Security program, documented in detail.
The ApiVoc security program covers eight functional domains. All controls operate on a single Microsoft Azure tenant in US regions, governed by Microsoft Entra ID, and continuously monitored through Drata.
At rest and in transit, end to end.
Encryption is enforced at every layer where data is stored or transmitted. AES-256 at rest, TLS 1.2 or higher in transit. Key management runs through Azure Key Vault.
At rest (table columns: Layer, Method, Cipher, Key management)
In transit (table columns: Connection, Protocol, Cipher, Notes)
Eight domains, all owned.
Each domain has documented policies, designated owners, technical controls, and evidence collected continuously through Drata.
Identity & access
Microsoft Entra ID with MFA enforced for all workforce accounts. Role-based access control. Just-in-time elevation for privileged operations. Quarterly access reviews. Termination removes access same-day.
Network security
Single Azure tenant, US regions only. Azure Private Link for service-to-service traffic where supported. WAF on public endpoints. No public RDP/SSH; bastion-only administrative access.
Data protection
AES-256 encryption at rest across databases, storage, and backups. TLS 1.2+ in transit with strong ciphers. Azure Key Vault for key management. Data classification and handling procedures documented.
Application security
Secure SDLC with code review on every change. Static and dependency analysis in CI. Secrets management via Azure Key Vault. Vulnerability management aligned with CVSS-based remediation timelines.
Logging & monitoring
Centralized logging through Azure Monitor and Log Analytics. Authentication, access, and PHI disclosure logging. Continuous compliance monitoring through Drata. Anomaly review on a documented cadence.
Incident response
Documented incident response plan with defined roles, severity levels, and communication procedures. Integrated with HIPAA breach response. Tabletop exercises conducted regularly.
Business continuity
Documented BCP and DR procedures. RTO and RPO defined per system criticality. Backups tested. Annual tabletop exercise. Multi-region capability where required.
Vendor risk management
Vendor risk assessment before onboarding. BAA execution before any PHI exchange. Annual reviews of critical vendors. Documented offboarding procedures.
The numbers we work to.
Internal SLAs that govern how the security program operates day-to-day. These are the same numbers we report against in audits, vendor questionnaires, and customer reviews.
Critical vulnerability remediation
CVSS 9.0+ or actively exploited. Tracked to closure with executive visibility.
High vulnerability remediation
CVSS 7.0–8.9. Standard remediation cycle through change management.
Production access provisioning
For approved requests. Includes role-based access review at provisioning time.
Access termination
On workforce departure or role change. Most terminations execute within hours.
Incident triage
For confirmed security incidents. Integrated with on-call rotation.
BA breach notification
Business associate (BA) to covered entity (CE) notification per HIPAA §164.410, which requires notice without unreasonable delay and no later than 60 days after discovery. Notification is usually made substantially earlier than the committed deadline.
Reporting and inquiries.
For security questionnaires, vulnerability reports, or any security-program inquiry, route directly to our CISO.
CISO
For vulnerability reports
Send details directly to Nick. Reports are acknowledged within one business day; full response timing depends on severity. We work in good faith with security researchers and do not pursue legal action over good-faith disclosure.