC 2 Type II (Security, Availability, Confidentiality), HITRUST CSF certification, HITECH alignment, PCI DSS for any card-handling workflows, ISO 27001, plus CCPA and GDPR compliance. Customer-facing audit reports available under NDA.
How is patient data encrypted?
TLS 1.3 in transit, AES-256 at rest. PHI is encrypted with envelope encryption using customer-scoped keys. All keys rotated automatically on a 90-day schedule, with HSM-backed root-of-trust. Recorded calls and transcripts are stored in encrypted object storage with per-customer KMS keys.
Where is data stored and processed?
All Aqurio infrastructure runs in U.S.-based AWS regions (us-east-1 and us-west-2). Data residency is enforced at the infrastructure level — no cross-border transfer for any U.S. healthcare customer. SOC 2 audited boundary.
How does Aqurio handle access controls?
Role-based access control (RBAC) end-to-end, with least-privilege defaults. SSO via SAML 2.0 or OIDC, MFA required for all staff, just-in-time access elevation for any operator-side data review, full audit log of every access event preserved 7 years per HIPAA retention.
What is Aqurio's breach-notification process?
Per HIPAA and contractual obligations, Aqurio notifies affected customers without unreasonable delay (target: within 24 hours of confirmed breach). Customer incident-response runbook shared at onboarding, with a documented escalation path and assigned single point of contact.

Smarter healthcare starts with us, together.

Book a demo to explore our platform, or talk with an AI expert about solutions custom-tailored to your needs.