Your data security is our foundation
Purechart is built from the ground up with security at its core — meeting HIPAA, international data protection laws, and industry-leading security frameworks.
Encryption
Your data is encrypted everywhere — at rest, in transit, and in backups.
- AES-256 encryption at rest — All stored data including patient records, X-rays, documents, and backups
- TLS 1.2+ encryption in transit — All communications between your devices and Purechart servers
- Encrypted backups — Geographically redundant, encrypted backups across multiple availability zones
- API encryption — All API endpoints require authenticated, encrypted HTTPS connections
Access Controls
Granular permissions ensure the right people see the right data.
- Role-based access control (RBAC) — Administrator, Provider, Hygienist, Front Desk, and custom roles
- Multi-factor authentication (MFA) — Available to every user account and required for administrator accounts
- Automatic session timeouts — Configurable idle timeout that ends unattended sessions, limiting exposure from a workstation left logged in
- Unique user identification — Every action is tied to an individual user account, no shared logins
- IP allowlisting — Optional restriction of access to approved networks for enterprise customers
Infrastructure
Enterprise cloud infrastructure built for reliability and compliance.
- Google Cloud Platform (GCP) — Hosted on infrastructure that holds SOC 2 Type II and ISO 27001 attestations and supports HIPAA-regulated workloads under a Business Associate Agreement (HIPAA has no formal certification; the provider's attestations cover the platform, and Purechart's own controls cover the application layer)
- 99.9% uptime SLA — Redundant systems, load balancing, and automatic failover
- DDoS protection — Network-level DDoS mitigation and web application firewall (WAF)
- Intrusion detection — 24/7 monitoring, anomaly detection, and automated alerting
- Regular penetration testing — Third-party security assessments and vulnerability scanning
Audit & Monitoring
Complete visibility into who accessed what, when, and from where.
- Comprehensive audit logs — Every access, modification, and deletion of patient data is logged with user, timestamp, IP, and action
- Tamper-resistant logs — Audit logs are written to append-only storage; existing entries cannot be modified or deleted through the application
- Real-time alerts — Automated notifications for suspicious activity, failed login attempts, and unusual access patterns
- Exportable audit reports — Generate compliance reports for internal audits, regulatory inquiries, or legal requirements
International Compliance
Purechart meets data protection standards across the Americas and beyond, ensuring your practice is compliant wherever you operate.
- HIPAA (United States) — Full compliance with the Privacy Rule, Security Rule, and Breach Notification Rule
- GDPR (European Union) — Data subject rights, DPIAs, and Standard Contractual Clauses for international transfers
- LGPD (Brazil) — Aligned with Lei Geral de Proteção de Dados principles and data subject rights
- Authorization-based processing, with access, correction, and deletion rights
- Privacy notices, consent mechanisms, and ARCO rights support
- Consent-based collection, purpose limitation, and safeguards for personal health information
Have security questions?
Our security team is available to answer questions, provide compliance documentation, or discuss your specific requirements.