COMPLIANCE
Compliance & Trust Center
Built for regulated healthcare from day one — not bolted on as an afterthought
HIPAA
PHI protection, Business Associate Agreements, encryption at rest and in transit, immutable audit trails
SOC 2 Type II
Trust services criteria for security, availability, processing integrity, confidentiality, and privacy
FDA
Clinical validation for AI-assisted dermatology diagnostics, De Novo classification pathway
EU AI Act
High-risk AI system requirements, transparency obligations, human oversight provisions
GDPR
Data protection for EU/EEA subjects, lawful processing basis, international transfer safeguards
CCPA / State Privacy
California Consumer Privacy Act and applicable US state privacy law compliance
Data Encryption
- AES-256-GCM encryption for all Protected Health Information at rest
- TLS 1.2 or higher enforced for all data in transit, with TLS 1.3 preferred
- Per-tenant encryption keys managed through Cloud Key Management Service
- Automatic key rotation on 90-day cycles
- Encryption context includes tenant identifier and data classification metadata
Access Controls
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication required for all accounts accessing PHI
- 15-minute idle session timeout and 8-hour absolute session limit
- Emergency access (“break-glass”) procedures with enhanced audit logging and immediate supervisor notification
- Unique user identification for every account — shared credentials are prohibited
Audit Logging
- Immutable, append-only audit trails for all PHI access events
- Hash-chain integrity verification for tamper detection
- Six-year retention period per HIPAA requirements
- Every access event logged with who, what, when, where, and why
- Automated suspicious access pattern detection and alerting
- Daily integrity verification runs across the full audit chain
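An added illustration, not OSAZ's own code, of how the hash-chained, append-only audit trail and the integrity verification run described above can work: each entry commits to the previous entry's hash, so editing a stored record is detected when the chain is recomputed. The event fields, sample entries and the genesis anchor are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor hash for an empty chain


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, record: dict) -> str:
    # Each entry commits to its predecessor's hash and its own canonical body.
    return hashlib.sha256(prev_hash.encode() + _canonical(record)).hexdigest()


class AuditLog:
    """Append-only log: entries are only ever appended, never rewritten."""

    def __init__(self) -> None:
        self.entries: list = []

    def append(self, who: str, what: str, when: str, where: str, why: str) -> str:
        record = {"who": who, "what": what, "when": when, "where": where, "why": why}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": record, "prev": prev, "hash": chain_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> tuple:
        """Recompute every link; returns (ok, index of first bad entry or -1)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or chain_hash(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1


def demo() -> tuple:
    log = AuditLog()
    # Constructed sample events, not real PHI access data.
    log.append("dr.ada", "READ patient/1234", "2024-05-01T09:15:00Z", "10.0.4.7", "treatment")
    log.append("nurse.bo", "READ patient/1234", "2024-05-01T09:20:00Z", "10.0.4.9", "treatment")
    log.append("admin.cy", "EXPORT patient/1234", "2024-05-01T23:50:00Z", "203.0.113.5", "break-glass")
    ok_before, _ = log.verify()
    # Simulate a stored record being altered after the fact to hide who exported the data.
    log.entries[2]["record"]["who"] = "dr.ada"
    ok_after, bad_index = log.verify()
    return ok_before, ok_after, bad_index
```

A daily verification run would call `verify()` and also compare the final hash against a copy of the chain head stored outside the log, so that rewriting every later entry is caught too.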
AI Fairness & Bias Auditing
Equitable AI is not a compliance checkbox — it is the foundation of OSAZ's mission. Our bias auditing practices go beyond regulatory requirements.
- Continuous bias detection and monitoring across Fitzpatrick skin types I through VI
- Published fairness metrics for all diagnostic models
- Enforced training data diversity requirements
- Model transparency reporting available to clinical partners
- Performance parity monitoring across demographic groups
- Regular third-party fairness audits
Infrastructure Security
- Deployed on Google Cloud Platform using only HIPAA-eligible services under a signed BAA
- Network isolation with private VPCs and strict firewall rules
- Container security scanning integrated into the CI/CD pipeline
- Regular penetration testing conducted by independent third-party security firms
- Continuous vulnerability scanning and timely patch management
- Software Bill of Materials (SBOM) generation for supply chain transparency
Business Associate Agreements
- BAAs available for all covered entities and business associates
- Subcontractor BAA chain maintained for all downstream data processors
- Breach notification procedures compliant with HIPAA's 60-day timeline
- BAA verification required before any PHI processing begins
- Standard BAA template available upon request
Data Residency & Sovereignty
- Primary data processing and storage in the United States
- EU/EEA data transfers secured through Standard Contractual Clauses (SCCs) and Data Processing Agreements
- Data residency options available for enterprise customers with specific jurisdictional requirements
- Lagos, Nigeria operations do not process PHI without appropriate cross-border data transfer safeguards
- Adequacy decision references applied where applicable
Incident Response
- Dedicated incident response team with defined roles and escalation procedures
- Continuous monitoring and anomaly detection for breach identification
- HIPAA-compliant breach notification within 60 days of discovery
- Affected individual notification with clear, actionable information
- Post-incident review, root cause analysis, and remediation documentation
- Annual incident response drills and tabletop exercises
Request Our Security Whitepaper
Get a detailed overview of our security architecture and compliance posture.
Questions About Compliance?
Our compliance team is ready to discuss your requirements.
compliance@osaz.com