HIPAA Compliance
Medplaza products that handle protected health information operate under controls aligned with the HIPAA Security Rule:
- Encryption at rest using AES-256 and in transit using TLS 1.2 or higher.
- Role-based access controls with least-privilege provisioning.
- Audit logging of access to PHI and administrative actions.
- Annual risk assessments and policy review.
- Designated Privacy Officer and Security Officer.
- Workforce training on HIPAA and information-security responsibilities.
SOC 2
Medplaza is currently in the evaluation phase for SOC 2, with active controls implementation in progress. We are pursuing a SOC 2 Type II audit. Current status, control mapping, and timeline are available to enterprise prospects under NDA. To request the current status packet, use our contact form.
Business Associate Agreements
Medplaza products that touch PHI offer product-level Business Associate Agreements to covered-entity customers as part of onboarding. See BAA availability for the request process and what to expect.
Subprocessors
The medplaza.com marketing site itself does not process PHI. Site operations rely on the following subprocessors. A full and current list is maintained in our Privacy Policy.
| Vendor | Purpose | Data category | BAA |
|---|---|---|---|
| Vercel Inc. | Web hosting and edge delivery | Site logs and contact-form metadata in transit | Yes — Vercel offers a BAA on Enterprise; medplaza.com itself processes no PHI |
| Resend | Transactional email (contact-form replies) | Name, email, free-text message | Not required (no PHI) |
Responsible Disclosure
If you believe you have discovered a security vulnerability affecting Medplaza or the Site, please report it through our contact form with “Security Disclosure” in your message. We ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure, and that you do not access data beyond what is necessary to demonstrate the issue. We acknowledge reports within five business days. We do not currently run a public bug bounty program.