Security

Enterprise-grade protection for your practice and patient data

  • HIPAA Compliant: Full regulatory compliance
  • SOC 2 Type II: Independently audited
  • AES-256 Encryption: Data at rest & in transit
  • 99.9% Uptime: High-availability infrastructure

Platinum Health Systems protects the data of thousands of chiropractic practices and their patients. Security is embedded in every layer of our platform — from infrastructure and application design to operational processes and employee training. Here is an overview of the measures we take to keep your data safe.

1. Infrastructure Security

  • SOC 2 Type II Certified Data Centers: Our infrastructure is hosted in certified data centers with 24/7 physical security, biometric access controls, video surveillance, and environmental monitoring
  • Geographic Redundancy: Data is replicated across multiple geographic regions to ensure availability and disaster recovery
  • Network Security: Enterprise-grade firewalls, intrusion detection and prevention systems (IDS/IPS), and DDoS mitigation protect our network perimeter
  • Isolated Environments: Customer data is logically isolated with strict tenant separation to prevent unauthorized cross-access

2. Data Encryption

  • At Rest: All data stored in our systems is encrypted using AES-256, the same standard used by financial institutions and government agencies
  • In Transit: All data transmitted between your devices and our servers is encrypted using TLS 1.3, the latest transport security protocol
  • Key Management: Encryption keys are managed using hardware security modules (HSMs) with automatic key rotation
  • Database Encryption: All database fields containing PHI or sensitive data are encrypted at the field level

3. Application Security

  • Secure Development Lifecycle: Security reviews and automated testing are integrated into every stage of our development process
  • Vulnerability Scanning: Automated and manual scans identify and address vulnerabilities before they reach production
  • Penetration Testing: Independent third-party security firms conduct annual penetration tests of our platform
  • Dependency Management: All third-party libraries and dependencies are monitored for known vulnerabilities and updated promptly
  • Code Reviews: All code changes undergo peer review with security-focused assessment before deployment

4. Access Controls

  • Multi-Factor Authentication (MFA): MFA is available for all user accounts and required for administrative access
  • Role-Based Access Control (RBAC): Granular permissions ensure users only access data and features appropriate to their role
  • Session Management: Automatic session timeouts and concurrent session limits protect against unauthorized access
  • Password Policies: Enforced password complexity requirements, rotation policies, and protection against known compromised passwords
  • Audit Logging: Every access to patient data is logged with user identity, timestamp, and action performed

5. Monitoring & Incident Response

  • 24/7 Monitoring: Continuous monitoring of all systems, networks, and applications with real-time alerting
  • Security Operations Center: Dedicated security team monitors and responds to threats around the clock
  • Incident Response Plan: Documented and regularly tested procedures for identifying, containing, and remediating security incidents
  • Threat Intelligence: Integration with threat intelligence feeds to proactively identify and block emerging threats
  • Log Retention: Security logs are retained for a minimum of 12 months for forensic analysis and compliance purposes

6. Business Continuity & Disaster Recovery

  • Automated Backups: Continuous data backups with point-in-time recovery capabilities
  • Recovery Time Objective: Designed for recovery within 4 hours in the event of a major outage
  • Recovery Point Objective: Maximum data loss limited to 1 hour through continuous replication
  • Disaster Recovery Testing: Regular DR drills and failover tests ensure recovery procedures work as planned
  • Redundant Systems: All critical components are deployed in a highly available configuration with automatic failover

7. Employee Security

  • Background Checks: All employees undergo comprehensive background checks prior to hire
  • Security Training: Mandatory security awareness training upon hire and quarterly refreshers
  • HIPAA Training: Annual HIPAA-specific training and certification for all personnel
  • Least Privilege: Employee access follows the principle of least privilege with regular access reviews
  • Confidentiality Agreements: All employees sign confidentiality and non-disclosure agreements

8. Compliance & Certifications

  • HIPAA: Full compliance as a Business Associate — see our HIPAA Compliance page
  • SOC 2 Type II: Independently audited and certified for security, availability, and confidentiality
  • PCI DSS: Payment processing complies with Payment Card Industry Data Security Standards
  • State Regulations: Compliance with applicable state data protection and medical record retention laws

9. Responsible Disclosure

We value the security research community and welcome responsible disclosure of potential vulnerabilities. If you discover a security issue, please contact our security team:

Platinum Health Systems, Inc.

Attn: Security Team

Email: security@platinumsystem.com

Phone: (800) 555-0199

Website: platinumsystem.com/contact

For more information about how we handle your data, please review our Privacy Policy and Terms of Service.
