Trust Center
How we handle your bill data.
Audra processes data that's adjacent to PHI under HIPAA. We treat it like it's our own. Here's exactly how — security controls, every subprocessor we use, and our current compliance posture.
Security controls
Encryption at rest
Every uploaded bill is encrypted in the browser with AES-256-GCM before it leaves the device. We store the ciphertext + a per-record envelope key (KMS-wrapped). The plaintext bill is never written to our servers.
Encryption in transit
TLS 1.2+ enforced on every connection. HSTS preload, server-side certificate pinning on internal subprocessor calls.
Access control
Production database access is logged + role-based with least-privilege defaults. Engineers do not have standing access to user data; break-glass operations are audited.
Audit logging
Every access to a user’s audit is logged with actor, action, timestamp, and IP. Logs are immutable and retained 6 years (HIPAA-aligned). Users can request an excerpt of their own log via /settings/activity.
Backups + verification
Daily encrypted database backups retained 30 days, with a separate canary-row verification cron (api/cron/backup-canary) that confirms the backup actually restores. Failures open an incident on /status.
Incident response
Breach-notification target of 48 hours to affected users + any signed-BAA partners. The /status page is updated in real time during any user-facing degradation.
Two-factor auth
TOTP 2FA available on every account from /settings/security. Backup codes are issued at enrollment so account recovery never requires email support.
New-device alerts
A successful sign-in from a device we haven’t seen before fires a single notification email so users can react fast if it wasn’t them.
Subprocessors
The vendors that touch user data on Audra's behalf. We maintain current BAAs with every subprocessor flagged as “Handles PHI” where HIPAA requires one. This list is reviewed quarterly; material changes are announced via the blog feed.
| Vendor | Purpose | Location | PHI |
|---|---|---|---|
| Supabase, Inc. | Postgres database, authentication, storage, edge functions | United States (primary), with edge presence globally | Handles |
| Vercel, Inc. | Application hosting + edge CDN for the web app and APIs | United States | None |
| Amazon Web Services, Inc. | AWS Textract for OCR of uploaded bill images + PDFs | United States (us-east-1) | Handles |
| Anthropic, PBC | Claude Sonnet 4.5 inference for audit analysis + appeal-letter drafting | United States | Handles |
| Stripe, Inc. | Payment processing (subscriptions + one-time charges, refunds, payouts) | United States | None |
| Resend, Inc. | Transactional + marketing email delivery | United States | None |
| Sentry (Functional Software, Inc.) | Application error monitoring (stack traces, no user content) | United States | None |
| Cloudflare, Inc. | Turnstile bot-protection challenge on signup | United States | None |
Compliance posture
HIPAA BAA available
Active. Counter-signed BAA template at /legal/baa. Partner orgs can countersign via /settings/security or by emailing support.
SOC 2 Type II
In progress. Audit period started Q2 2026 with a Big-4-tier audit firm. Report target: Q4 2026.
GDPR + CCPA data export / deletion
Active. Self-serve export + deletion at /settings/data. Deletion includes a 30-day grace window before permanent purge.
PCI DSS
N/A. We never see card data. Stripe handles all PCI scope; we never store, process, or transmit primary account numbers.
Things we don't do
- Train AI models on private user bills. Audit-pipeline LLM calls do not contribute back to model training. We use synthetic data + the public, opt-in research dataset for model improvements.
- Sell, share, or aggregate user data with marketing partners.
- Practice medicine or law. Audra surfaces billing-rule violations; we don't opine on clinical decisions.
Need something specific?
For a security questionnaire response, signed BAA, DPA, or a custom subprocessor disclosure, email [email protected]. We respond within one business day.
Last reviewed June 2026. Quarterly review cadence.